Bug 600464: (CVE-2010-3172) [SECURITY] Content/Header injection due to non-random...

r=mkanat a=LpSolit

diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 6b6009517052d435e4bec0ab08eed1a5fd8cf3af..1dfca0a60401532f128ad08db9539d90a8bbb15d 100644 (file)
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -225,7 +225,8 @@ sub multipart_init {
     }
 
     # Set the MIME boundary and content-type
-    my $boundary = $param{'-boundary'} || '------- =_aaaaaaaaaa0';
+    my $boundary = $param{'-boundary'}
+        || '------- =_' . generate_random_password(16);
     delete $param{'-boundary'};
     $self->{'separator'} = "\r\n--$boundary\r\n";
     $self->{'final_separator'} = "\r\n--$boundary--\r\n";