Version 2.22.1
--------------
-The Bugzilla team fixed two Information Leaks and two Cross-Site
+The Bugzilla team fixed two Information Leaks and three Cross-Site
Scripting vulnerabilities that existed in versions of Bugzilla
-prior to 2.22.1. None of them are considered to be of critical
-severity, but we still strongly recommend that you update any
-2.22 installation to 2.22.1.
+prior to 2.22.1. We strongly recommend that you update any 2.22
+installation to 2.22.1, to be protected from these vulnerabilities.
In addition, we have made an enhancement to security in this version
of Bugzilla. In previous versions, it was possible for malicious
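Review bot: dropping the sentence "None of them are considered to be of critical severity" leaves the paragraph with no severity assessment at all, and the replacement only says the fixes exist; since administrators read this text to decide how urgently to upgrade, consider keeping an explicit severity statement (updated if the third XSS changes the assessment) alongside the "we strongly recommend that you update" wording, and confirm the new count of three Cross-Site Scripting fixes matches the fixes actually shipped in 2.22.1.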
}
}
-$vars->{'bug_id'} = $cgi->param('id');
+# Make sure we only include valid integers (protects us from XSS attacks).
+my @bugs = grep(detaint_natural($_), split(/[\s,]+/, $cgi->param('id')));
+$vars->{'bug_id'} = join(', ', @bugs);
$vars->{'multiple_bugs'} = ($cgi->param('id') =~ /[ ,]/);
$vars->{'doall'} = $cgi->param('doall');
$vars->{'rankdir'} = $rankdir;
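Review bot: the unchanged line `$vars->{'multiple_bugs'} = ($cgi->param('id') =~ /[ ,]/);` directly after the hunk still derives its value from the raw `id` parameter rather than from the validated `@bugs` list, so `bug_id` and `multiple_bugs` can disagree (an `id` of `123,abc` yields a `bug_id` of `123` but `multiple_bugs` true, and the template then treats a single bug as a multi-bug graph). Suggest `$vars->{'multiple_bugs'} = (scalar(@bugs) > 1);` so both values come from the same filtered list. Also, `split` receives `undef` when the `id` parameter is absent; `split(/[\s,]+/, ($cgi->param('id') || ''))` keeps the new line quiet in that case.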