Closed
Bug 38855
Opened 24 years ago
Closed 23 years ago
showvotes.cgi needs to escape (untrusted) url params
Categories
(Bugzilla :: Bugzilla-General, defect, P3)
Tracking
()
RESOLVED
FIXED
Bugzilla 2.14
People
(Reporter: jruderman, Assigned: myk)
References
()
Details
(Whiteboard: security)
Attachments
(2 files)
3.28 KB,
patch
|
Details | Diff | Splinter Review | |
3.51 KB,
patch
|
Details | Diff | Splinter Review |
No description provided.
Updated•23 years ago
|
Whiteboard: 2.14
Comment 1•23 years ago
|
||
moving to real milestones...
Whiteboard: 2.14
Target Milestone: --- → Bugzilla 2.14
Assignee | ||
Updated•23 years ago
|
Status: NEW → ASSIGNED
Assignee | ||
Comment 3•23 years ago
|
||
Comment 4•23 years ago
|
||
What about a subroutine ErrorExit(Title, ErrMsg) for these lines: + print "Content-type: text/html\n\n"; + PutHeader($Title); + print "<p>$ErrMsg<p>\n"; + PutFooter(); + exit; This could be useful elsewhere, too...
Comment 5•23 years ago
|
||
I'm not sure that it needs to validate the bug number/UID against the database... I think it'd probably be enough that it made sure it was a number. But I suppose taking the validation the next step does allow for better error messages, and it does only validate the one that "matters". So, all in all, I'd say r=jake
Assignee | ||
Comment 7•23 years ago
|
||
Assignee | ||
Comment 8•23 years ago
|
||
Jake, could you re-review my new patch?
Comment 9•23 years ago
|
||
Using the Param("errorhtml")... nice touch :) r=jake
Comment 10•23 years ago
|
||
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 11•23 years ago
|
||
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Reporter | ||
Updated•21 years ago
|
Whiteboard: security
Updated•11 years ago
|
QA Contact: matty_is_a_geek → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•