sub CheckEmailSyntax {
my ($addr) = (@_);
my $match = Param('emailregexp');
- if ($addr !~ /$match/) {
+ if ($addr !~ /$match/ || $addr =~ /[\\\(\)<>&,;:"\[\] \t\r\n]/) {
print "Content-type: text/html\n\n";
# For security, escape HTML special characters.
print "The e-mail address you entered\n";
print "(<b>$addr</b>) didn't match our minimal\n";
print "syntax checking for a legal email address.\n";
- print Param('emailregexpdesc');
- print "<p>Please click <b>back</b> and try again.\n";
+ print Param('emailregexpdesc') . "\n";
+ print "It must also not contain any of these special characters: " .
+ "<tt>\\ ( ) & < > , ; : \" [ ]</tt> " .
+ "or any whitespace.\n";
+ print "<p>Please click <b>Back</b> and try again.\n";
PutFooter();
exit;
}
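Review bot: The rejection page still prints `$addr` unescaped inside `<b>…</b>` on line 9, even though the comment on line 7 says HTML special characters are escaped; this branch is taken precisely when the new character-class test on line 5 matches, so an address containing `<` or `>` is reflected into the response as-is. Escape it at the point of output: `print "(<b>" . html_quote($addr) . "</b>) didn't match our minimal\n";` (html_quote is already used by this patch in DBNameToIdAndCheck). `Param('emailregexpdesc')` is printed raw too, which is acceptable only because it is an admin-set parameter, presumably the case here; a short comment saying so would stop the next reader from assuming the line-7 comment covers it. The regexp itself comes from `Param('emailregexp')` and is interpolated into `/$match/` unquoted, so it must remain admin-controlled, never user-influenced.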
0);
DefParam("emailregexp",
- 'This defines the regexp to use for legal email addresses. The default tries to match fully qualified email addresses. Another popular value to put here is <tt>^[^@, ]*$</tt>, which means "local usernames, no @ allowed.',
+ 'This defines the regexp to use for legal email addresses. The default tries to match fully qualified email addresses. Another popular value to put here is <tt>^[^@]*$</tt>, which means "local usernames, no @ allowed.',
"t",
- q:^[^@, ]*@[^@, ]*\\.[^@, ]*$:);
+ q:^[^@]*@[^@]*\\.[^@]*$:);
DefParam("emailregexpdesc",
"This describes in english words what kinds of legal addresses are allowed by the <tt>emailregexp</tt> param.",
"l",
- "A legal address must contain exactly one '\@', and at least one '.' after the \@, and may not contain any commas or spaces.");
+ "A legal address must contain exactly one '\@', and at least one '.' after the \@.");
DefParam("emailsuffix",
"This is a string to append to any email addresses when actually sending mail to that address. It is useful if you have changed the <tt>emailregexp</tt> param to only allow local usernames, but you want the mail to be delivered to username\@my.local.hostname.",
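Review bot: The new default `^[^@]*@[^@]*\\.[^@]*$` on line 27 still ends in `$`, which in Perl also matches just before a trailing newline, and each `[^@]*` accepts an empty run, so `@.` and `user@host.` followed by a newline both satisfy the pattern on their own; the whitespace rejection added to CheckEmailSyntax happens to catch the newline case, but the default would be self-contained as `q:^[^@]+@[^@]+\\.[^@]+\z:`, if requiring a non-empty local part and domain label is acceptable. The description on line 24 is also missing its closing `"` after `no @ allowed.`, so the rendered help text ends mid-quote. The example `<tt>^[^@]*$</tt>` in that description has the same `$`-before-newline property, which is worth a word there since admins copy it verbatim.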
sub DBNameToIdAndCheck {
my ($name, $forceok) = (@_);
+ $name = html_quote($name);
my $result = DBname_to_id($name);
if ($result > 0) {
return $result;