Version 2.18.6
--------------
-The Bugzilla team fixed three security flaws that existed in
+The Bugzilla team fixed four security flaws that existed in
versions of Bugzilla prior to this one. They were cross-site
-scripting and information leak flaws. None of them were of
-critical severity, though we still strongly recommend that you
-update any 2.18.x installation to at least 2.18.6, to be safe.
+scripting and information leak flaws. We strongly recommend that you
+update any 2.18.x installation to at least 2.18.6, to be safe.
+
You can see details at:
http://www.bugzilla.org/security/2.18.5/
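Review bot: the count goes from three to four flaws, but the sentence giving their severity ("None of them were of critical severity") is dropped without a replacement, so the note no longer tells administrators how urgent the upgrade is; state the severity of the fourth flaw (or whether the earlier assessment still holds) alongside the "strongly recommend" wording, and confirm that the linked advisory at http://www.bugzilla.org/security/2.18.5/ also covers the newly added flaw.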
}
}
-$vars->{'bug_id'} = $cgi->param('id');
+# Make sure we only include valid integers (protects us from XSS attacks).
+my @bugs = grep(detaint_natural($_), split(/[\s,]+/, $cgi->param('id')));
+$vars->{'bug_id'} = join(', ', @bugs);
$vars->{'multiple_bugs'} = ($cgi->param('id') =~ /[ ,]/);
$vars->{'doall'} = $cgi->param('doall');
$vars->{'rankdir'} = $rankdir;
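Review bot: the unchanged `$vars->{'multiple_bugs'}` line still tests the raw `$cgi->param('id')` for `[ ,]` instead of the filtered list, so an input such as `123,foo` sets `multiple_bugs` while `bug_id` holds a single id, and the split pattern `[\s,]+` accepts whitespace separators that the `[ ,]` test does not; derive it from the validated tokens, e.g. `$vars->{'multiple_bugs'} = (scalar(@bugs) > 1);`. The new code should also handle the case where every token fails `detaint_natural` and `bug_id` becomes an empty string, and a missing `id` parameter will make `split` warn on an undefined value.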