From 6c81a8674ac77562584d5033561f8b4d947f23bb Mon Sep 17 00:00:00 2001
From: Frédéric Buclin <LpSolit@gmail.com>
Date: Tue, 31 Jan 2012 16:39:50 +0100
Subject: Bug 714472: (CVE-2012-0448) [SECURITY] utf8 homoglyphs are allowed in
 email addresses, which could allow an attacker to be CC'ed to private bugs by
 accident r=glob a=LpSolit

---
 Bugzilla/FlagType.pm | 2 +-
 Bugzilla/Util.pm     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

(limited to 'Bugzilla')

diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm
index ea81dfe46..b30065a1c 100644
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -310,7 +310,7 @@ sub _check_cc_list {
     # - do not contain any illegal character.
     foreach my $address (@addresses) {
         ($address =~ /^[\w\.\+\-=]+@[\w\.\-]+\.[\w\-]+$/
-           && $address !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/)
+           && $address !~ /[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/)
           || ThrowUserError('illegal_email_address',
                             {addr => $address, default => 1});
     }
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 4c268552b..6d8622e04 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -565,7 +565,7 @@ sub generate_random_password {
 sub validate_email_syntax {
     my ($addr) = @_;
     my $match = Bugzilla->params->{'emailregexp'};
-    my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/);
+    my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/);
     if ($ret) {
         # We assume these checks to suffice to consider the address untainted.
         trick_taint($_[0]);
-- 
cgit v1.2.3-24-g4f1b