Bug 1232785 - [SECURITY] Buglists in CSV format can be parsed as valid javascript...

author Dylan Hardison <dylan@mozilla.com>

Tue, 22 Dec 2015 18:34:38 +0000 (13:34 -0500)

committer Dylan Hardison <dylan@mozilla.com>

Tue, 22 Dec 2015 18:36:39 +0000 (13:36 -0500)
author Dylan Hardison <dylan@mozilla.com>
Tue, 22 Dec 2015 18:34:38 +0000 (13:34 -0500)
committer Dylan Hardison <dylan@mozilla.com>
Tue, 22 Dec 2015 18:36:39 +0000 (13:36 -0500)
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm

index 72d899c4d700c524b883b55cb11fc697b8f225df..cfcbc665547d0e3fb259675a871b79301b62474d 100644 (file)
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -719,6 +719,9 @@ sub create {
              {
                  my ($var) = @_;
                  $var = ' ' . $var if substr($var, 0, 1) eq '=';
+                # backslash is not special to CSV, but it can be used to confuse some browsers...
+                # so we do not allow it to happen. We only do this for logged-in users.
+                $var =~ s/\\/\x{FF3C}/g if Bugzilla->user->id;
                  $var =~ s/\"/\"\"/g;
                  if ($var !~ /^-?(\d+\.)?\d*$/) {
                      $var = "\"$var\"";
author	Dylan Hardison <dylan@mozilla.com>
	Tue, 22 Dec 2015 18:34:38 +0000 (13:34 -0500)
committer	Dylan Hardison <dylan@mozilla.com>
	Tue, 22 Dec 2015 18:36:39 +0000 (13:36 -0500)