summaryrefslogtreecommitdiffstats
path: root/importxml.pl
diff options
context:
space:
mode:
authormkanat%bugzilla.org <>2008-08-12 16:41:11 +0200
committermkanat%bugzilla.org <>2008-08-12 16:41:11 +0200
commit09a4647650851390eeef594c6b56ca61d04d6d1b (patch)
tree8a0f343b3aeb0315b567b5d78d0b65e7d5889bc8 /importxml.pl
parentb568a50ec728b35fc2615fc4faee9c1d17af0949 (diff)
downloadbugzilla-09a4647650851390eeef594c6b56ca61d04d6d1b.tar.gz
bugzilla-09a4647650851390eeef594c6b56ca61d04d6d1b.tar.xz
Bug 437169: [SECURITY] Local files on the server can be attached to a bug (making them publicly visible) when importing bugs with -attach_path
Patch By Greg Hendricks <ghendricks@novell.com> r=LpSolit, a=mkanat
Diffstat (limited to 'importxml.pl')
-rwxr-xr-ximportxml.pl9
1 files changed, 7 insertions, 2 deletions
diff --git a/importxml.pl b/importxml.pl
index eaec9d99b..6b0c043b4 100755
--- a/importxml.pl
+++ b/importxml.pl
@@ -384,8 +384,13 @@ sub process_attachment() {
elsif ($encoding =~ /filename/) {
# read the attachment file
Error("attach_path is required", undef) unless ($attach_path);
- my $attach_filename = $attach_path . "/" . $attach->field('data');
- open(ATTACH_FH, $attach_filename) or
+
+ my $filename = $attach->field('data');
+ # Remove any leading path data from the filename
+ $filename =~ s/(.*\/|.*\\)//gs;
+
+ my $attach_filename = $attach_path . "/" . $filename;
+ open(ATTACH_FH, "<", $attach_filename) or
Error("cannot open $attach_filename", undef);
$attachment{'data'} = do { local $/; <ATTACH_FH> };
close ATTACH_FH;