From ede2d35c22621ca7245562bed1152ebcfaca954b Mon Sep 17 00:00:00 2001 From: "lpsolit%gmail.com" <> Date: Fri, 30 Dec 2005 06:55:59 +0000 Subject: Bug 238780: editversions.cgi should reject newline characters - Patch by Paul r=LpSolit a=justdave --- Bugzilla/Util.pm | 12 +++++++++++- editversions.cgi | 7 +++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm index 21885bbdc..31a1052e4 100644 --- a/Bugzilla/Util.pm +++ b/Bugzilla/Util.pm @@ -42,7 +42,7 @@ use base qw(Exporter); format_time format_time_decimal validate_date file_mod_time is_7bit_clean bz_crypt generate_random_password - validate_email_syntax); + validate_email_syntax clean_text); use Bugzilla::Config; use Bugzilla::Constants; @@ -390,6 +390,12 @@ sub is_7bit_clean { return $_[0] !~ /[^\x20-\x7E\x0A\x0D]/; } +sub clean_text { + my ($dtext) = shift; + $dtext =~ s/[\x00-\x1F\x7F]/ /g; # change control characters to spaces + return $dtext; +} + 1; __END__ @@ -639,6 +645,10 @@ into the string. Returns true is the string contains only 7-bit characters (ASCII 32 through 126, ASCII 10 (LineFeed) and ASCII 13 (Carrage Return). +=item C +Returns the parameter "cleaned" by exchanging non-printable characters with spaces. +Specifically characters (ASCII 0 through 31) and (ASCII 127) will become ASCII 32 (Space). + =back =head2 Formatting Time diff --git a/editversions.cgi b/editversions.cgi index 43816e6aa..be2c8a3c6 100755 --- a/editversions.cgi +++ b/editversions.cgi @@ -130,6 +130,9 @@ if ($action eq 'new') { # Cleanups and valididy checks $version_name || ThrowUserError('version_blank_name'); + # Remove unprintable characters + $version_name = clean_text($version_name); + my $version = new Bugzilla::Version($product->id, $version_name); if ($version) { ThrowUserError('version_already_exists', 
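Review bot: In the new `clean_text`, the substitution replaces every control character with a space instead of removing it, so `"\x01foo\x7F"` comes back as `" foo "` and a name made only of control characters becomes a non-empty run of spaces — callers must re-trim and re-check for emptiness, and neither the inline comment nor the POD says so. The class `[\x00-\x1F\x7F]` is also the 7-bit set only; should a decoded wide-character string reach this function, C1 controls (U+0080–U+009F) and the U+2028/U+2029 line separators pass through, which I cannot rule out from this hunk. On style, `my ($dtext) = shift;` assigns a scalar in list context and reads as a slip; `my $dtext = shift;` is the idiom, and an undef argument will warn from the `s///g` under `use warnings`. I would state the contract above the sub: `# Replace ASCII control characters (0x00-0x1F, 0x7F) with spaces; the result may gain leading/trailing spaces, so callers should trim it. Non-ASCII controls are left untouched.`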
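Review bot: `clean_text` runs after `$version_name || ThrowUserError('version_blank_name')`, so a submitted name consisting only of non-whitespace controls (e.g. `"\x01"`) passes the blank check and is then turned into `" "`, and a version whose name is a single space gets created; controls at either end likewise survive as edge spaces (presumably `$version_name` was trimmed earlier, but `trim`'s `\s` does not cover `\x01`–`\x08`, `\x0E`–`\x1F` or `\x7F`). Reorder and re-trim: `$version_name = trim(clean_text($version_name));` followed by `$version_name || ThrowUserError('version_blank_name');`. Passing the cleaned name into the duplicate lookup on the next line is right — the stored form is what must be compared. Note also that the commit title says newlines should be rejected, while this code silently rewrites the name; if rejection is the intent, throw a user error when `$version_name ne clean_text($version_name)` instead of normalising.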
@@ -242,6 +245,10 @@ if ($action eq 'edit') { if ($action eq 'update') { $version_name || ThrowUserError('version_not_specified'); + + # Remove unprintable characters + $version_name = clean_text($version_name); + my $version_old_name = trim($cgi->param('versionold') || ''); my $version_old = Bugzilla::Version::check_version($product, -- cgit v1.2.1
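Review bot: The same ordering problem as in the 'new' branch appears here: `$version_name || ThrowUserError('version_not_specified')` is evaluated before `clean_text`, so a name made only of non-whitespace control characters passes the check and then proceeds as a run of spaces, and edge controls (`\x01`–`\x08`, `\x0E`–`\x1F`, `\x7F`, which `trim`'s `\s` does not strip) become leading or trailing spaces. Swap the two lines and re-trim: `$version_name = trim(clean_text($version_name));` then `$version_name || ThrowUserError('version_not_specified');`. The `if ($action eq 'update')` block runs past the end of this hunk, so I cannot see whether the cleaned name is checked against existing versions before the rename is written; it should be, since cleaning can make two distinct inputs collide.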