Bug 968576: [SECURITY] Dangerous control characters allowed in Bugzilla text

r=glob a=justdave git-svn-id: svn://10.0.0.236/trunk@265333 18797224-902f-48f8-a5cc-f745e15eee43
2014-04-17 16:45:46 +00:00 · 2014-04-17 16:45:46 +00:00 · ab3da5aade
commit ab3da5aade
parent 550894d547
6 changed files with 20 additions and 4 deletions
--- a/mozilla/webtools/bugzilla/.bzrrev
+++ b/mozilla/webtools/bugzilla/.bzrrev
@ -1 +1 @@
-8993
+8994
--- a/mozilla/webtools/bugzilla/.gitrev
+++ b/mozilla/webtools/bugzilla/.gitrev
@ -1 +1 @@
-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3
+58b92d3b0245f6565a7ff34e78fce1e9ec56b355
--- a/mozilla/webtools/bugzilla/Bugzilla/Template.pm
+++ b/mozilla/webtools/bugzilla/Bugzilla/Template.pm
@ -679,6 +679,18 @@ sub create {
                return encode_base64($data);
            },

+            # Strips out control characters excepting whitespace
+            strip_control_chars => sub {
+                my ($data) = @_;
+                state $use_utf8 = Bugzilla->params->{'utf8'};
+                # Only run for utf8 to avoid issues with other multibyte encodings 
+                # that may be reassigning meaning to ascii characters.
+                if ($use_utf8) {
+                    $data =~ s/(?![\t\r\n])[[:cntrl:]]//g;
+                }
+                return $data;
+            },
+            
            # HTML collapses newlines in element attributes to a single space,
            # so form elements which may have whitespace (ie comments) need
            # to be encoded using &#013;
--- a/mozilla/webtools/bugzilla/Bugzilla/Util.pm
+++ b/mozilla/webtools/bugzilla/Bugzilla/Util.pm
@ -75,6 +75,10 @@ sub html_quote {
    state $use_utf8 = Bugzilla->params->{'utf8'};

    if ($use_utf8) {
+        # Remove control characters if the encoding is utf8.
+        # Other multibyte encodings may be using this range; so ignore if not utf8.
+        $var =~ s/(?![\t\r\n])[[:cntrl:]]//g;
+
        # Remove the following characters because they're
        # influencing BiDi:
        # --------------------------------------------------------
--- a/mozilla/webtools/bugzilla/template/en/default/email/bugmail.txt.tmpl
+++ b/mozilla/webtools/bugzilla/template/en/default/email/bugmail.txt.tmpl
@ -19,7 +19,7 @@
 [%- IF comment.count %]
 --- Comment #[% comment.count %] from [% comment.author.identity %] ---
 [% END %]
-[%+ comment.body_full({ is_bugmail => 1, wrap => 1 }) %]
+[%+ comment.body_full({ is_bugmail => 1, wrap => 1 }) FILTER strip_control_chars %]
 [% END %]

 [% IF referenced_bugs.size %]
--- a/mozilla/webtools/bugzilla/template/en/default/email/flagmail.txt.tmpl
+++ b/mozilla/webtools/bugzilla/template/en/default/email/flagmail.txt.tmpl
@ -69,7 +69,7 @@ Attachment [% attidsummary %]
 [%-# .defined is necessary to avoid a taint issue, see bug 509794. %]
 [% IF Bugzilla.cgi.param("comment").defined && Bugzilla.cgi.param("comment").length > 0 %]
 ------- Additional Comments from [% user.identity %]
-[%+ Bugzilla.cgi.param("comment") %]
+[%+ Bugzilla.cgi.param("comment") FILTER strip_control_chars %]
 [% END %]

 [%- END %]