From: lpsolit%gmail.com <> Date: Sun, 15 Oct 2006 04:30:45 +0000 (+0000) Subject: Bug 355728: [SECURITY] XSS in the "id" parameter of showdependencygraph.cgi when... X-Git-Tag: bugzilla-2.20.3~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=822fa6fbf922407d666b49299a20151206dd4601;p=thirdparty%2Fbugzilla.git Bug 355728: [SECURITY] XSS in the "id" parameter of showdependencygraph.cgi when "doall" is set - Patch by Max Kanat-Alexander r=LpSolit a=justdave --- diff --git a/docs/rel_notes.txt b/docs/rel_notes.txt index 3d34b223b6..bfe5cb2740 100644 --- a/docs/rel_notes.txt +++ b/docs/rel_notes.txt @@ -712,10 +712,9 @@ No security fixes in this release. 2.20.3 ------ -The Bugzilla team fixed two Information Leaks and two Cross-Site +The Bugzilla team fixed two Information Leaks and three Cross-Site Scripting vulnerabilities that existed in versions of Bugzilla -prior to 2.20.3. None of them are considered to be of critical -severity, but we still strongly recommend that you update any +prior to 2.20.3. We still strongly recommend that you update any 2.20.x installation to 2.20.3. To see details on the vulnerabilities that were fixed, see the diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi index 5fc794e9b2..2f99b16c82 100755 --- a/showdependencygraph.cgi +++ b/showdependencygraph.cgi @@ -278,7 +278,9 @@ foreach my $f (@files) } } -$vars->{'bug_id'} = $cgi->param('id'); +# Make sure we only include valid integers (protects us from XSS attacks). +my @bugs = grep(detaint_natural($_), split(/[\s,]+/, $cgi->param('id'))); +$vars->{'bug_id'} = join(', ', @bugs); $vars->{'multiple_bugs'} = ($cgi->param('id') =~ /[ ,]/); $vars->{'doall'} = $cgi->param('doall'); $vars->{'rankdir'} = $rankdir;
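Review bot: in the docs/rel_notes.txt hunk, "We still strongly recommend" loses its antecedent once the "None of them are considered to be of critical severity, but" clause is removed; the "still" was contrasting with that clause. Suggest "We strongly recommend that you update any 2.20.x installation to 2.20.3." so the sentence reads cleanly on its own, and keep the count change to "three Cross-Site Scripting vulnerabilities", which matches the new fix.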
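Review bot: in the showdependencygraph.cgi hunk, the unchanged context line "$vars->{'multiple_bugs'} = ($cgi->param('id') =~ /[ ,]/);" still derives its value from the raw, unfiltered id parameter, so an input such as "123,junk" yields bug_id of just "123" but multiple_bugs set to true; compute it from the filtered list instead, e.g. "$vars->{'multiple_bugs'} = (scalar(@bugs) > 1);". Two smaller points on the same lines: split() on an absent id parameter warns about an uninitialized value under use warnings, so default it with something like "$cgi->param('id') || ''" before splitting; and the new split class [\s,]+ accepts tabs and newlines as separators while the multiple_bugs regex only looks for [ ,], another reason to base both on @bugs. Worth confirming in review that detaint_natural is imported from Bugzilla::Util in this script and that the template rendering bug_id escapes it as well, so the view stays safe independently of this input allowlist.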