Bug 238780: editversions.cgi should reject newline characters (and convert them…

Bugzilla/Util.pm

@@ -42,7 +42,7 @@ use base qw(Exporter);
                              format_time format_time_decimal validate_date
                              file_mod_time is_7bit_clean
                              bz_crypt generate_random_password
-                             validate_email_syntax);
+                             validate_email_syntax clean_text);
 
 use Bugzilla::Config;
 use Bugzilla::Constants;
@@ -390,6 +390,12 @@ sub is_7bit_clean {
     return $_[0] !~ /[^\x20-\x7E\x0A\x0D]/;
 }
 
+sub clean_text {
+    my ($dtext) = shift;
+    $dtext =~  s/[\x00-\x1F\x7F]/ /g;   # change control characters to spaces
+    return $dtext;
+}
+
 1;
 
 __END__
@@ -639,6 +645,10 @@ into the string.
 Returns true is the string contains only 7-bit characters (ASCII 32 through 126,
 ASCII 10 (LineFeed) and ASCII 13 (Carrage Return).
 
+=item C<clean_text($str)>
+Returns the parameter "cleaned" by exchanging non-printable characters with spaces.
+Specifically characters (ASCII 0 through 31) and (ASCII 127) will become ASCII 32 (Space).
+
 =back
 
 =head2 Formatting Time

editversions.cgi

@@ -128,6 +128,9 @@ if ($action eq 'new') {
     # Cleanups and valididy checks
     $version_name || ThrowUserError('version_blank_name');
 
+    # Remove unprintable characters
+    $version_name = clean_text($version_name);
+
     my $version = new Bugzilla::Version($product->id, $version_name);
     if ($version) {
         ThrowUserError('version_already_exists',
@@ -240,6 +243,10 @@ if ($action eq 'edit') {
 if ($action eq 'update') {
 
     $version_name || ThrowUserError('version_not_specified');
+
+    # Remove unprintable characters
+    $version_name = clean_text($version_name);
+
     my $version_old_name = trim($cgi->param('versionold') || '');
     my $version_old =
         Bugzilla::Version::check_version($product,