Bug 842038: (CVE-2013-0785) [SECURITY] XSS in show_bug.cgi when using an invalid page format

r=glob a=LpSolit git-svn-id: svn://10.0.0.236/branches/BUGZILLA-3_6-BRANCH@264770 18797224-902f-48f8-a5cc-f745e15eee43
2013-02-19 17:33:12 +00:00 · 2013-02-19 17:33:12 +00:00 · d9e31bb969
commit d9e31bb969
parent 99d67a5552
3 changed files with 7 additions and 7 deletions
--- a/mozilla/webtools/bugzilla/.bzrrev
+++ b/mozilla/webtools/bugzilla/.bzrrev
@ -1 +1 @@
-7310
+7311
--- a/mozilla/webtools/bugzilla/Bugzilla/Template.pm
+++ b/mozilla/webtools/bugzilla/Bugzilla/Template.pm
@ -128,6 +128,7 @@ sub get_format {
    return
    {
        'template'    => $template,
+        'format'      => $format,
        'extension'   => $ctype,
        'ctype'       => Bugzilla::Constants::contenttypes->{$ctype}
    };
--- a/mozilla/webtools/bugzilla/show_bug.cgi
+++ b/mozilla/webtools/bugzilla/show_bug.cgi
@ -37,9 +37,11 @@ my $vars = {};

 my $user = Bugzilla->login();

+my $format = $template->get_format("bug/show", scalar $cgi->param('format'),
+                                   scalar $cgi->param('ctype'));
+
 # Editable, 'single' HTML bugs are treated slightly specially in a few places
-my $single = !$cgi->param('format')
-  && (!$cgi->param('ctype') || $cgi->param('ctype') eq 'html');
+my $single = !$format->{format} && $format->{extension} eq 'html';

 # If we don't have an ID, _AND_ we're only doing a single bug, then prompt
 if (!$cgi->param('id') && $single) {
@ -49,9 +51,6 @@ if (!$cgi->param('id') && $single) {
    exit;
 }

-my $format = $template->get_format("bug/show", scalar $cgi->param('format'), 
-                                   scalar $cgi->param('ctype'));
-
 my @bugs = ();
 my %marks;

@ -125,5 +124,5 @@ $vars->{'displayfields'} = \%displayfields;

 print $cgi->header($format->{'ctype'});

-$template->process("$format->{'template'}", $vars)
+$template->process($format->{'template'}, $vars)
  || ThrowTemplateError($template->error());