Bug 355728: [SECURITY] XSS in the "id" parameter of showdependencygraph.cgi when…

Bug 355728: [SECURITY] XSS in the "id" parameter of showdependencygraph.cgi when "doall" is set - Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit a=justdave

Bug 355728: [SECURITY] XSS in the "id" parameter of showdependencygraph.cgi when…
ef822794 · lpsolit%gmail.com · 79b57226 · ef822794 · ef822794
Commit ef822794 authored Oct 15, 2006 by lpsolit%gmail.com
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 5 deletions

rel_notes.txt docs/rel_notes.txt +3 -4

showdependencygraph.cgi showdependencygraph.cgi +3 -1

No files found.
--- a/docs/rel_notes.txt
+++ b/docs/rel_notes.txt
@@ -577,11 +577,10 @@ every login cookie Bugzilla has ever given out.)
 Version 2.22.1
 --------------

-The Bugzilla team fixed two Information Leaks and two Cross-Site
+The Bugzilla team fixed two Information Leaks and three Cross-Site
 Scripting vulnerabilities that existed in versions of Bugzilla
-prior to 2.22.1. None of them are considered to be of critical
-severity, but we still strongly recommend that you update any
-2.22 installation to 2.22.1.
+prior to 2.22.1. We strongly recommend that you update any 2.22 
+installation to 2.22.1, to be protected from these vulnerabilities.

 In addition, we have made an enhancement to security in this version
 of Bugzilla. In previous versions, it was possible for malicious

--- a/showdependencygraph.cgi
+++ b/showdependencygraph.cgi
@@ -276,7 +276,9 @@ foreach my $f (@files)
    }
 }

-$vars->{'bug_id'} = $cgi->param('id');
+# Make sure we only include valid integers (protects us from XSS attacks).
+my @bugs = grep(detaint_natural($_), split(/[\s,]+/, $cgi->param('id')));
+$vars->{'bug_id'} = join(', ', @bugs);
 $vars->{'multiple_bugs'} = ($cgi->param('id') =~ /[ ,]/);
 $vars->{'doall'} = $cgi->param('doall');
 $vars->{'rankdir'} = $rankdir;