author | Dylan William Hardison <dylan@hardison.net> | 2018-10-12 04:47:24 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2018-10-12 04:47:24 +0200 |
commit | 706d114f14beac2f7c68b4c3a3fc7cb58691aced (patch) | |
tree | 1ad08c183966c7d11bc61abcfced6b47dde70a18 /reports.cgi | |
parent | 871fc7dd332dadd24a7e6e1db3c7f5e8ef93b00e (diff) | |
download | bugzilla-706d114f14beac2f7c68b4c3a3fc7cb58691aced.tar.gz bugzilla-706d114f14beac2f7c68b4c3a3fc7cb58691aced.tar.xz |
Bug 1497487 - Backport bug 767623 to BMO: Use HMAC to generate tokens and sensitive graph filenames
Diffstat (limited to 'reports.cgi')
-rwxr-xr-x | reports.cgi | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/reports.cgi b/reports.cgi
index 1633e37ca..cd24e1ee3 100755
--- a/reports.cgi
+++ b/reports.cgi
@@ -19,7 +19,7 @@ use Bugzilla::Error;
 use Bugzilla::Status;
 use File::Basename;
-use Digest::MD5 qw(md5_hex);
+use Digest::SHA qw(hmac_sha256_base64);
 # If we're using bug groups for products, we should apply those restrictions
 # to viewing reports, as well. Time to check the login in that case.
@@ -90,14 +90,12 @@ else {
 # Filenames must not be guessable as they can point to products
 # you are not allowed to see. Also, different projects can have
 # the same product names.
- my $key = Bugzilla->localconfig->{'site_wide_secret'};
 my $project = bz_locations()->{'project'} || '';
- my $image_file = join(':', ($key, $project, $prod_id, @datasets));
- # Wide characters cause md5_hex() to die.
- if (Bugzilla->params->{'utf8'}) {
- utf8::encode($image_file) if utf8::is_utf8($image_file);
- }
- $image_file = md5_hex($image_file) . '.png';
+ my $image_file = join(':', ($project, $prod_id, @datasets));
+ my $key = Bugzilla->localconfig->{'site_wide_secret'};
+ $image_file = hmac_sha256_base64($image_file, $key) . '.png';
+ $image_file =~ s/\+/-/g;
+ $image_file =~ s/\//_/g;
 trick_taint($image_file);
 if (! -e "$graph_dir/$image_file") { |
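Review bot: The second hunk removes the `utf8::encode` guard together with md5_hex, yet the string handed to `hmac_sha256_base64` is still `join(':', $project, $prod_id, @datasets)`, and as far as I can tell Digest::SHA's XS routines croak on wide characters ("Wide character in subroutine entry") exactly as Digest::MD5 did, so a dataset name containing a character above 0xFF would now abort the report instead of yielding a filename. Keeping one line before the HMAC call restores the old behaviour: `utf8::encode($image_file) if utf8::is_utf8($image_file);`, with the dropped comment reworded to `# Wide characters cause hmac_sha256_base64() to die.`. The first hunk only swaps the import and needs nothing beyond that. The enclosing `else` block continues past the end of this hunk.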