From: justdave%syndicomm.com <> Date: Wed, 4 Jul 2001 14:05:59 +0000 (+0000) Subject: Fix for bug 87701: Invalid username in bug changes echoed back without escaping HTML... X-Git-Tag: bugzilla-2.14~59 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f208e298e2ac9836c8138449a0691f6deb850c4a;p=thirdparty%2Fbugzilla.git Fix for bug 87701: Invalid username in bug changes echoed back without escaping HTML data Patch by Gervase Markham r= justdave@syndicomm.com
---
diff --git a/CGI.pl b/CGI.pl
index 09ab23c076..d7782f7e84 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -659,7 +659,7 @@ sub quietly_check_login() {
 sub CheckEmailSyntax {
     my ($addr) = (@_);
     my $match = Param('emailregexp');
-    if ($addr !~ /$match/) {
+    if ($addr !~ /$match/ || $addr =~ /[\\\(\)<>&,;:"\[\] \t\r\n]/) {
         print "Content-type: text/html\n\n";
         # For security, escape HTML special characters.
@@ -669,8 +669,11 @@ sub CheckEmailSyntax {
         print "The e-mail address you entered\n";
         print "($addr) didn't match our minimal\n";
         print "syntax checking for a legal email address.\n";
-        print Param('emailregexpdesc');
-        print "
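Review bot: The character class added on the `if` line rejects only space, tab, CR and LF, while the message the next hunk prints promises that "any whitespace" is rejected, so form feed and vertical tab pass the syntax check and reach whatever later stores or mails the address. Using `\s` inside the class makes the code match the documented rule, and the parentheses need no escaping inside a class: `if ($addr !~ /$match/ || $addr =~ /[\\()<>&,;:"\[\]\s]/) {`. `$match` is still interpolated unquoted from Param('emailregexp'), which is acceptable only while that parameter remains administrator-controlled; a one-line comment stating that assumption would spare the next reader the check. The rest of CheckEmailSyntax, including the escaping the trailing comment announces, is outside this hunk.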

Please click back and try again.\n"; + print Param('emailregexpdesc') . "\n"; + print "It must also not contain any of these special characters: " . + "\\ ( ) & < > , ; : \" [ ] " . + "or any whitespace.\n"; + print "

Please click Back and try again.\n";
         PutFooter();
         exit;
     }
diff --git a/defparams.pl b/defparams.pl
index 1b99751bcb..0bb47d59f1 100644
--- a/defparams.pl
+++ b/defparams.pl
@@ -529,14 +529,14 @@ DefParam("expectbigqueries", 0);
 DefParam("emailregexp",
-         'This defines the regexp to use for legal email addresses. The default tries to match fully qualified email addresses. Another popular value to put here is ^[^@, ]*$, which means "local usernames, no @ allowed.',
+         'This defines the regexp to use for legal email addresses. The default tries to match fully qualified email addresses. Another popular value to put here is ^[^@]*$, which means "local usernames, no @ allowed.',
          "t",
-         q:^[^@, ]*@[^@, ]*\\.[^@, ]*$:);
+         q:^[^@]*@[^@]*\\.[^@]*$:);
 DefParam("emailregexpdesc",
          "This describes in english words what kinds of legal addresses are allowed by the emailregexp param.",
          "l",
-         "A legal address must contain exactly one '\@', and at least one '.' after the \@, and may not contain any commas or spaces.");
+         "A legal address must contain exactly one '\@', and at least one '.' after the \@.");
 DefParam("emailsuffix",
          "This is a string to append to any email addresses when actually sending mail to that address. It is useful if you have changed the emailregexp param to only allow local usernames, but you want the mail to be delivered to username\@my.local.hostname.",
diff --git a/globals.pl b/globals.pl
index 81efb4745c..736cb431ae 100644
--- a/globals.pl
+++ b/globals.pl
@@ -695,6 +695,7 @@ sub DBname_to_id {
 sub DBNameToIdAndCheck {
     my ($name, $forceok) = (@_);
+    $name = html_quote($name);
     my $result = DBname_to_id($name);
     if ($result > 0) {
         return $result;
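Review bot: The new `print "It must also not contain any of these special characters: " .` statement writes `&`, `<` and `>` raw into the text/html body that the `Content-type` line earlier in CheckEmailSyntax announces, so the one list the user has to read verbatim is the one sent as malformed HTML; browsers tolerate `< ` and `> ` but a bare `&` can be swallowed or mis-rendered. Spell those three as entities in that string only: `"\\ ( ) &amp; &lt; &gt; , ; : \" [ ] " .`. The `print "` fragments split across lines in this rendering of the patch look like lost `<br>` markup, so verify the exact text against the original commit rather than this copy. CheckEmailSyntax begins before this hunk.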
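Review bot: The new default `q:^[^@]*@[^@]*\\.[^@]*$:` keeps the `$` anchor, which also matches just before a trailing newline, so `user@host.example` followed by `\n` satisfies this pattern on its own; in this commit it is only rejected because CheckEmailSyntax in CGI.pl separately forbids `\n`. If Param('emailregexp') is ever consulted without that denylist, `\z` is the precise end anchor: `q:^[^@]*@[^@]*\\.[^@]*\z:`. Inside `q:...:` that backslash survives unchanged, as `\\.` already relies on. The pattern still accepts an empty local part, as the old one did, which is fine if intended.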
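Review bot: The added `$name = html_quote($name);` escapes the login before `DBname_to_id($name)` rather than before it is echoed, so the escaped form is what gets looked up: any existing account whose login contains `&`, `<`, `>` or `"` (all accepted by the old emailregexp default) can no longer be resolved, and the `$forceok` path further down, outside this hunk, would act on the sanitised value instead of what the user typed. Escape at the output boundary instead: drop the added line and, in the error branch below the hunk where `$name` is printed, use `html_quote($name)` (or `my $shown = html_quote($name);`) in the message only. html_quote is HTML escaping only; whether `$name` is SQL-quoted inside DBname_to_id is not visible here, so confirm that separately. The rest of DBNameToIdAndCheck is outside the hunk.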