summaryrefslogtreecommitdiffstats
path: root/Bugzilla
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2011-08-10 01:46:03 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2011-08-10 01:46:03 +0200
commit36e4d1fddb336e0ebfb61e0b7870e2b60c666ef5 (patch)
tree0cdfbda05f2324575d3da845be7d1d1c10d0bc4d /Bugzilla
parente002b3fdae068007cfe20c0ae6f598489161ea48 (diff)
downloadbugzilla-36e4d1fddb336e0ebfb61e0b7870e2b60c666ef5.tar.gz
bugzilla-36e4d1fddb336e0ebfb61e0b7870e2b60c666ef5.tar.xz
Bug 677187: If the attachment filename contains a newline, an error is thrown when trying to download the attachment
r/a=mkanat
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/Attachment.pm10
1 files changed, 7 insertions, 3 deletions
diff --git a/Bugzilla/Attachment.pm b/Bugzilla/Attachment.pm
index 7cd350dde..a39dc3af4 100644
--- a/Bugzilla/Attachment.pm
+++ b/Bugzilla/Attachment.pm
@@ -518,9 +518,13 @@ sub _check_content_type {
my $is_patch = ref($invocant) ? $invocant->ispatch : $params->{ispatch};
$content_type = 'text/plain' if $is_patch;
- $content_type = trim($content_type);
+ $content_type = clean_text($content_type);
+ # The subsets below cover all existing MIME types and charsets registered by IANA.
+ # (MIME type: RFC 2045 section 5.1; charset: RFC 2278 section 3.3)
my $legal_types = join('|', LEGAL_CONTENT_TYPES);
- if (!$content_type or $content_type !~ /^($legal_types)\/.+$/) {
+ if (!$content_type
+ || $content_type !~ /^($legal_types)\/[a-z0-9_\-\+\.]+(;\s*charset=[a-z0-9_\-\+]+)?$/i)
+ {
ThrowUserError("invalid_content_type", { contenttype => $content_type });
}
trick_taint($content_type);
@@ -560,7 +564,7 @@ sub _check_description {
sub _check_filename {
my ($invocant, $filename) = @_;
- $filename = trim($filename);
+ $filename = clean_text($filename);
$filename || ThrowUserError('file_not_specified');
# Remove path info (if any) from the file name. The browser should do this