-rw-r--r-- | bug_form.pl | 1 | ||||
-rwxr-xr-x | createattachment.cgi | 5 |
2 files changed, 4 insertions, 2 deletions
diff --git a/bug_form.pl b/bug_form.pl
index 5938f3aea..d3311fee5 100644
--- a/bug_form.pl
+++ b/bug_form.pl
@@ -299,6 +299,7 @@ if (Param('useattachmenttracker')) {
 }
 my $link = "showattachment.cgi?attach_id=$attachid";
 $desc = value_quote($desc);
+ $mimetype = html_quote($mimetype);
 print qq{<td><a href="$link">$date</a></td><td colspan=6>$desc ($mimetype)</td></tr><tr><td></td>};
 }
 print "<td colspan=7><a href=\"createattachment.cgi?id=$id\">Create a new attachment</a> (proposed patch, testcase, etc.)</td></tr></table>\n";
diff --git a/createattachment.cgi b/createattachment.cgi
index 619abbd26..d665e4498 100755
--- a/createattachment.cgi
+++ b/createattachment.cgi
@@ -84,8 +84,9 @@ What kind of file is this?
 if ($mimetype eq "other") {
 $mimetype = $::FORM{'othertype'};
 }
- if ($mimetype !~ m@^(\w|-|\+|\.)+/(\w|-|\+|\.)+$@) {
- PuntTryAgain("You must select a legal mime type. '<tt>$mimetype</tt>' simply will not do.");
+ if ($mimetype !~ m@^(\w|-|\+|\.)+/(\w|-|\+|\.)+(;.*)?$@) {
+ PuntTryAgain("You must select a legal mime type. '<tt>" .
+ html_quote($mimetype) . "</tt>' simply will not do.");
 }
 SendSQL("insert into attachments (bug_id, filename, description, mimetype, ispatch, submitter_id, thedata) values ($id," . SqlQuote($::FILENAME{'data'}) . ", " . SqlQuote($desc) . ", " . |
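Review bot: The added line overwrites `$mimetype` with its HTML-escaped form rather than escaping at the point of output, so anything later in the loop body (not visible here) that reads the variable would see entity-encoded text instead of the stored value. The existing `$desc = value_quote($desc);` uses the same in-place pattern, so this is consistent with the file, but the shape that keeps the raw value intact is `print qq{<td><a href="$link">$date</a></td><td colspan=6>$desc (} . html_quote($mimetype) . qq{)</td></tr><tr><td></td>};`. `$date` and `$attachid` are still interpolated unescaped; that is presumably fine if they come straight from the database query, but nothing in the hunk shows where they are set. The enclosing `if (Param('useattachmenttracker'))` block and the loop it contains both start outside the hunk.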
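Review bot: The loosened pattern `(;.*)?$` in the new `if` accepts any characters after the first semicolon, so the only constraint left on the parameter part of a user-supplied type is that it contains no newline, and `$` still matches before a trailing newline so a value ending in `\n` passes unchanged. The HTML side is now covered by `html_quote` in the error message and in bug_form.pl, but the value is stored via SendSQL and is presumably emitted elsewhere (a Content-Type header when the attachment is served, for instance), where a carriage return or quote character in the parameter part would matter; a tighter check that still allows `type/subtype; name=value` parameters is `if ($mimetype !~ m@^[\w\-\+\.]+/[\w\-\+\.]+(;\s*[\w\-\+\.]+=[\w\-\+\."]+)*\z@) {`. The SendSQL statement that closes the hunk continues past it.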