Fix for bug 87701: Invalid username in bug changes echoed back without escaping HTML data

Patch by Gervase Markham <gervase.markham@univ.ox.ac.uk> r= justdave@syndicomm.com

Fix for bug 87701: Invalid username in bug changes echoed back without escaping HTML data
f208e298 · justdave%syndicomm.com · a9ead7b9 · f208e298 · f208e298 · f208e298
Commit f208e298 authored Jul 04, 2001 by justdave%syndicomm.com
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 6 deletions

CGI.pl CGI.pl +6 -3

defparams.pl defparams.pl +3 -3

globals.pl globals.pl +1 -0

No files found.
--- a/CGI.pl
+++ b/CGI.pl
@@ -659,7 +659,7 @@ sub quietly_check_login() {
 sub CheckEmailSyntax {
    my ($addr) = (@_);
    my $match = Param('emailregexp');
-    if ($addr !~ /$match/) {
+    if ($addr !~ /$match/ || $addr =~ /[\\\(\)<>&,;:"\[\] \t\r\n]/) {
        print "Content-type: text/html\n\n";

        # For security, escape HTML special characters.
@@ -669,8 +669,11 @@ sub CheckEmailSyntax {
        print "The e-mail address you entered\n";
        print "(<b>$addr</b>) didn't match our minimal\n";
        print "syntax checking for a legal email address.\n";
-        print Param('emailregexpdesc');
-        print "<p>Please click <b>back</b> and try again.\n";
+        print Param('emailregexpdesc') . "\n";
+        print "It must also not contain any of these special characters: " .
+              "<tt>\\ ( ) &amp; &lt; &gt; , ; : \" [ ]</tt> " .
+              "or any whitespace.\n";
+        print "<p>Please click <b>Back</b> and try again.\n";
        PutFooter();
        exit;
    }

--- a/defparams.pl
+++ b/defparams.pl
@@ -529,14 +529,14 @@ DefParam("expectbigqueries",
         0);

 DefParam("emailregexp",
-         'This defines the regexp to use for legal email addresses.  The default tries to match fully qualified email addresses.  Another popular value to put here is <tt>^[^@, ]*$</tt>, which means "local usernames, no @ allowed.',
+         'This defines the regexp to use for legal email addresses.  The default tries to match fully qualified email addresses.  Another popular value to put here is <tt>^[^@]*$</tt>, which means "local usernames, no @ allowed.',
         "t",
-         q:^[^@, ]*@[^@, ]*\\.[^@, ]*$:);
+         q:^[^@]*@[^@]*\\.[^@]*$:);

 DefParam("emailregexpdesc",
         "This describes in english words what kinds of legal addresses are allowed by the <tt>emailregexp</tt> param.",
         "l",
-         "A legal address must contain exactly one '\@', and at least one '.' after the \@, and may not contain any commas or spaces.");
+         "A legal address must contain exactly one '\@', and at least one '.' after the \@.");

 DefParam("emailsuffix",
         "This is a string to append to any email addresses when actually sending mail to that address.  It is useful if you have changed the <tt>emailregexp</tt> param to only allow local usernames, but you want the mail to be delivered to username\@my.local.hostname.",

--- a/globals.pl
+++ b/globals.pl
@@ -695,6 +695,7 @@ sub DBname_to_id {

 sub DBNameToIdAndCheck {
    my ($name, $forceok) = (@_);
+    $name = html_quote($name);
    my $result = DBname_to_id($name);
    if ($result > 0) {
        return $result;