authorlpsolit%gmail.com <>2005-12-30 07:55:59 +0100
committerlpsolit%gmail.com <>2005-12-30 07:55:59 +0100
commitede2d35c22621ca7245562bed1152ebcfaca954b (patch)
tree8cea3914baa68569db2d91e1bce5011ca4a8f11e
parent6de0297718b7170f40c30bf536bbb3d8c32e2315 (diff)
Bug 238780: editversions.cgi should reject newline characters - Patch by Paul <pdemarco@zoominternet.net> r=LpSolit a=justdave
-rw-r--r--Bugzilla/Util.pm12
-rwxr-xr-xeditversions.cgi7
2 files changed, 18 insertions, 1 deletions
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 21885bbdc..31a1052e4 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -42,7 +42,7 @@ use base qw(Exporter);
format_time format_time_decimal validate_date
file_mod_time is_7bit_clean
bz_crypt generate_random_password
- validate_email_syntax);
+ validate_email_syntax clean_text);
use Bugzilla::Config;
use Bugzilla::Constants;
@@ -390,6 +390,12 @@ sub is_7bit_clean {
return $_[0] !~ /[^\x20-\x7E\x0A\x0D]/;
}
+sub clean_text {
+ my ($dtext) = shift;
+ $dtext =~ s/[\x00-\x1F\x7F]/ /g; # change control characters to spaces
+ return $dtext;
+}
+
1;
__END__
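Review bot: The character class in `clean_text` covers only the C0 range and DEL, so C1 controls (U+0080 to U+009F) and the Unicode line separators U+2028/U+2029 would pass through unchanged if a caller ever hands it a decoded Unicode string. Whether that can happen depends on how CGI input is decoded, which this hunk does not show. Since the function is exported for general use, I would state the limit next to the substitution, for example `# ASCII only: replaces C0 controls and DEL; C1 controls and Unicode line separators are left as-is`.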
@@ -639,6 +645,10 @@ into the string.
Returns true is the string contains only 7-bit characters (ASCII 32 through 126,
ASCII 10 (LineFeed) and ASCII 13 (Carrage Return).
+=item C<clean_text($str)>
+Returns the parameter "cleaned" by exchanging non-printable characters with spaces.
+Specifically characters (ASCII 0 through 31) and (ASCII 127) will become ASCII 32 (Space).
+
=back
=head2 Formatting Time
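Review bot: The added `=item C<clean_text($str)>` line is followed directly by its description with no empty line, so POD reads the description as part of the item heading and the entry renders as one long title. Add an empty line after the `=item` line. The description could also say outright that tab, line feed and carriage return are among the replaced characters, because the `is_7bit_clean` entry just above treats LF and CR as acceptable and the two helpers are easy to confuse.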
diff --git a/editversions.cgi b/editversions.cgi
index 43816e6aa..be2c8a3c6 100755
--- a/editversions.cgi
+++ b/editversions.cgi
@@ -130,6 +130,9 @@ if ($action eq 'new') {
# Cleanups and valididy checks
$version_name || ThrowUserError('version_blank_name');
+ # Remove unprintable characters
+ $version_name = clean_text($version_name);
+
my $version = new Bugzilla::Version($product->id, $version_name);
if ($version) {
ThrowUserError('version_already_exists',
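Review bot: The `clean_text` call sits after the `version_blank_name` check, so a name made up only of non-whitespace control characters (for instance a single 0x01 byte) passes the emptiness test and is then turned into a whitespace-only name. It is then looked up and, presumably, stored in that form. Sanitise first and trim again before the check: `$version_name = trim(clean_text($version_name));` followed by `$version_name || ThrowUserError('version_blank_name');` (`trim` is already used in this file). A control character at either end of the name otherwise leaves a leading or trailing space in the stored value. The `update` hunk below has the same ordering after `version_not_specified` and needs the same change. The enclosing `if ($action eq 'new')` block begins and ends outside this hunk.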
@@ -242,6 +245,10 @@ if ($action eq 'edit') {
if ($action eq 'update') {
$version_name || ThrowUserError('version_not_specified');
+
+ # Remove unprintable characters
+ $version_name = clean_text($version_name);
+
my $version_old_name = trim($cgi->param('versionold') || '');
my $version_old =
Bugzilla::Version::check_version($product,