From: Manish Goregaokar <manishearth@gmail.com>
Date: Thu, 17 Apr 2014 16:37:11 +0000 (+0200)
Subject: Bug 968576: [SECURITY] Dangerous control characters allowed in Bugzilla text
X-Git-Tag: bugzilla-4.2.8~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6066ff31980fddc2eb97b987c5bbd1a931495f1e;p=thirdparty%2Fbugzilla.git

Bug 968576: [SECURITY] Dangerous control characters allowed in Bugzilla text
r=glob a=justdave
---

diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index cd7507963d..08999b27a7 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -672,6 +672,17 @@ sub create {
                 my ($data) = @_;
                 return encode_base64($data);
             },
+
+            # Strips out control characters excepting whitespace
+            strip_control_chars => sub {
+                my ($data) = @_;
+                # Only run for utf8 to avoid issues with other multibyte encodings 
+                # that may be reassigning meaning to ascii characters.
+                if (Bugzilla->params->{'utf8'}) {
+                    $data =~ s/(?![\t\r\n])[[:cntrl:]]//g;
+                }
+                return $data;
+            },
             
             # HTML collapses newlines in element attributes to a single space,
             # so form elements which may have whitespace (ie comments) need
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index c2dbdc97d5..48507ff9e7 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -91,6 +91,10 @@ sub html_quote {
     # Obscure '@'.
     $var =~ s/\@/\&#64;/g;
     if (Bugzilla->params->{'utf8'}) {
+        # Remove control characters if the encoding is utf8.
+        # Other multibyte encodings may be using this range; so ignore if not utf8.
+        $var =~ s/(?![\t\r\n])[[:cntrl:]]//g;
+
         # Remove the following characters because they're
         # influencing BiDi:
         # --------------------------------------------------------
diff --git a/template/en/default/email/bugmail.txt.tmpl b/template/en/default/email/bugmail.txt.tmpl
index 0b349fb156..a3a0b873c2 100644
--- a/template/en/default/email/bugmail.txt.tmpl
+++ b/template/en/default/email/bugmail.txt.tmpl
@@ -32,7 +32,7 @@
 [%- IF comment.count %]
 --- Comment #[% comment.count %] from [% comment.author.identity %] ---
 [% END %]
-[%+ comment.body_full({ is_bugmail => 1, wrap => 1 }) %]
+[%+ comment.body_full({ is_bugmail => 1, wrap => 1 }) FILTER strip_control_chars %]
 [% END %]
 
 -- [%# Protect the trailing space of the signature marker %]
diff --git a/template/en/default/request/email.txt.tmpl b/template/en/default/request/email.txt.tmpl
index fb957484b5..65946a1e19 100644
--- a/template/en/default/request/email.txt.tmpl
+++ b/template/en/default/request/email.txt.tmpl
@@ -84,7 +84,7 @@ Attachment [% attidsummary %]
 [%-# .defined is necessary to avoid a taint issue in Perl < 5.10.1, see bug 509794. %]
 [% IF Bugzilla.cgi.param("comment").defined && Bugzilla.cgi.param("comment").length > 0 %]
 ------- Additional Comments from [% user.identity %]
-[%+ Bugzilla.cgi.param("comment") %]
+[%+ Bugzilla.cgi.param("comment") FILTER strip_control_chars %]
 [% END %]
 
 [%- END %]