Commit d3d080ff authored by Manish Goregaokar's avatar Manish Goregaokar Committed by Frédéric Buclin

Bug 968576: [SECURITY] Dangerous control characters allowed in Bugzilla text

r=glob a=justdave
parent 2f385c10
...@@ -646,6 +646,17 @@ sub create { ...@@ -646,6 +646,17 @@ sub create {
return encode_base64($data); return encode_base64($data);
}, },
# Strips out control characters excepting whitespace
strip_control_chars => sub {
my ($data) = @_;
# Only run for utf8 to avoid issues with other multibyte encodings
# that may be reassigning meaning to ascii characters.
if (Bugzilla->params->{'utf8'}) {
$data =~ s/(?![\t\r\n])[[:cntrl:]]//g;
}
return $data;
},
# HTML collapses newlines in element attributes to a single space, # HTML collapses newlines in element attributes to a single space,
# so form elements which may have whitespace (ie comments) need # so form elements which may have whitespace (ie comments) need
# to be encoded using 
 # to be encoded using 
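Review bot: The `[[:cntrl:]]` class in the new `strip_control_chars` filter matches the C1 range (U+0080–U+009F) only when `$data` is a UTF-8-flagged string; the `Bugzilla->params->{'utf8'}` guard is a site-wide setting, not a property of the string, so if a raw byte string ever reaches this filter those controls would survive. A pattern that applies Unicode rules regardless of the flag avoids the dependency, `$data =~ s/[^\P{Cc}\t\r\n]//g;`, and the identical substitution in the `html_quote` hunk below has the same property. Note also that this filter is narrower than `html_quote` in the same commit, which additionally removes BiDi-influencing characters, so plain-text bugmail built via the two template hunks below (comment body and attachment comment) still carries those; whether that matters for mail clients is worth confirming. The enclosing `create` sub starts before the hunk.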
...@@ -68,6 +68,10 @@ sub html_quote { ...@@ -68,6 +68,10 @@ sub html_quote {
# Obscure '@'. # Obscure '@'.
$var =~ s/\@/\@/g; $var =~ s/\@/\@/g;
if (Bugzilla->params->{'utf8'}) { if (Bugzilla->params->{'utf8'}) {
# Remove control characters if the encoding is utf8.
# Other multibyte encodings may be using this range; so ignore if not utf8.
$var =~ s/(?![\t\r\n])[[:cntrl:]]//g;
# Remove the following characters because they're # Remove the following characters because they're
# influencing BiDi: # influencing BiDi:
# -------------------------------------------------------- # --------------------------------------------------------
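Review bot: The added substitution duplicates the regex from the `strip_control_chars` template filter in the `create` hunk above, so the two filters can drift apart if one is later tightened; a single `strip_control_chars` function in the utility module that both `html_quote` and the template filter call would keep them in sync. A short comment here noting that the same character set is stripped in the template filter would at least make the coupling visible, e.g. `# Keep in sync with the strip_control_chars template filter.`. The `html_quote` body continues past the end of the hunk.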
...@@ -19,7 +19,7 @@ ...@@ -19,7 +19,7 @@
[%- IF comment.count %] [%- IF comment.count %]
--- Comment #[% comment.count %] from [% comment.author.identity %] --- --- Comment #[% comment.count %] from [% comment.author.identity %] ---
[% END %] [% END %]
[%+ comment.body_full({ is_bugmail => 1, wrap => 1 }) %] [%+ comment.body_full({ is_bugmail => 1, wrap => 1 }) FILTER strip_control_chars %]
[% END %] [% END %]
-- [%# Protect the trailing space of the signature marker %] -- [%# Protect the trailing space of the signature marker %]
...@@ -68,7 +68,7 @@ Attachment [% attidsummary %] ...@@ -68,7 +68,7 @@ Attachment [% attidsummary %]
[%-# .defined is necessary to avoid a taint issue in Perl < 5.10.1, see bug 509794. %] [%-# .defined is necessary to avoid a taint issue in Perl < 5.10.1, see bug 509794. %]
[% IF Bugzilla.cgi.param("comment").defined && Bugzilla.cgi.param("comment").length > 0 %] [% IF Bugzilla.cgi.param("comment").defined && Bugzilla.cgi.param("comment").length > 0 %]
------- Additional Comments from [% user.identity %] ------- Additional Comments from [% user.identity %]
[%+ Bugzilla.cgi.param("comment") %] [%+ Bugzilla.cgi.param("comment") FILTER strip_control_chars %]
[% END %] [% END %]
[%- END %] [%- END %]