summaryrefslogtreecommitdiffstats
path: root/reports.cgi
diff options
context:
space:
mode:
authorDylan William Hardison <dylan@hardison.net>2018-10-12 04:47:24 +0200
committerGitHub <noreply@github.com>2018-10-12 04:47:24 +0200
commit706d114f14beac2f7c68b4c3a3fc7cb58691aced (patch)
tree1ad08c183966c7d11bc61abcfced6b47dde70a18 /reports.cgi
parent871fc7dd332dadd24a7e6e1db3c7f5e8ef93b00e (diff)
downloadbugzilla-706d114f14beac2f7c68b4c3a3fc7cb58691aced.tar.gz
bugzilla-706d114f14beac2f7c68b4c3a3fc7cb58691aced.tar.xz
Bug 1497487 - Backport bug 767623 to BMO: Use HMAC to generate tokens and sensitive graph filenames
Diffstat (limited to 'reports.cgi')
-rwxr-xr-xreports.cgi14
1 files changed, 6 insertions, 8 deletions
diff --git a/reports.cgi b/reports.cgi
index 1633e37ca..cd24e1ee3 100755
--- a/reports.cgi
+++ b/reports.cgi
@@ -19,7 +19,7 @@ use Bugzilla::Error;
use Bugzilla::Status;
use File::Basename;
-use Digest::MD5 qw(md5_hex);
+use Digest::SHA qw(hmac_sha256_base64);
# If we're using bug groups for products, we should apply those restrictions
# to viewing reports, as well. Time to check the login in that case.
@@ -90,14 +90,12 @@ else {
# Filenames must not be guessable as they can point to products
# you are not allowed to see. Also, different projects can have
# the same product names.
- my $key = Bugzilla->localconfig->{'site_wide_secret'};
my $project = bz_locations()->{'project'} || '';
- my $image_file = join(':', ($key, $project, $prod_id, @datasets));
- # Wide characters cause md5_hex() to die.
- if (Bugzilla->params->{'utf8'}) {
- utf8::encode($image_file) if utf8::is_utf8($image_file);
- }
- $image_file = md5_hex($image_file) . '.png';
+ my $image_file = join(':', ($project, $prod_id, @datasets));
+ my $key = Bugzilla->localconfig->{'site_wide_secret'};
+ $image_file = hmac_sha256_base64($image_file, $key) . '.png';
+ $image_file =~ s/\+/-/g;
+ $image_file =~ s/\//_/g;
trick_taint($image_file);
if (! -e "$graph_dir/$image_file") {