From: lpsolit%gmail.com <> Date: Sun, 15 Oct 2006 04:32:36 +0000 (+0000) Subject: Bug 355728: [SECURITY] XSS in the "id" parameter of showdependencygraph.cgi when... X-Git-Tag: bugzilla-2.18.6~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d5c346483abcb22e3d6ab8d24336433205b4902b;p=thirdparty%2Fbugzilla.git Bug 355728: [SECURITY] XSS in the "id" parameter of showdependencygraph.cgi when "doall" is set - Patch by Max Kanat-Alexander r=LpSolit a=justdave --- diff --git a/docs/rel_notes.txt b/docs/rel_notes.txt index 7805b3c99e..175b432161 100644 --- a/docs/rel_notes.txt +++ b/docs/rel_notes.txt @@ -729,11 +729,11 @@ http://www.bugzilla.org/security/2.18.4/ Version 2.18.6 -------------- -The Bugzilla team fixed three security flaws that existed in +The Bugzilla team fixed four security flaws that existed in versions of Bugzilla prior to this one. They were cross-site -scripting and information leak flaws. None of them were of -critical severity, though we still strongly recommend that you -update any 2.18.x installation to at least 2.18.6, to be safe. +scripting and information leak flaws. We strongly recommend that you +update any 2.18.x installation to at least 2.18.6, to be safe. + You can see details at: http://www.bugzilla.org/security/2.18.5/ diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi index 2b029bf7e5..a3181c5761 100755 --- a/showdependencygraph.cgi +++ b/showdependencygraph.cgi @@ -276,7 +276,9 @@ foreach my $f (@files) } } -$vars->{'bug_id'} = $cgi->param('id'); +# Make sure we only include valid integers (protects us from XSS attacks). +my @bugs = grep(detaint_natural($_), split(/[\s,]+/, $cgi->param('id'))); +$vars->{'bug_id'} = join(', ', @bugs); $vars->{'multiple_bugs'} = ($cgi->param('id') =~ /[ ,]/); $vars->{'doall'} = $cgi->param('doall'); $vars->{'rankdir'} = $rankdir;
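Review bot: in the docs/rel_notes.txt hunk the count changes from three to four flaws and the "None of them were of critical severity" sentence is dropped, but the advisory link below it still points at http://www.bugzilla.org/security/2.18.5/; confirm that page covers the fourth (showdependencygraph.cgi) issue, or the notes send readers to an advisory that does not describe the fix in this commit. The added empty "+" line before "You can see details at:" also introduces a stray blank line between the paragraph and its link that the surrounding text does not use.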
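Review bot: in the showdependencygraph.cgi hunk, `$vars->{'bug_id'}` is now built from the filtered `@bugs` list, but the next line still derives `$vars->{'multiple_bugs'}` from the raw `$cgi->param('id')` with `/[ ,]/`, so an input such as "5,foo" yields one valid id while `multiple_bugs` is true, and tab-separated ids are split by `/[\s,]+/` but never set `multiple_bugs` at all. Suggest computing it from the filtered list, e.g. `$vars->{'multiple_bugs'} = (scalar(@bugs) > 1);`, so both template variables agree. Note also that the `grep` relies on `detaint_natural($_)` untainting each element through `$_` as a side effect; a comment saying so would keep a later reader from replacing it with a pure test.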