Bommels05/Mozilla
Bommels05/Mozilla
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 842038: (CVE-2013-0785) [SECURITY] XSS in show_bug.cgi when using an invalid page format

Browse Source 
r=glob a=LpSolit


git-svn-id: svn://10.0.0.236/trunk@264770 18797224-902f-48f8-a5cc-f745e15eee43
This commit is contained in:
mkanat%bugzilla.org 2013-02-19 17:33:12 +00:00
parent 0a81634be5
commit cfe160dd7e
4 changed files with 19 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
mozilla/webtools/bugzilla/.bzrrev
View File

@ -1 +1 @@
8586 8587

14
mozilla/webtools/bugzilla/Bugzilla/Template.pm
View File

@ -96,12 +96,15 @@ sub get_format {
my $self = shift; my $self = shift;
my ($template, $format, $ctype) = @_; my ($template, $format, $ctype) = @_;
$ctype ||= 'html'; $ctype //= 'html';
$format ||= ''; $format //= '';
# Security - allow letters and a hyphen only # ctype and format can have letters and a hyphen only.
$ctype =~ s/[^a-zA-Z\-]//g; if ($ctype =~ /[^a-zA-Z\-]/ || $format =~ /[^a-zA-Z\-]/) {
$format =~ s/[^a-zA-Z\-]//g; ThrowUserError('format_not_found', {'format' => $format,
'ctype' => $ctype,
'invalid' => 1});
}
trick_taint($ctype); trick_taint($ctype);
trick_taint($format); trick_taint($format);
@ -127,6 +130,7 @@ sub get_format {
return return
{ {
'template' => $template, 'template' => $template,
'format' => $format,
'extension' => $ctype, 'extension' => $ctype,
'ctype' => Bugzilla::Constants::contenttypes->{$ctype} 'ctype' => Bugzilla::Constants::contenttypes->{$ctype}
}; };

11
mozilla/webtools/bugzilla/show_bug.cgi
View File

@ -22,9 +22,11 @@ my $vars = {};
my $user = Bugzilla->login(); my $user = Bugzilla->login();
my $format = $template->get_format("bug/show", scalar $cgi->param('format'),
scalar $cgi->param('ctype'));
# Editable, 'single' HTML bugs are treated slightly specially in a few places # Editable, 'single' HTML bugs are treated slightly specially in a few places
my $single = !$cgi->param('format') my $single = !$format->{format} && $format->{extension} eq 'html';
&& (!$cgi->param('ctype') || $cgi->param('ctype') eq 'html');
# If we don't have an ID, _AND_ we're only doing a single bug, then prompt # If we don't have an ID, _AND_ we're only doing a single bug, then prompt
if (!$cgi->param('id') && $single) { if (!$cgi->param('id') && $single) {
@ -34,9 +36,6 @@ if (!$cgi->param('id') && $single) {
exit; exit;
} }
my $format = $template->get_format("bug/show", scalar $cgi->param('format'),
scalar $cgi->param('ctype'));
my (@bugs, @illegal_bugs); my (@bugs, @illegal_bugs);
my %marks; my %marks;
@ -126,5 +125,5 @@ $vars->{'displayfields'} = \%displayfields;
print $cgi->header($format->{'ctype'}); print $cgi->header($format->{'ctype'});
$template->process("$format->{'template'}", $vars) $template->process($format->{'template'}, $vars)
|| ThrowTemplateError($template->error()); || ThrowTemplateError($template->error());

3
mozilla/webtools/bugzilla/template/en/default/global/user-error.html.tmpl
View File

@ -741,6 +741,9 @@
[% title = "Format Not Found" %] [% title = "Format Not Found" %]
The requested format <em>[% format FILTER html %]</em> does not exist with The requested format <em>[% format FILTER html %]</em> does not exist with
a content type of <em>[% ctype FILTER html %]</em>. a content type of <em>[% ctype FILTER html %]</em>.
[% IF invalid %]
Both parameters must contain letters and hyphens only.
[% END %]
[% ELSIF error == "flag_type_sortkey_invalid" %] [% ELSIF error == "flag_type_sortkey_invalid" %]
[% title = "Flag Type Sort Key Invalid" %] [% title = "Flag Type Sort Key Invalid" %]