Closed Bug 38854 Opened 24 years ago Closed 23 years ago

reports.cgi needs to escape (untrusted) url params

Categories: Bugzilla :: Bugzilla-General, defect, P3
Platform: Other / Other

Tracking: RESOLVED FIXED, Bugzilla 2.14

People: Reporter: jruderman, Assigned: myk

Details: Whiteboard: security

Attachments: 3 files

Note that reports.cgi has several output modes, so this needs to be fixed for
all modes.
Blocks: 38852
Whiteboard: 2.14
moving to real milestones...
Whiteboard: 2.14
Target Milestone: --- → Bugzilla 2.14
-> myk, cuz I have a patch for this
Assignee: tara → myk
Status: NEW → ASSIGNED
Keywords: patch
My biggest problem w/this patch is that if the product is defined, you don't get
the header (because of line 80).  Also, the footers are suppressed.  I realize
that this is mostly by design (the $FORM{'banner'} variable), but I think that
error messages could ignore that flag.

Of course, in theory, these messages should never be seen ;)
The patch I just attached reorganizes the code in reports.cgi so headers and
footers display correctly on errors and removes some crufty error checking code
that is no longer necessary.

I added a function to CGI.pl called "DisplayError" that uses the "errorhtml"
parameter to display validation errors.  It works a lot like PuntTryAgain but it
prints HTTP response and HTML headers, and it doesn't stop execution after it
prints the message in order to make the calling code easier to understand, since:

DisplayError("blah") && exit;

    is a lot more descriptive than:

DisplayError("blah");

Code looks good... I ran a few simple reports (on my 7 bugs ;) and everything
worked.  Tested passing the param mentioned in the URL and got the error...

r=jake
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Whiteboard: security
QA Contact: matty_is_a_geek → default-qa