From: Reed Loden
Date: Mon, 24 Jan 2011 18:15:04 +0000 (-0800)
Subject: Bug 621572: (CVE-2010-4572) [SECURITY] chart.cgi vulnerable to header-injection due...
X-Git-Tag: bugzilla-3.4.10~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=777d754f30dfc0c70806f8e8aa2808dfd5818b9a;p=thirdparty%2Fbugzilla.git

Bug 621572: (CVE-2010-4572) [SECURITY] chart.cgi vulnerable to header-injection due to use of |print "Location:"| instead of $cgi->redirect [r=mkanat a=LpSolit]
---
diff --git a/chart.cgi b/chart.cgi
index 61745ab779..e8e9271953 100755
--- a/chart.cgi
+++ b/chart.cgi
@@ -65,8 +65,8 @@ local our $vars = {};
 # Go back to query.cgi if we are adding a boolean chart parameter.
 if (grep(/^cmd-/, $cgi->param())) {
 my $params = $cgi->canonicalise_query("format", "ctype", "action");
- print "Location: query.cgi?format=" . $cgi->param('query_format') .
- ($params ? "&$params" : "") . "\n\n";
+ print $cgi->redirect("query.cgi?format=" . $cgi->param('query_format') .
+ ($params ? "&$params" : ""));
 exit;
 }
@@ -89,7 +89,7 @@ $action ||= "assemble";
 # Go to buglist.cgi if we are doing a search.
 if ($action eq "search") {
 my $params = $cgi->canonicalise_query("format", "ctype", "action");
- print "Location: buglist.cgi" . ($params ? "?$params" : "") . "\n\n";
+ print $cgi->redirect("buglist.cgi" . ($params ? "?$params" : ""));
 exit;
 }
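Review bot: The `query_format` value on the first added line of the first hunk is still concatenated into the redirect target without percent-encoding, so a value containing `&` or `#` can rewrite the query string that query.cgi receives even though $cgi->redirect now keeps CR/LF out of the response headers. I would encode it at the point of use, `print $cgi->redirect("query.cgi?format=" . CGI::escape(scalar $cgi->param('query_format')) . ($params ? "&$params" : ""));` (or the project's own URL-quoting helper if this file already imports one); `scalar` is needed because a function argument list would otherwise call param() in list context. The second hunk only appends `$params` from canonicalise_query, which presumably already encodes its components, so it does not need the same treatment. Both hunks keep passing a relative URL to redirect(), which CGI.pm's documentation asks to be a full URL; that is unchanged from the old code and a follow-up rather than a regression.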