Bug 101380: Newlines, nulls, leading/trailing spaces are getting into summaries
authormozilla%colinogilvie.co.uk <>
Mon, 9 Jan 2006 03:54:34 +0000 (03:54 +0000)
committermozilla%colinogilvie.co.uk <>
Mon, 9 Jan 2006 03:54:34 +0000 (03:54 +0000)
Patch by Paul <pdemarco@zoominternet.net> and Colin Ogilvie <colin.ogilvie@gmail.com>; r/a=justdave

Bugzilla/Util.pm
checksetup.pl
post_bug.cgi
process_bug.cgi

index 3374d2c115b9a802feb4c0d49ce8520cca5b64fb..9d5f40ffb6bc97add1b1762d0498efe72205569b 100644 (file)
@@ -39,7 +39,7 @@ use base qw(Exporter);
                              trim wrap_comment find_wrap_point
                              format_time format_time_decimal
                              file_mod_time
-                             bz_crypt);
+                             bz_crypt clean_text);
 
 use Bugzilla::Config;
 use Bugzilla::Error;
@@ -359,6 +359,12 @@ sub ValidateDate {
     } 
 }
 
+sub clean_text {
+    my ($dtext) = shift;
+    $dtext =~ s/[\x00-\x1F\x7F]+/ /g;   # change control characters to a space
+    return trim($dtext);
+}
+
 1;
 
 __END__
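Review bot: clean_text runs the substitution without checking that its argument is defined, and the post_bug.cgi hunk in this commit calls it before that script's `!defined` test. A request with no short_desc therefore reaches `s///` on undef and will emit an "uninitialized value" warning where warnings are enabled. A guard such as `return $dtext unless defined $dtext;` ahead of the substitution avoids that and leaves the decision to the caller's later check. The character class covers only ASCII 0-31 and 127, so bytes above 0x7F pass through unchanged; a comment such as `# ASCII control characters only; bytes >= 0x80 are left as-is` would record that this is intended.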
@@ -611,6 +617,10 @@ Takes a string and returns a C<crypt>ed value for it, using a random salt.
 Please always use this function instead of the built-in perl "crypt"
 when initially encrypting a password.
 
+=item C<clean_text($str)>
+Returns the parameter "cleaned" by exchanging non-printable characters with a space.
+Specifically characters (ASCII 0 through 31) and (ASCII 127) will become ASCII 32 (Space).
+
 =begin undocumented
 
 Random salts are generated because the alternative is usually
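Review bot: The new `=item C<clean_text($str)>` line is followed directly by its description with no blank line between them. A POD command paragraph runs to the next blank line, so formatters will treat both description sentences as part of the item heading. Insert an empty line after the `=item` line. The text also says "non-printable characters" while the function only replaces ASCII 0-31 and 127; "ASCII control characters" would match the code more closely.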
index 4d38c35533c79f14f0e56081b378ea66e74559c2..2cf33249daf7ddbe5734919eca15a075324386b0 100755 (executable)
@@ -4168,6 +4168,25 @@ if (@$broken_nonopen_series) {
     print " done.\n";
 }
 
+# Fixup for Bug 101380
+# "Newlines, nulls, leading/trailing spaces are getting into summaries"
+
+my $controlchar_bugs =
+    $dbh->selectall_arrayref("SELECT short_desc, bug_id FROM bugs WHERE " .
+                             "'short_desc' " . $dbh->sql_regexp . 
+                             " '[[:cntrl:]]'");
+if (@$controlchar_bugs)
+{
+    print 'Cleaning control characters from bug summaries...';
+    foreach (@$controlchar_bugs) {
+        my ($short_desc, $bug_id) = @$_;
+        print " $bug_id...";
+        $short_desc = clean_text($short_desc);
+        $dbh->do("UPDATE bugs SET short_desc = ? WHERE bug_id = ?",
+                 undef, $short_desc, $bug_id);
+    }
+    print " done.\n";
+}
 
 # If you had to change the --TABLE-- definition in any way, then add your
 # differential change code *** A B O V E *** this comment.
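Review bot: The WHERE clause quotes the column as `'short_desc'`, which SQL treats as a string literal rather than a column reference. The regexp is then matched against the constant text, so the query should select no rows and the cleanup loop below it would never run on existing summaries. Dropping the quotes fixes it: `"short_desc " . $dbh->sql_regexp .`. It is also worth confirming that `[[:cntrl:]]` is accepted by every backend behind `sql_regexp`, since clean_text itself uses the explicit range `[\x00-\x1F\x7F]`.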
index bd0f73e16f3d0cd8cc3bf30bb33fad2f6545703c..0277229d2fbc1af92e94adcb73d92f0066298f6d 100755 (executable)
@@ -110,8 +110,11 @@ my $component_id = get_component_id($product_id,
                                     scalar($cgi->param('component')));
 $component_id || ThrowUserError("require_component");
 
+# Set the parameter to itself, but cleaned up
+$cgi->param('short_desc', clean_text($cgi->param('short_desc')));
+
 if (!defined $cgi->param('short_desc')
-    || trim($cgi->param('short_desc')) eq "") {
+    || $cgi->param('short_desc') eq "") {
     ThrowUserError("require_summary");
 }
 
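Review bot: The added call evaluates `$cgi->param('short_desc')` in list context inside clean_text's argument list, whereas the context line just above wraps its lookup as `scalar($cgi->param('component'))`. clean_text takes only the first value via `shift`, so a repeated short_desc parameter is silently reduced to its first occurrence, and an absent one arrives as an empty argument list. Writing `clean_text(scalar $cgi->param('short_desc'))` makes the single-value intent explicit. The same applies to the line added in the process_bug.cgi hunk, where the `trim(...)` in the following `if` is now redundant because clean_text already trims.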
index 7d84bfee6543bc025d911e6e839a8c94ebc0b5e1..49c4216ee6592035e3e45fe4317976c10ffad2e5 100755 (executable)
@@ -610,6 +610,7 @@ if (defined $cgi->param('id')) {
     CheckFormFieldDefined($cgi, 'bug_file_loc');
     CheckFormFieldDefined($cgi, 'short_desc');
     CheckFormFieldDefined($cgi, 'longdesclength');
+    $cgi->param('short_desc', clean_text($cgi->param('short_desc')));
 
     if (trim($cgi->param('short_desc')) eq "") {
         ThrowUserError("require_summary");