From 564fb6842b0d0be49a58e1ed30a94b8f0a2c511e Mon Sep 17 00:00:00 2001
From: Frédéric Buclin <LpSolit@gmail.com>
Date: Tue, 19 Feb 2013 18:24:20 +0100
Subject: Bug 842038: (CVE-2013-0785) [SECURITY] XSS in show_bug.cgi when using
 an invalid page format r=glob a=LpSolit

---
 show_bug.cgi | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

(limited to 'show_bug.cgi')

diff --git a/show_bug.cgi b/show_bug.cgi
index 7b9157959..3956ce4b3 100755
--- a/show_bug.cgi
+++ b/show_bug.cgi
@@ -22,9 +22,11 @@ my $vars = {};
 
 my $user = Bugzilla->login();
 
+my $format = $template->get_format("bug/show", scalar $cgi->param('format'),
+                                   scalar $cgi->param('ctype'));
+
 # Editable, 'single' HTML bugs are treated slightly specially in a few places
-my $single = !$cgi->param('format')
-  && (!$cgi->param('ctype') || $cgi->param('ctype') eq 'html');
+my $single = !$format->{format} && $format->{extension} eq 'html';
 
 # If we don't have an ID, _AND_ we're only doing a single bug, then prompt
 if (!$cgi->param('id') && $single) {
@@ -34,9 +36,6 @@ if (!$cgi->param('id') && $single) {
     exit;
 }
 
-my $format = $template->get_format("bug/show", scalar $cgi->param('format'), 
-                                   scalar $cgi->param('ctype'));
-
 my (@bugs, @illegal_bugs);
 my %marks;
 
@@ -126,5 +125,5 @@ $vars->{'displayfields'} = \%displayfields;
 
 print $cgi->header($format->{'ctype'});
 
-$template->process("$format->{'template'}", $vars)
+$template->process($format->{'template'}, $vars)
   || ThrowTemplateError($template->error());
-- 
cgit v1.2.3-24-g4f1b