Bug 355728: [SECURITY] XSS in the "id" parameter of showdependencygraph.cgi when...
authorlpsolit%gmail.com <>
Sun, 15 Oct 2006 04:30:45 +0000 (04:30 +0000)
committerlpsolit%gmail.com <>
Sun, 15 Oct 2006 04:30:45 +0000 (04:30 +0000)
docs/rel_notes.txt
showdependencygraph.cgi

index 3d34b223b69d509644123289f177ba1a637daf8b..bfe5cb27408b54c5b1f6f9ab8d8003374899d72b 100644 (file)
@@ -712,10 +712,9 @@ No security fixes in this release.
 2.20.3
 ------
 
-The Bugzilla team fixed two Information Leaks and two Cross-Site
+The Bugzilla team fixed two Information Leaks and three Cross-Site
 Scripting vulnerabilities that existed in versions of Bugzilla
-prior to 2.20.3. None of them are considered to be of critical
-severity, but we still strongly recommend that you update any
+prior to 2.20.3. We still strongly recommend that you update any
 2.20.x installation to 2.20.3.
 
 To see details on the vulnerabilities that were fixed, see the
index 5fc794e9b2a6f632f75297b0061d7677723335ac..2f99b16c82be57424af9ccef2ab8788b01bd0502 100755 (executable)
@@ -278,7 +278,9 @@ foreach my $f (@files)
     }
 }
 
-$vars->{'bug_id'} = $cgi->param('id');
+# Make sure we only include valid integers (protects us from XSS attacks).
+my @bugs = grep(detaint_natural($_), split(/[\s,]+/, $cgi->param('id')));
+$vars->{'bug_id'} = join(', ', @bugs);
 $vars->{'multiple_bugs'} = ($cgi->param('id') =~ /[ ,]/);
 $vars->{'doall'} = $cgi->param('doall');
 $vars->{'rankdir'} = $rankdir;
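Review bot: The `multiple_bugs` flag on the line after the new code is still derived from the raw, unfiltered `$cgi->param('id')`, and with a separator class (`/[ ,]/`) that differs from the `/[\s,]+/` used to split it, so an input such as `123 abc` or `123,,` sets `multiple_bugs` even though only one validated id reaches the template. Deriving it from the filtered list keeps the two values consistent: `$vars->{'multiple_bugs'} = (scalar(@bugs) > 1);`. Note also that `split` on an undefined `id` parameter warns under `use warnings`; whether an earlier check in the script guarantees `id` is present is not visible in this hunk, so `$cgi->param('id') // ''` (or the pre-5.10 equivalent) would be a cheap guard if it does not. These statements sit at the script's top level and the surrounding code continues outside the hunk.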