From 564fb6842b0d0be49a58e1ed30a94b8f0a2c511e Mon Sep 17 00:00:00 2001
From: Frédéric Buclin <LpSolit@gmail.com>
Date: Tue, 19 Feb 2013 18:24:20 +0100
Subject: Bug 842038: (CVE-2013-0785) [SECURITY] XSS in show_bug.cgi when using
 an invalid page format r=glob a=LpSolit

---
 Bugzilla/Template.pm | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

(limited to 'Bugzilla/Template.pm')

diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index 81d01b426..f70224a9c 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -96,12 +96,15 @@ sub get_format {
     my $self = shift;
     my ($template, $format, $ctype) = @_;
 
-    $ctype ||= 'html';
-    $format ||= '';
+    $ctype //= 'html';
+    $format //= '';
 
-    # Security - allow letters and a hyphen only
-    $ctype =~ s/[^a-zA-Z\-]//g;
-    $format =~ s/[^a-zA-Z\-]//g;
+    # ctype and format can have letters and a hyphen only.
+    if ($ctype =~ /[^a-zA-Z\-]/ || $format =~ /[^a-zA-Z\-]/) {
+        ThrowUserError('format_not_found', {'format' => $format,
+                                            'ctype'  => $ctype,
+                                            'invalid' => 1});
+    }
     trick_taint($ctype);
     trick_taint($format);
 
@@ -127,6 +130,7 @@ sub get_format {
     return
     {
         'template'    => $template,
+        'format'      => $format,
         'extension'   => $ctype,
         'ctype'       => Bugzilla::Constants::contenttypes->{$ctype}
     };
-- 
cgit v1.2.3-24-g4f1b