diff options
author | Frédéric Buclin <LpSolit@gmail.com> | 2015-12-22 18:58:16 +0100 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2015-12-22 18:58:16 +0100 |
commit | dc076edefa70576ee6de4511311a1926a56b79fa (patch) | |
tree | bbf4a43862ec163e8059addfc410d05a2f987cc1 | |
parent | 396ae88235ef68ed45978dfb36774c5fe9a2d699 (diff) | |
download | bugs-dc076edefa70576ee6de4511311a1926a56b79fa.tar bugs-dc076edefa70576ee6de4511311a1926a56b79fa.tar.gz bugs-dc076edefa70576ee6de4511311a1926a56b79fa.tar.bz2 bugs-dc076edefa70576ee6de4511311a1926a56b79fa.tar.xz bugs-dc076edefa70576ee6de4511311a1926a56b79fa.zip |
Bug 1221518: (CVE-2015-8508) [SECURITY] XSS in dependency graphs when displaying the bug summary
r=gerv a=dkl
-rwxr-xr-x | showdependencygraph.cgi | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi index e3e54c4d8..476df1e8e 100755 --- a/showdependencygraph.cgi +++ b/showdependencygraph.cgi @@ -61,7 +61,7 @@ sub CreateImagemap { # Pick up bugid from the mapdata label field. Getting the title from # bugtitle hash instead of mapdata allows us to get the summary even # when showsummary is off, and also gives us status and resolution. - my $bugtitle = html_quote(clean_text($bugtitles{$bugid})); + my $bugtitle = $bugtitles{$bugid}; $map .= qq{<area alt="bug $bugid" name="bug$bugid" shape="rect" } . qq{title="$bugtitle" href="$url" } . qq{coords="$leftx,$topy,$rightx,$bottomy">\n}; @@ -180,13 +180,16 @@ foreach my $k (@bug_ids) { # Retrieve bug information from the database my ($stat, $resolution, $summary) = $dbh->selectrow_array($sth, undef, $k); - # Resolution and summary are shown only if user can see the bug - if (!$user->can_see_bug($k)) { + $vars->{'short_desc'} = $summary if ($k eq $cgi->param('id')); + + # The bug summary is shown only if the user can see the bug. + if ($user->can_see_bug($k)) { + $summary = html_quote(clean_text($summary)); + } + else { $summary = ''; } - $vars->{'short_desc'} = $summary if ($k eq $cgi->param('id')); - my @params; if ($summary ne "" && $cgi->param('showsummary')) { |