From 6066ff31980fddc2eb97b987c5bbd1a931495f1e Mon Sep 17 00:00:00 2001
From: Manish Goregaokar
Date: Thu, 17 Apr 2014 18:37:11 +0200
Subject: Bug 968576: [SECURITY] Dangerous control characters allowed in Bugzilla text r=glob a=justdave
---
 Bugzilla/Template.pm | 11 +++++++++++
 Bugzilla/Util.pm | 4 ++++
 2 files changed, 15 insertions(+)
(limited to 'Bugzilla')
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index cd7507963..08999b27a 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -672,6 +672,17 @@ sub create {
 my ($data) = @_;
 return encode_base64($data);
 },
+
+ # Strips out control characters excepting whitespace
+ strip_control_chars => sub {
+ my ($data) = @_;
+ # Only run for utf8 to avoid issues with other multibyte encodings
+ # that may be reassigning meaning to ascii characters.
+ if (Bugzilla->params->{'utf8'}) {
+ $data =~ s/(?![\t\r\n])[[:cntrl:]]//g;
+ }
+ return $data;
+ },
 # HTML collapses newlines in element attributes to a single space,
 # so form elements which may have whitespace (ie comments) need
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index c2dbdc97d..48507ff9e 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -91,6 +91,10 @@ sub html_quote {
 # Obscure '@'.
 $var =~ s/\@/\@/g;
 if (Bugzilla->params->{'utf8'}) {
+ # Remove control characters if the encoding is utf8.
+ # Other multibyte encodings may be using this range; so ignore if not utf8.
+ $var =~ s/(?![\t\r\n])[[:cntrl:]]//g;
+
 # Remove the following characters because they're
 # influencing BiDi:
 # --------------------------------------------------------
--
cgit v1.2.3-24-g4f1b
From 1342bae74db9a67ab0798d3f4ea88f875471deaa Mon Sep 17 00:00:00 2001
From: David Lawrence
Date: Thu, 17 Apr 2014 17:13:45 +0000
Subject: Bump version to 4.2.8
---
 Bugzilla/Constants.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'Bugzilla')
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index 9ffb325df..1bae8dd5f 100644
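Review bot: Whether `[[:cntrl:]]` in the new `strip_control_chars` filter also removes the C1 controls U+0080–U+009F depends on `$data` carrying Perl's Unicode semantics; on a byte string (undecoded UTF-8) the class matches only 0x00–0x1F and 0x7F, so the `utf8` parameter alone does not guarantee the wider range is covered — presumably the template engine hands this filter decoded text, but that is not visible here and is worth confirming. Spelling the intent as a Unicode property, `$data =~ s/(?![\t\r\n])\p{Cc}//g;`, makes the Cc-category match explicit regardless of the string's internal representation (its behaviour on byte strings under the Perl versions Bugzilla 4.2 supports should be checked before switching). The filter also leaves format characters (Cf, e.g. zero-width or bidi controls) untouched, so callers must not treat it as a general sanitizer; a comment such as `# Removes Unicode Cc only; bidi/format characters are handled separately in html_quote` would head off that assumption. The enclosing `create` sub begins and ends outside this hunk.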
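Review bot: The regex and its `utf8` gate added to `html_quote` are a byte-for-byte copy of the ones in the new `strip_control_chars` template filter, so the two will drift the next time the stripped set is adjusted (for example to add Cf/bidi characters); factor it into one exported helper in Bugzilla::Util, e.g. `sub strip_control_chars { my ($s) = @_; $s =~ s/(?![\t\r\n])[[:cntrl:]]//g if Bugzilla->params->{'utf8'}; return $s; }`, and have both call sites use it. Note also that when the `utf8` parameter is off, `html_quote` still passes every control character through unchanged, so installations on other encodings receive none of this fix; the comment should state that consequence plainly rather than "ignore if not utf8", e.g. `# NOTE: non-utf8 installations get no control-character stripping here.` `html_quote` begins before this hunk and continues after it.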
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -202,7 +202,7 @@ use Memoize;
 # CONSTANTS
 #
 # Bugzilla version
-use constant BUGZILLA_VERSION => "4.2.7+";
+use constant BUGZILLA_VERSION => "4.2.8";
 # Location of the remote and local XML files to track new releases.
 use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml';
--
cgit v1.2.3-24-g4f1b
From b909fa7d401cc1606f2e9c65a5f3e3ee4199e523 Mon Sep 17 00:00:00 2001
From: David Lawrence
Date: Thu, 17 Apr 2014 21:26:58 +0000
Subject: Bumped version post-release
---
 Bugzilla/Constants.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'Bugzilla')
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index 1bae8dd5f..46ff21ebf 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -202,7 +202,7 @@ use Memoize;
 # CONSTANTS
 #
 # Bugzilla version
-use constant BUGZILLA_VERSION => "4.2.8";
+use constant BUGZILLA_VERSION => "4.2.8+";
 # Location of the remote and local XML files to track new releases.
 use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml';
--
cgit v1.2.3-24-g4f1b