author | Frédéric Buclin <LpSolit@gmail.com> | 2012-11-13 18:53:55 +0100 |
committer | Frédéric Buclin <LpSolit@gmail.com> | 2012-11-13 18:53:55 +0100 |
commit | aecf0a17d1689d957bc8854e55e499839798446f (patch) | |
tree | 8fa84413d8d053e609b5e4b192011f99808b01de /report.cgi | |
parent | 58f2aa2c8e2c87d17eef378f357ddd77ba60f1c0 (diff) | |
download | bugzilla-aecf0a17d1689d957bc8854e55e499839798446f.tar.gz bugzilla-aecf0a17d1689d957bc8854e55e499839798446f.tar.xz |
Bug 790296 (CVE-2012-4189): [SECURITY] Field values are not escaped correctly in tabular reports
r=dkl a=LpSolit
Diffstat (limited to 'report.cgi')
-rwxr-xr-x | report.cgi | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/report.cgi b/report.cgi
index de587f143..e70dcf4b2 100755
--- a/report.cgi
+++ b/report.cgi
@@ -387,5 +387,5 @@ sub get_field_restrictions {
 my $field = shift;
 my $cgi = Bugzilla->cgi;
- return join('&', map {"$field=$_"} $cgi->param($field));
+ return join('&', map {url_quote($field) . '=' . url_quote($_)} $cgi->param($field));
 }
|
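Review bot: The rewritten `return` now passes both the field name and every value through `url_quote`, but the sub still carries no comment stating that its result is a URL-encoded query fragment, which is the contract that makes this fix complete and that a later caller could easily break by encoding twice or not at all; add a header comment such as `# Returns a URL-encoded, '&'-joined query fragment (field=value&field=value ...) for every value of $field; callers must not URL-escape it again and must still HTML-escape it when embedding it in markup.` The hunk does not show where `url_quote` comes from; it is presumably exported by Bugzilla::Util as elsewhere in the project, which is worth confirming on the file's `use` line because an unimported name would surface only at run time when a tabular report is rendered. The join still emits a literal `&`, so the callers that place this string in an `href` need the usual HTML escaping; whether the templates already do that is not visible here. Whether `sub get_field_restrictions {` is the hunk's first context line or only the hunk-header function name cannot be told from the rendered page, so the sub's opening line may lie just outside the hunk.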