diff options
author | Frédéric Buclin <LpSolit@gmail.com> | 2013-02-19 18:24:20 +0100 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2013-02-19 18:24:20 +0100 |
commit | 564fb6842b0d0be49a58e1ed30a94b8f0a2c511e (patch) | |
tree | 7c948449a19374c1e489e6fb71ea2d530afe9029 /Bugzilla/Template.pm | |
parent | e2c8da0dfc534ffca6232cc7d370299d5d446604 (diff) | |
download | bugzilla-564fb6842b0d0be49a58e1ed30a94b8f0a2c511e.tar.gz bugzilla-564fb6842b0d0be49a58e1ed30a94b8f0a2c511e.tar.xz |
Bug 842038: (CVE-2013-0785) [SECURITY] XSS in show_bug.cgi when using an invalid page format
r=glob a=LpSolit
Diffstat (limited to 'Bugzilla/Template.pm')
-rw-r--r-- | Bugzilla/Template.pm | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index 81d01b426..f70224a9c 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -96,12 +96,15 @@ sub get_format { my $self = shift; my ($template, $format, $ctype) = @_; - $ctype ||= 'html'; - $format ||= ''; + $ctype //= 'html'; + $format //= ''; - # Security - allow letters and a hyphen only - $ctype =~ s/[^a-zA-Z\-]//g; - $format =~ s/[^a-zA-Z\-]//g; + # ctype and format can have letters and a hyphen only. + if ($ctype =~ /[^a-zA-Z\-]/ || $format =~ /[^a-zA-Z\-]/) { + ThrowUserError('format_not_found', {'format' => $format, + 'ctype' => $ctype, + 'invalid' => 1}); + } trick_taint($ctype); trick_taint($format); @@ -127,6 +130,7 @@ sub get_format { return { 'template' => $template, + 'format' => $format, 'extension' => $ctype, 'ctype' => Bugzilla::Constants::contenttypes->{$ctype} }; |