From f208e298e2ac9836c8138449a0691f6deb850c4a Mon Sep 17 00:00:00 2001
From: "justdave%syndicomm.com" <>
Date: Wed, 4 Jul 2001 14:05:59 +0000
Subject: Fix for bug 87701: Invalid username in bug changes echoed back without escaping HTML data Patch by Gervase Markham r= justdave@syndicomm.com
---
 CGI.pl | 9 ++++++---
 defparams.pl | 6 +++---
 globals.pl | 1 +
 3 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/CGI.pl b/CGI.pl
index 09ab23c07..d7782f7e8 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -659,7 +659,7 @@ sub quietly_check_login() {
 sub CheckEmailSyntax {
 my ($addr) = (@_);
 my $match = Param('emailregexp');
- if ($addr !~ /$match/) {
+ if ($addr !~ /$match/ || $addr =~ /[\\\(\)<>&,;:"\[\] \t\r\n]/) {
 print "Content-type: text/html\n\n";
 # For security, escape HTML special characters.
@@ -669,8 +669,11 @@ sub CheckEmailSyntax {
 print "The e-mail address you entered\n";
 print "($addr) didn't match our minimal\n";
 print "syntax checking for a legal email address.\n";
- print Param('emailregexpdesc');
- print "
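Review bot: The new condition on the `if` line is a denylist, so characters it does not name — `'`, `/`, `%`, and control characters other than tab, CR and LF — still pass into the rest of the system; an allowlist describing what a legal address may contain would be the more robust form, and the chosen set deserves a comment stating why these characters in particular are rejected, e.g. `# Reject characters that are unsafe in HTML output or mail headers even when emailregexp admits them.`. `$match` is an admin-supplied parameter interpolated into the pattern unchanged, which predates this commit but now sits next to the new `||`; a malformed `emailregexp` value would make this match die at runtime. CheckEmailSyntax continues past the end of the hunk.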

Please click back and try again.\n";
+ print Param('emailregexpdesc') . "\n";
+ print "It must also not contain any of these special characters: " .
+ "\\ ( ) & < > , ; : \" [ ] " .
+ "or any whitespace.\n";
+ print "

Please click Back and try again.\n";
 PutFooter();
 exit;
 }
diff --git a/defparams.pl b/defparams.pl
index 1b99751bc..0bb47d59f 100644
--- a/defparams.pl
+++ b/defparams.pl
@@ -529,14 +529,14 @@ DefParam("expectbigqueries", 0);
 DefParam("emailregexp",
- 'This defines the regexp to use for legal email addresses. The default tries to match fully qualified email addresses. Another popular value to put here is ^[^@, ]*$, which means "local usernames, no @ allowed.',
+ 'This defines the regexp to use for legal email addresses. The default tries to match fully qualified email addresses. Another popular value to put here is ^[^@]*$, which means "local usernames, no @ allowed.',
 "t",
- q:^[^@, ]*@[^@, ]*\\.[^@, ]*$:);
+ q:^[^@]*@[^@]*\\.[^@]*$:);
 DefParam("emailregexpdesc",
 "This describes in english words what kinds of legal addresses are allowed by the emailregexp param.",
 "l",
- "A legal address must contain exactly one '\@', and at least one '.' after the \@, and may not contain any commas or spaces.");
+ "A legal address must contain exactly one '\@', and at least one '.' after the \@.");
 DefParam("emailsuffix",
 "This is a string to append to any email addresses when actually sending mail to that address. It is useful if you have changed the emailregexp param to only allow local usernames, but you want the mail to be delivered to username\@my.local.hostname.",
diff --git a/globals.pl b/globals.pl
index 81efb4745..736cb431a 100644
--- a/globals.pl
+++ b/globals.pl
@@ -695,6 +695,7 @@ sub DBname_to_id {
 sub DBNameToIdAndCheck {
 my ($name, $forceok) = (@_);
+ $name = html_quote($name);
 my $result = DBname_to_id($name);
 if ($result > 0) {
 return $result;
--
cgit v1.2.1
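Review bot: The new literal that lists the forbidden characters is printed raw into a `text/html` response (the Content-type header is set in the preceding hunk), so the `&`, `<` and `>` inside `"\\ ( ) & < > , ; : \" [ ] "` reach the browser as markup rather than as text; write them as entities, `+ "\\ ( ) &amp; &lt; &gt; , ; : \" [ ] " .`. The rewritten `print Param('emailregexpdesc') . "\n";` line still emits admin-controlled text unescaped, which is lower risk but the same class of issue. The closing brace at the end of the hunk closes the `if`; CheckEmailSyntax itself continues outside the hunk.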
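Review bot: The new default `q:^[^@]*@[^@]*\\.[^@]*$:` still accepts an empty local part and empty domain labels (`@.` matches), and `$` also matches before a trailing newline, so on its own it does not enforce the "fully qualified" promise in its description; if tightening the default is acceptable for existing installs, `q:^[^@]+@[^@]+\\.[^@]+\z:` would, though the newline case is now also caught by the denylist added in CGI.pl. Separately, the new description line is missing the closing quote after `no @ allowed.`, carried over from the old text: `... which means "local usernames, no @ allowed".`.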
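Review bot: `$name = html_quote($name);` escapes the value before it is used as the lookup key in `DBname_to_id($name)`, so an existing account whose name contains any character html_quote rewrites would no longer be found, and the lookup's correctness now silently depends on the input denylist added in CGI.pl keeping such names out of the database. The escape belongs at the point where `$name` is echoed into HTML, which lies past the end of this hunk; keep the raw value for the lookup and quote a copy for the error output, e.g. `my $result = DBname_to_id($name);` followed by `my $safe_name = html_quote($name);` used only in the message. Whether DBname_to_id applies SQL quoting itself is not visible here, and the `$forceok` path and the error reporting are outside the hunk.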