From: Frédéric Buclin Date: Tue, 9 Aug 2011 23:59:30 +0000 (+0200) Subject: Bug 677187: If the attachment filename contains a newline, an error is thrown when... X-Git-Tag: bugzilla-4.0.3~33 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6417319375358c0a5ae67c8b9ea1f87342c5059b;p=thirdparty%2Fbugzilla.git Bug 677187: If the attachment filename contains a newline, an error is thrown when trying to download the attachment r=mkanat a=LpSolit
---
diff --git a/Bugzilla/Attachment.pm b/Bugzilla/Attachment.pm
index c111e046a9..b8e6003bb1 100644
--- a/Bugzilla/Attachment.pm
+++ b/Bugzilla/Attachment.pm
@@ -536,9 +536,13 @@ sub _check_content_type {
 }
 $content_type = 'text/plain' if ($is_url || $is_patch);
- $content_type = trim($content_type);
+ $content_type = clean_text($content_type);
+ # The subsets below cover all existing MIME types and charsets registered by IANA.
+ # (MIME type: RFC 2045 section 5.1; charset: RFC 2278 section 3.3)
 my $legal_types = join('|', LEGAL_CONTENT_TYPES);
- if (!$content_type or $content_type !~ /^($legal_types)\/.+$/) {
+ if (!$content_type
+ || $content_type !~ /^($legal_types)\/[a-z0-9_\-\+\.]+(;.+)?$/i)
+ {
 ThrowUserError("invalid_content_type", { contenttype => $content_type });
 }
 trick_taint($content_type);
@@ -615,7 +619,7 @@ sub _check_filename {
 # No file is attached, so it has no name.
 return '' if $is_url;
- $filename = trim($filename);
+ $filename = clean_text($filename);
 $filename || ThrowUserError('file_not_specified');
 # Remove path info (if any) from the file name. The browser should do this
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 423d0df3e9..f3b233f8df 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
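Review bot: In `_check_content_type` the new pattern is still anchored with `^`/`$` and ends in an unrestricted `(;.+)?` tail, so the only thing keeping a line break out of the accepted value is the `clean_text()` call a few lines above (assuming it replaces control characters, as its use for this bug suggests). `trick_taint($content_type)` runs right after the match, which makes this regex the last gate before the value is treated as trusted and, presumably, echoed into a response header when the attachment is served. I would use `\A` and `\z` so a trailing newline cannot pass even if the `clean_text()` call is later moved: `|| $content_type !~ /\A($legal_types)\/[a-z0-9_\-\+\.]+(;.+)?\z/i)`. A comment such as `# clean_text() must run first: the parameter part after ';' is not otherwise restricted` would record that dependency. The function body starts and ends outside the hunk.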
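Review bot: In `_check_filename`, switching `trim()` to `clean_text()` only normalizes names that pass through this validator from now on; attachments already stored with a newline in the filename would, as far as this diff shows, still raise the error on download. The code that builds the download response is not part of this patch, so it is worth confirming that it also normalizes the stored name before placing it in a header, or that existing rows are cleaned in an upgrade step. The call itself would benefit from a why-comment, e.g. `# clean_text() rather than trim(): control characters such as newlines in the name break the download response headers`. The function continues outside the hunk.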
@@ -916,8 +916,9 @@ [% title = "Invalid Content-Type" %] The content type [% contenttype FILTER html %] is invalid. Valid types must be of the form foo/bar where foo - is one of [% constants.LEGAL_CONTENT_TYPES.join(', ') FILTER html %]. - + is one of [% constants.LEGAL_CONTENT_TYPES.join(', ') FILTER html %] + and bar must not contain any special characters (such as "=", "?", ...). + [% ELSIF error == "invalid_context" %] [% title = "Invalid Context" %] The context [% context FILTER html %] is invalid (must be a number,