aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2016-05-16 20:23:43 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2016-05-16 20:23:43 +0200
commit0cc1797afa063761ab7e547bf805b4cb85accb78 (patch)
tree35eabfae15cc8c7aa229b8e1be4072dcc38c2542
parent16dd96bdfdadea63e182f0954f06c187cb83e75b (diff)
downloadbugs-0cc1797afa063761ab7e547bf805b4cb85accb78.tar
bugs-0cc1797afa063761ab7e547bf805b4cb85accb78.tar.gz
bugs-0cc1797afa063761ab7e547bf805b4cb85accb78.tar.bz2
bugs-0cc1797afa063761ab7e547bf805b4cb85accb78.tar.xz
bugs-0cc1797afa063761ab7e547bf805b4cb85accb78.zip
Bug 1253263 - (CVE-2016-2803) [SECURITY] XSS vulnerability in dependency graphs via bug summary
r/a=dkl
-rwxr-xr-xshowdependencygraph.cgi8
1 files changed, 7 insertions, 1 deletions
diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi
index 6d4cb1e71..7b2d2f55d 100755
--- a/showdependencygraph.cgi
+++ b/showdependencygraph.cgi
@@ -55,13 +55,19 @@ sub CreateImagemap {
$default = qq{<area alt="" shape="default" href="$1">\n};
}
- if ($line =~ /^rectangle \((.*),(.*)\) \((.*),(.*)\) (http[^ ]*) (\d+)(\\n.*)?$/) {
+ if ($line =~ /^rectangle \((\d+),(\d+)\) \((\d+),(\d+)\) (http[^ ]*) (\d+)(?:\\n.*)?$/) {
my ($leftx, $rightx, $topy, $bottomy, $url, $bugid) = ($1, $3, $2, $4, $5, $6);
# Pick up bugid from the mapdata label field. Getting the title from
# bugtitle hash instead of mapdata allows us to get the summary even
# when showsummary is off, and also gives us status and resolution.
+ # This text is safe; it has already been escaped.
my $bugtitle = $bugtitles{$bugid};
+
+ # The URL is supposed to be safe, because it's built manually.
+ # But in case someone manages to inject code, it's safer to escape it.
+ $url = html_quote($url);
+
$map .= qq{<area alt="bug $bugid" name="bug$bugid" shape="rect" } .
qq{title="$bugtitle" href="$url" } .
qq{coords="$leftx,$topy,$rightx,$bottomy">\n};