From ecaf3819ef8907f91134d61453f4e31e630c3c30 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Mon, 5 May 2008 05:05:48 +0000
Subject: [PATCH] =?utf8?q?Bug=20425665:=20[SECURITY]=20XSS=20in=20show=5Fb?=
 =?utf8?q?ug.cgi:=20id=20isn't=20filtered=20for=20format=3Dmultiple=20-=20?=
 =?utf8?q?Patch=20by=20Fr=C3=83=C2=A9d=C3=83=C2=A9ric=20Buclin=20<LpSolit@?=
 =?utf8?q?gmail.com>=20r=3Dmkanat=20r=3Dwurblzap=20a=3DLpSolit?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

---
 show_bug.cgi                                    | 2 +-
 template/en/default/bug/show-multiple.html.tmpl | 6 +++---
 template/en/default/filterexceptions.pl         | 1 -
 3 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/show_bug.cgi b/show_bug.cgi
index 4e3aac982f..782293af5a 100755
--- a/show_bug.cgi
+++ b/show_bug.cgi
@@ -100,7 +100,7 @@ $vars->{'marks'} = \%marks;
 $vars->{'valid_keywords'} = [map($_->name, Bugzilla::Keyword->get_all)];
 $vars->{'use_keywords'} = 1 if Bugzilla::Keyword::keyword_count();
 
-my @bugids = map {$_->bug_id} @bugs;
+my @bugids = map {$_->bug_id} grep {!$_->error} @bugs;
 $vars->{'bugids'} = join(", ", @bugids);
 
 # Next bug in list (if there is one)
diff --git a/template/en/default/bug/show-multiple.html.tmpl b/template/en/default/bug/show-multiple.html.tmpl
index 2562903a60..1442cae4f8 100644
--- a/template/en/default/bug/show-multiple.html.tmpl
+++ b/template/en/default/bug/show-multiple.html.tmpl
@@ -36,12 +36,12 @@
   [% ids = [] %]
   [% FOREACH bug = bugs %]
     [% PROCESS bug_display %]
-    [% ids.push(bug.bug_id) %]
+    [% ids.push(bug.bug_id) UNLESS bug.error %]
   [% END %]
   [% IF ids.size > 1 %]
     <div class="bz_query_buttons">
       <form method="post" action="buglist.cgi">
-        <input type="hidden" name="bug_id" value="[% ids.join(",") FILTER none %]">
+        <input type="hidden" name="bug_id" value="[% ids.join(",") FILTER html %]">
         <input type="submit" id="short_format" value="Short Format">
       </form>
     </div>
@@ -63,7 +63,7 @@
 [% BLOCK bug_display %]
   <h1>
     [% terms.Bug %] 
-    <a href="show_bug.cgi?id=[% bug.bug_id %]">[% bug.bug_id %]</a>
+    <a href="show_bug.cgi?id=[% bug.bug_id FILTER html %]">[% bug.bug_id FILTER html %]</a>
     [% IF Param("usebugaliases") AND bug.alias AND NOT bug.error %]
       (<a href="show_bug.cgi?id=[% bug.alias FILTER url_quote %]">
         [% bug.alias FILTER html %]</a>)
diff --git a/template/en/default/filterexceptions.pl b/template/en/default/filterexceptions.pl
index 2fb8b48e09..c25e400c3f 100644
--- a/template/en/default/filterexceptions.pl
+++ b/template/en/default/filterexceptions.pl
@@ -326,7 +326,6 @@
 ],
 
 'bug/show-multiple.html.tmpl' => [
-  'bug.bug_id', 
   'attachment.id', 
   'flag.status',
 ],
-- 
2.47.2