aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2015-12-22 18:58:16 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2015-12-22 18:58:16 +0100
commitdc076edefa70576ee6de4511311a1926a56b79fa (patch)
treebbf4a43862ec163e8059addfc410d05a2f987cc1
parent396ae88235ef68ed45978dfb36774c5fe9a2d699 (diff)
downloadbugs-dc076edefa70576ee6de4511311a1926a56b79fa.tar
bugs-dc076edefa70576ee6de4511311a1926a56b79fa.tar.gz
bugs-dc076edefa70576ee6de4511311a1926a56b79fa.tar.bz2
bugs-dc076edefa70576ee6de4511311a1926a56b79fa.tar.xz
bugs-dc076edefa70576ee6de4511311a1926a56b79fa.zip
Bug 1221518: (CVE-2015-8508) [SECURITY] XSS in dependency graphs when displaying the bug summary
r=gerv a=dkl
-rwxr-xr-xshowdependencygraph.cgi13
1 files changed, 8 insertions, 5 deletions
diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi
index e3e54c4d8..476df1e8e 100755
--- a/showdependencygraph.cgi
+++ b/showdependencygraph.cgi
@@ -61,7 +61,7 @@ sub CreateImagemap {
# Pick up bugid from the mapdata label field. Getting the title from
# bugtitle hash instead of mapdata allows us to get the summary even
# when showsummary is off, and also gives us status and resolution.
- my $bugtitle = html_quote(clean_text($bugtitles{$bugid}));
+ my $bugtitle = $bugtitles{$bugid};
$map .= qq{<area alt="bug $bugid" name="bug$bugid" shape="rect" } .
qq{title="$bugtitle" href="$url" } .
qq{coords="$leftx,$topy,$rightx,$bottomy">\n};
@@ -180,13 +180,16 @@ foreach my $k (@bug_ids) {
# Retrieve bug information from the database
my ($stat, $resolution, $summary) = $dbh->selectrow_array($sth, undef, $k);
- # Resolution and summary are shown only if user can see the bug
- if (!$user->can_see_bug($k)) {
+ $vars->{'short_desc'} = $summary if ($k eq $cgi->param('id'));
+
+ # The bug summary is shown only if the user can see the bug.
+ if ($user->can_see_bug($k)) {
+ $summary = html_quote(clean_text($summary));
+ }
+ else {
$summary = '';
}
- $vars->{'short_desc'} = $summary if ($k eq $cgi->param('id'));
-
my @params;
if ($summary ne "" && $cgi->param('showsummary')) {