From: Max Kanat-Alexander
Date: Mon, 8 Feb 2010 23:51:51 +0000 (-0800)
Subject: Bug 544990: Allow directory names in page.cgi ids
X-Git-Tag: bugzilla-3.6rc1~57
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c2234fa7e58bba545ce27a2784f073741a297732;p=thirdparty%2Fbugzilla.git

Bug 544990: Allow directory names in page.cgi ids

r=LpSolit, a=mkanat
---

diff --git a/page.cgi b/page.cgi
index cd6cb611ec..9326229a5d 100755
--- a/page.cgi
+++ b/page.cgi
@@ -66,9 +66,9 @@ my $template = Bugzilla->template;
 my $id = $cgi->param('id');
 if ($id) {
-    # Remove all dodgy chars, and split into name and ctype.
-    $id =~ s/[^\w\-\.]//g;
-    $id =~ /(.*)\.(.*)/;
+    # Split into name and ctype, but be careful not to allow directory
+    # traversal.
+    $id =~ /^([\w\-\/]+)\.(\w+)$/;
     if (!$2) {
         # if this regexp fails to match completely, something bad came in
         ThrowCodeError("bad_page_cgi_id", { "page_id" => $id });