author | Manish Goregaokar <manishearth@gmail.com> | 2014-04-17 18:30:14 +0200 |
committer | Frédéric Buclin <LpSolit@gmail.com> | 2014-04-17 18:30:14 +0200 |
commit | d3d080ffe4e1d3ee1fd77512af9a9b1aea10177a (patch) | |
tree | cd330a9b1066c052a62394fa6a298641a8d15f7c | |
parent | Bug 713926: (CVE-2014-1517) [SECURITY] Login form lacks CSRF protection (diff) | |
Bug 968576: [SECURITY] Dangerous control characters allowed in Bugzilla text
r=glob a=justdave
-rw-r--r-- | Bugzilla/Template.pm | 11 | ||||
-rw-r--r-- | Bugzilla/Util.pm | 4 | ||||
-rw-r--r-- | template/en/default/email/bugmail.txt.tmpl | 2 | ||||
-rw-r--r-- | template/en/default/email/flagmail.txt.tmpl | 2 |
4 files changed, 17 insertions, 2 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index 44425edaa..ee610ff38 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -645,6 +645,17 @@ sub create {
                 my ($data) = @_;
                 return encode_base64($data);
             },
+
+            # Strips out control characters excepting whitespace
+            strip_control_chars => sub {
+                my ($data) = @_;
+                # Only run for utf8 to avoid issues with other multibyte encodings
+                # that may be reassigning meaning to ascii characters.
+                if (Bugzilla->params->{'utf8'}) {
+                    $data =~ s/(?![\t\r\n])[[:cntrl:]]//g;
+                }
+                return $data;
+            },
 
             # HTML collapses newlines in element attributes to a single space,
             # so form elements which may have whitespace (ie comments) need
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 15bd7e220..625fee963 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -68,6 +68,10 @@ sub html_quote {
     # Obscure '@'.
     $var =~ s/\@/\@/g;
     if (Bugzilla->params->{'utf8'}) {
+        # Remove control characters if the encoding is utf8.
+        # Other multibyte encodings may be using this range; so ignore if not utf8.
+        $var =~ s/(?![\t\r\n])[[:cntrl:]]//g;
+
         # Remove the following characters because they're
         # influencing BiDi:
         # --------------------------------------------------------
diff --git a/template/en/default/email/bugmail.txt.tmpl b/template/en/default/email/bugmail.txt.tmpl
index 999fab911..b3c652fcc 100644
--- a/template/en/default/email/bugmail.txt.tmpl
+++ b/template/en/default/email/bugmail.txt.tmpl
@@ -19,7 +19,7 @@
 [%- IF comment.count %]
 --- Comment #[% comment.count %] from [% comment.author.identity %] ---
 [% END %]
-[%+ comment.body_full({ is_bugmail => 1, wrap => 1 }) %]
+[%+ comment.body_full({ is_bugmail => 1, wrap => 1 }) FILTER strip_control_chars %]
 [% END %]
 -- 
 [%# Protect the trailing space of the signature marker %]
diff --git a/template/en/default/email/flagmail.txt.tmpl b/template/en/default/email/flagmail.txt.tmpl
index cdda8d677..169dfa892 100644
--- a/template/en/default/email/flagmail.txt.tmpl 
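Review bot: The new `strip_control_chars` filter removes only `[[:cntrl:]]`, whereas the matching utf8 branch in `html_quote` (Bugzilla/Util.pm hunk) goes on to remove the BiDi control characters as well, so plain-text bugmail and flagmail keep U+202E-style overrides that the HTML path drops; if that is deliberate the filter comment should say so, and if not the same BiDi removal belongs in the filter. The pattern `s/(?![\t\r\n])[[:cntrl:]]//g` under the same utf8 gate now lives in both files, so one shared `qr//` constant, or a helper in Bugzilla::Util that the filter delegates to, would keep the two from drifting apart. The comment above the `if` would also benefit from naming what survives: `# Keeps TAB, CR and LF; drops the rest of C0, DEL and (on a decoded string) the C1 range U+0080-U+009F, so VT and FF go too.` The enclosing `create` sub starts and ends outside the hunk.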
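Review bot: The stripping added to `html_quote` runs only when the utf8 parameter is on, so with it off the HTML output still carries raw C0 control characters; the new comment explains why the range must be left alone for other encodings but not that this includes ESC and the rest of C0, and a sentence such as `# With utf8 off nothing is stripped: ESC and other C0 bytes can be part of a stateful multibyte encoding.` would record the trade-off. It is also worth stating in the comment that on a byte string Perl's `[[:cntrl:]]` matches only 0x00-0x1F and 0x7F, so a not-yet-decoded UTF-8 string should not be damaged here, while on a decoded string it additionally removes U+0080-U+009F. The change covers output that passes through this quoting function; text emitted without it is presumably unaffected and may warrant a separate look. `html_quote` starts and ends outside the hunk.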
+++ b/template/en/default/email/flagmail.txt.tmpl
@@ -68,7 +68,7 @@ Attachment [% attidsummary %] [%-# .defined is necessary to avoid a taint issue in Perl < 5.10.1, see bug 509794. %] [% IF Bugzilla.cgi.param("comment").defined && Bugzilla.cgi.param("comment").length > 0 %] ------- Additional Comments from [% user.identity %] -[%+ Bugzilla.cgi.param("comment") %] +[%+ Bugzilla.cgi.param("comment") FILTER strip_control_chars %] [% END %] [%- END %] |