diff options
| author |   Frédéric Buclin <LpSolit@gmail.com> | 2013-02-19 18:26:26 +0100 |
|---|---|---|
| committer | Frédéric Buclin <LpSolit@gmail.com> | 2013-02-19 18:26:26 +0100 |
| commit | 46e6c1c542075692fd137823c81507c5d299a6b9 (patch) | |
| tree | 779f4d2ff17548b2a41d8863977bb58fde1a3b59 /show_bug.cgi | |
| parent | Bug 824399: (CVE-2013-0786) [SECURITY] build_subselect() leaks the existence ... (diff) | |
| download | bugzilla-46e6c1c542075692fd137823c81507c5d299a6b9.tar.gz bugzilla-46e6c1c542075692fd137823c81507c5d299a6b9.tar.bz2 bugzilla-46e6c1c542075692fd137823c81507c5d299a6b9.zip | |
Bug 842038: (CVE-2013-0785) [SECURITY] XSS in show_bug.cgi when using an invalid page format
r=glob a=LpSolit
Diffstat (limited to 'show_bug.cgi')
| -rwxr-xr-x | show_bug.cgi | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/show_bug.cgi b/show_bug.cgi index 10d35956d..846cf64d5 100755 --- a/show_bug.cgi +++ b/show_bug.cgi @@ -22,9 +22,11 @@ my $vars = {}; my $user = Bugzilla->login(); +my $format = $template->get_format("bug/show", scalar $cgi->param('format'), + scalar $cgi->param('ctype')); + # Editable, 'single' HTML bugs are treated slightly specially in a few places -my $single = !$cgi->param('format') - && (!$cgi->param('ctype') || $cgi->param('ctype') eq 'html'); +my $single = !$format->{format} && $format->{extension} eq 'html'; # If we don't have an ID, _AND_ we're only doing a single bug, then prompt if (!$cgi->param('id') && $single) { @@ -34,9 +36,6 @@ if (!$cgi->param('id') && $single) { exit; } -my $format = $template->get_format("bug/show", scalar $cgi->param('format'), - scalar $cgi->param('ctype')); - my (@bugs, @illegal_bugs); my %marks; @@ -126,5 +125,5 @@ $vars->{'displayfields'} = \%displayfields; print $cgi->header($format->{'ctype'}); -$template->process("$format->{'template'}", $vars) +$template->process($format->{'template'}, $vars) || ThrowTemplateError($template->error()); |