Bug 600464: (CVE-2010-3172) [SECURITY] Content/Header injection due to non-random...

author Byron Jones <glob@glob.com.au>

Tue, 2 Nov 2010 23:21:42 +0000 (00:21 +0100)

committer Frédéric Buclin <LpSolit@gmail.com>

Tue, 2 Nov 2010 23:21:42 +0000 (00:21 +0100)
author Byron Jones <glob@glob.com.au>
Tue, 2 Nov 2010 23:21:42 +0000 (00:21 +0100)
committer Frédéric Buclin <LpSolit@gmail.com>
Tue, 2 Nov 2010 23:21:42 +0000 (00:21 +0100)
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm

index eec5df3745f4b5dc7c190ae808e1f27abb6b0bbe..01880994695170b4a9e4358b3d18f171ca2d4acb 100644 (file)
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -221,7 +221,8 @@ sub multipart_init {
      }
  
      # Set the MIME boundary and content-type
-    my $boundary = $param{'-boundary'} || '------- =_aaaaaaaaaa0';
+    my $boundary = $param{'-boundary'}
+        || '------- =_' . generate_random_password(16);
      delete $param{'-boundary'};
      $self->{'separator'} = "\r\n--$boundary\r\n";
      $self->{'final_separator'} = "\r\n--$boundary--\r\n";
author	Byron Jones <glob@glob.com.au>
	Tue, 2 Nov 2010 23:21:42 +0000 (00:21 +0100)
committer	Frédéric Buclin <LpSolit@gmail.com>
	Tue, 2 Nov 2010 23:21:42 +0000 (00:21 +0100)