From: Frédéric Buclin Date: Tue, 19 Feb 2013 17:30:33 +0000 (+0100) Subject: Bug 842038: (CVE-2013-0785) [SECURITY] XSS in show_bug.cgi when using an invalid... X-Git-Tag: bugzilla-3.6.13~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0dfe1f909dd4e7ec5593f3bfc1b237f87b40532e;p=thirdparty%2Fbugzilla.git Bug 842038: (CVE-2013-0785) [SECURITY] XSS in show_bug.cgi when using an invalid page format r=glob a=LpSolit --- diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index 153812e96f..5ddbb35e55 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -128,6 +128,7 @@ sub get_format { return { 'template' => $template, + 'format' => $format, 'extension' => $ctype, 'ctype' => Bugzilla::Constants::contenttypes->{$ctype} }; diff --git a/show_bug.cgi b/show_bug.cgi index 64d2e875fb..479c6bd6e7 100755 --- a/show_bug.cgi +++ b/show_bug.cgi @@ -37,9 +37,11 @@ my $vars = {}; my $user = Bugzilla->login(); +my $format = $template->get_format("bug/show", scalar $cgi->param('format'), + scalar $cgi->param('ctype')); + # Editable, 'single' HTML bugs are treated slightly specially in a few places -my $single = !$cgi->param('format') - && (!$cgi->param('ctype') || $cgi->param('ctype') eq 'html'); +my $single = !$format->{format} && $format->{extension} eq 'html'; # If we don't have an ID, _AND_ we're only doing a single bug, then prompt if (!$cgi->param('id') && $single) { @@ -49,9 +51,6 @@ if (!$cgi->param('id') && $single) { exit; } -my $format = $template->get_format("bug/show", scalar $cgi->param('format'), - scalar $cgi->param('ctype')); - my @bugs = (); my %marks; @@ -125,5 +124,5 @@ $vars->{'displayfields'} = \%displayfields; print $cgi->header($format->{'ctype'}); -$template->process("$format->{'template'}", $vars) +$template->process($format->{'template'}, $vars) || ThrowTemplateError($template->error());