From: Frédéric Buclin <LpSolit@gmail.com>
Date: Mon, 16 May 2016 18:24:46 +0000 (+0200)
Subject: Bug 1253263 - (CVE-2016-2803) [SECURITY] XSS vulnerability in dependency graphs via... 
X-Git-Tag: bugzilla-4.4.12~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5d47f29f0e30a4c46a39e4f9a9e2b00a435b1908;p=thirdparty%2Fbugzilla.git

Bug 1253263 - (CVE-2016-2803) [SECURITY] XSS vulnerability in dependency graphs via bug summary
r/a=dkl
---

diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi
index 00fd2061a7..4a451c1049 100755
--- a/showdependencygraph.cgi
+++ b/showdependencygraph.cgi
@@ -52,13 +52,19 @@ sub CreateImagemap {
             $default = qq{<area alt="" shape="default" href="$1">\n};
         }
 
-        if ($line =~ /^rectangle \((.*),(.*)\) \((.*),(.*)\) (http[^ ]*) (\d+)(\\n.*)?$/) {
+        if ($line =~ /^rectangle \((\d+),(\d+)\) \((\d+),(\d+)\) (http[^ ]*) (\d+)(?:\\n.*)?$/) {
             my ($leftx, $rightx, $topy, $bottomy, $url, $bugid) = ($1, $3, $2, $4, $5, $6);
 
             # Pick up bugid from the mapdata label field. Getting the title from
             # bugtitle hash instead of mapdata allows us to get the summary even
             # when showsummary is off, and also gives us status and resolution.
+            # This text is safe; it has already been escaped.
             my $bugtitle = $bugtitles{$bugid};
+
+            # The URL is supposed to be safe, because it's built manually.
+            # But in case someone manages to inject code, it's safer to escape it.
+            $url = html_quote($url);
+
             $map .= qq{<area alt="bug $bugid" name="bug$bugid" shape="rect" } .
                     qq{title="$bugtitle" href="$url" } .
                     qq{coords="$leftx,$topy,$rightx,$bottomy">\n};