authorFrédéric Buclin <LpSolit@gmail.com>2012-01-31 16:39:50 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2012-01-31 16:39:50 +0100
commit6c81a8674ac77562584d5033561f8b4d947f23bb (patch)
tree3f3075c09ff6c31cd4901a6182f15ff6ec87cdf2 /Bugzilla
parent907acd417423fe4550d31afe0b16ee15b2ebad18 (diff)
Bug 714472: (CVE-2012-0448) [SECURITY] utf8 homoglyphs are allowed in email addresses, which could allow an attacker to be CC'ed to private bugs by accident
r=glob a=LpSolit
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/FlagType.pm2
-rw-r--r--Bugzilla/Util.pm2
2 files changed, 2 insertions, 2 deletions
diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm
index ea81dfe46..b30065a1c 100644
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -310,7 +310,7 @@ sub _check_cc_list {
# - do not contain any illegal character.
foreach my $address (@addresses) {
($address =~ /^[\w\.\+\-=]+@[\w\.\-]+\.[\w\-]+$/
- && $address !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/)
+ && $address !~ /[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/)
|| ThrowUserError('illegal_email_address',
{addr => $address, default => 1});
}
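Review bot: The allowlist regex on the line above the change still relies on `\w`, which in Perl matches Unicode letters and digits, so the same homoglyphs the new `\P{ASCII}` class rejects are still accepted by the positive pattern and only the denylist stops them. Spelling the allowlist out as ASCII makes the check self-sufficient: `($address =~ /^[A-Za-z0-9_\.\+\-=]+@[A-Za-z0-9_\.\-]+\.[A-Za-z0-9_\-]+$/` (the `/a` modifier would do the same but needs Perl 5.14). The negated character class is also duplicated byte-for-byte with `validate_email_syntax` in Bugzilla/Util.pm; hoisting it into a shared `qr/[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/` that both callers use would keep the next fix from having to land in two places. A one-line comment such as `# non-ASCII is rejected so Unicode homoglyphs cannot mimic an existing address` would also record why `\P{ASCII}` is there, since the `_check_cc_list` header comment above the hunk is not fully visible here.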
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 4c268552b..6d8622e04 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -565,7 +565,7 @@ sub generate_random_password {
sub validate_email_syntax {
my ($addr) = @_;
my $match = Bugzilla->params->{'emailregexp'};
- my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/);
+ my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/);
if ($ret) {
# We assume these checks to suffice to consider the address untainted.
trick_taint($_[0]);
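Review bot: Nothing in the new line explains why `\P{ASCII}` was added, and because `emailregexp` is a site parameter an administrator can loosen, this hardcoded class is the only guard that cannot be configured away — a later tidy-up of the regex could silently drop it. A comment on the changed line, e.g. `# Reject non-ASCII characters: Unicode homoglyphs could pass emailregexp and impersonate an existing account (CVE-2012-0448).`, would make that intent durable. The `trick_taint` comment below ("We assume these checks to suffice") is now also load-bearing for the ASCII guarantee and could say so. The same denylist appears verbatim in Bugzilla/FlagType.pm `_check_cc_list`; sharing one `qr//` between the two would keep them from drifting apart.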