Bug 842038: (CVE-2013-0785) [SECURITY] XSS in show_bug.cgi when using an invalid...

r=glob a=LpSolit

diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index 153812e96f794e6bd5920970b5a99585b8453e97..5ddbb35e558d302d574aa1de0a0a0a2b335ba9eb 100644 (file)
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -128,6 +128,7 @@ sub get_format {
     return
     {
         'template'    => $template,
+        'format'      => $format,
         'extension'   => $ctype,
         'ctype'       => Bugzilla::Constants::contenttypes->{$ctype}
     };

diff --git a/show_bug.cgi b/show_bug.cgi
index 64d2e875fb3e66c033535c1ab6a770cd39008518..479c6bd6e74906ef69f1073f6cb9e132284a3e98 100755 (executable)
--- a/show_bug.cgi
+++ b/show_bug.cgi
@@ -37,9 +37,11 @@ my $vars = {};
 
 my $user = Bugzilla->login();
 
+my $format = $template->get_format("bug/show", scalar $cgi->param('format'),
+                                   scalar $cgi->param('ctype'));
+
 # Editable, 'single' HTML bugs are treated slightly specially in a few places
-my $single = !$cgi->param('format')
-  && (!$cgi->param('ctype') || $cgi->param('ctype') eq 'html');
+my $single = !$format->{format} && $format->{extension} eq 'html';
 
 # If we don't have an ID, _AND_ we're only doing a single bug, then prompt
 if (!$cgi->param('id') && $single) {
@@ -49,9 +51,6 @@ if (!$cgi->param('id') && $single) {
     exit;
 }
 
-my $format = $template->get_format("bug/show", scalar $cgi->param('format'), 
-                                   scalar $cgi->param('ctype'));
-
 my @bugs = ();
 my %marks;
 
@@ -125,5 +124,5 @@ $vars->{'displayfields'} = \%displayfields;
 
 print $cgi->header($format->{'ctype'});
 
-$template->process("$format->{'template'}", $vars)
+$template->process($format->{'template'}, $vars)
   || ThrowTemplateError($template->error());