Open Bug 1057875 Opened 10 years ago Updated 9 years ago

reports.cgi can't handle whitespace in bug status

Categories

(Bugzilla :: Reporting/Charting, defect)

4.4.5
defect
Not set
normal

People

(Reporter: mva, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140804192227

Steps to reproduce:

If a bug status with whitespace (e.g. "Approval Needed") is used in a Bugzilla installation, selecting the dataset in reports.cgi (Old Charts) will result in an "Invalid datasets Approval Needed. Only digits, letters and colons are allowed." error.

1) Create a bug status "Approval Needed"
2) Execute collectstats.pl to update the datasets
3) Select Reports -> Old charts
4) Select "Approval Needed" from the Chart datasets
5) Click Continue


Actual results:

The error message "Invalid datasets Approval Needed. Only digits, letters and colons are allowed." occurs.


Expected results:

A chart should be printed. As it seems, the regexp in reports.cgi, line 84ff

if (grep { $_ !~ /^[A-Za-z0-9:_-]+$/ } @datasets) {
        ThrowUserError('invalid_datasets', {'datasets' => \@datasets});
}

does not permit whitespace. This should be changed.

Confirmed. The security checks for old charts should be refactored a bit. The regexp you mention in your comment 0 also doesn't understand Unicode characters. It was written well before admins were allowed to customize the bug statuses and resolutions. One of the reasons nobody paid attention to this is that bug 232113 suggests killing old charts entirely.
Status: UNCONFIRMED → NEW
Ever confirmed: true
After some investigation of bug 419014, which introduced the limitation, I assume that this won't cause a security risk, since bug 419014 tackled a different issue with guessing URLs and accessing chart information. Since those are (somewhat) fixed, allowing whitespace characters in the form

if (grep { $_ !~ /^[A-Za-z0-9:_-\s]+$/ } @datasets) {
        ThrowUserError('invalid_datasets', {'datasets' => \@datasets});
}

should not be a problem, should it?
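
The following is an added example, not part of the bug thread or of Bugzilla's code. It runs the check quoted in comment 0, the `\s` variant proposed above, and a Unicode-aware allow-list over the same names, to show what each one rejects. The third pattern, the helper names and all sample values are assumptions made for illustration, and the allow-list assumes the dataset names have already been decoded to Perl character strings.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use utf8;                               # sample strings below contain non-ASCII text
binmode(STDOUT, ':encoding(UTF-8)');

my @checks = (
    # The check from reports.cgi as quoted in comment 0.
    [ 'original (comment 0)' => qr/^[A-Za-z0-9:_-]+$/ ],
    # The variant proposed in the thread. "_-\s" is not a valid range, so Perl
    # warns ("False [] range") and treats '-' as a literal; the warning is
    # silenced here only so the pattern can be shown unchanged. \s matches
    # tabs and newlines as well as spaces.
    [ 'proposed (\s)' => do { no warnings 'regexp'; qr/^[A-Za-z0-9:_-\s]+$/ } ],
    # Hypothetical allow-list: Unicode letters and digits, ':', '_', a literal
    # space, and '-' placed last so it cannot form a range. \A and \z anchor
    # the whole string, so a trailing newline is not accepted as it is by '$'.
    [ 'allow-list (assumed)' => qr/\A[\p{L}\p{N}:_ -]+\z/ ],
);

# Same shape as the grep in reports.cgi: return the names that fail the pattern.
sub invalid_datasets {
    my ($pattern, @datasets) = @_;
    return grep { $_ !~ $pattern } @datasets;
}

# Render a name with newlines made visible.
sub show {
    my ($name) = @_;
    $name =~ s/\n/\\n/g;
    return qq{"$name"};
}

# Constructed sample dataset names, not taken from a real installation.
my @samples = (
    'NEW',
    'Approval Needed',
    'Genehmigung nötig',
    "Approval\nNeeded",
    '../data',
    'a/b',
);

for my $check (@checks) {
    my ($label, $pattern) = @$check;
    my @bad = invalid_datasets($pattern, @samples);
    printf "%-22s rejects: %s\n", $label,
        join(', ', map { show($_) } @bad) || '(none)';
}
```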