Prevent cross-site image requests from leaking contents of certain fields due to regex search
Categories: Bugzilla :: Reporting/Charting, defect
People: Reporter: hofusec, Assigned: dylan
Details: 4 keywords, Whiteboard: [reporter-external] [web-bounty-form] [verif?]
Attachments: 4 files, 15 obsolete files
37.02 KB, image/png
4.80 KB, patch (dkl: review+)
3.60 KB, patch (jfearn: review+)
3.54 KB, patch
Comment 51 • 6 years ago
Hello,
Looks like this fix prevents updating Bugzilla from version 4.4.12 to 4.4.13. Problem with: ^ (*COMMIT)
patch -p1 < bugzilla-4.4.12-to-4.4.13-nodocs.diff
patching file Bugzilla/CGI.pm
patching file Bugzilla/Constants.pm
patching file Bugzilla/DB/Sqlite.pm
patching file attachment.cgi
patching file taskgraph.json
patching file template/en/default/pages/release-notes.html.tmpl
./checksetup.pl
- This is Bugzilla 4.4.13 on perl 5.8.8
- Running on Linux 2.6.18-xenU-ec2-v1.0 #2 SMP Tue Feb 19 10:51:53 EST 2008
Checking perl modules...
Checking for CGI.pm (v3.51) ok: found v4.21
Checking for Digest-SHA (any) ok: found v5.95
Checking for TimeDate (v2.23) ok: found v2.24
Checking for DateTime (v0.28) ok: found v1.20
Checking for DateTime-TimeZone (v0.71) ok: found v1.93
Checking for DBI (v1.54) ok: found v1.634
Checking for Template-Toolkit (v2.22) ok: found v2.22
Checking for Email-Send (v2.04) ok: found v2.198
Checking for Email-MIME (v1.904) ok: found v1.936
Checking for URI (v1.37) ok: found v1.69
Checking for List-MoreUtils (v0.32) ok: found v0.413
Checking for Math-Random-ISAAC (v1.0.1) ok: found v1.004
Checking available perl DBD modules...
Checking for DBD-Pg (v2.7.0) not found
Checking for DBD-mysql (v4.001) ok: found v4.032
Checking for DBD-SQLite (v1.29) not found
Checking for DBD-Oracle (v1.19) not found
The following Perl modules are optional:
Checking for GD (v1.20) ok: found v2.45
Checking for Chart (v2.1.0) ok: found v2.4.1
Checking for Template-GD (any) ok: found v1.56
Checking for GDTextUtil (any) ok: found v0.86
Checking for GDGraph (any) ok: found v1.44
Checking for MIME-tools (v5.406) ok: found v5.427
Checking for libwww-perl (any) ok: found v5.834
Checking for XML-Twig (any) not found
Checking for PatchReader (v0.9.6) ok: found v0.9.6
Checking for perl-ldap (any) ok: found v0.39
Checking for Authen-SASL (any) ok: found v2.10
Checking for Net-SMTP-SSL (v1.01) ok: found v1.01
Checking for RadiusPerl (any) not found
Checking for SOAP-Lite (v0.712) ok: found v1.11
Checking for XMLRPC-Lite (v0.712) not found
Checking for JSON-RPC (any) not found
Checking for JSON-XS (v2.0) not found
Checking for Test-Taint (any) ok: found v1.06
Checking for HTML-Parser (v3.40) ok: found v3.71
Checking for HTML-Scrubber (any) ok: found v0.08
Checking for Encode (v2.21) ok: found v2.78
Checking for Encode-Detect (any) not found
Checking for Email-Reply (any) ok: found v1.202
Checking for HTML-FormatText-WithLinks (v0.13) not found
Checking for TheSchwartz (v1.07) not found
Checking for Daemon-Generic (any) not found
Checking for File-Slurp (v9999.13) not found
Checking for mod_perl (v1.999022) ok: found v2.000005
Checking for Apache-SizeLimit (v0.96) not found
Checking for File-MimeInfo (any) not found
Checking for IO-stringy (any) ok: found v2.110
Checking for mod_headers (any) ok
Checking for mod_expires (any) ok
Checking for mod_env (any) ok
OPTIONAL MODULES
Certain Perl modules are not required by Bugzilla, but by installing the latest version you gain access to additional features.
The optional modules you do not have installed are listed below, with the name of the feature they enable. Below that table are the commands to install each module.

MODULE NAME                 ENABLES FEATURE(S)
XML-Twig                    Move Bugs Between Installations, Automatic Update Notifications
RadiusPerl                  RADIUS Authentication
XMLRPC-Lite                 XML-RPC Interface
JSON-RPC                    JSON-RPC Interface
JSON-XS                     Make JSON-RPC Faster
Encode-Detect               Automatic charset detection for text attachments
HTML-FormatText-WithLinks   Inbound Email
TheSchwartz                 Mail Queueing
Daemon-Generic              Mail Queueing
File-Slurp                  Mail Queueing
Apache-SizeLimit            mod_perl
File-MimeInfo               Sniff MIME type of attachments
COMMANDS TO INSTALL OPTIONAL MODULES:
XML-Twig: /usr/bin/perl install-module.pl XML::Twig
RadiusPerl: /usr/bin/perl install-module.pl Authen::Radius
XMLRPC-Lite: /usr/bin/perl install-module.pl XMLRPC::Lite
JSON-RPC: /usr/bin/perl install-module.pl JSON::RPC
JSON-XS: /usr/bin/perl install-module.pl JSON::XS
Encode-Detect: /usr/bin/perl install-module.pl Encode::Detect
HTML-FormatText-WithLinks: /usr/bin/perl install-module.pl HTML::FormatText::WithLinks
TheSchwartz: /usr/bin/perl install-module.pl TheSchwartz
Daemon-Generic: /usr/bin/perl install-module.pl Daemon::Generic
File-Slurp: /usr/bin/perl install-module.pl File::Slurp
Apache-SizeLimit: /usr/bin/perl install-module.pl Apache2::SizeLimit
File-MimeInfo: /usr/bin/perl install-module.pl File::MimeInfo::Magic
To attempt an automatic install of every required and optional module
with one command, do:
/usr/bin/perl install-module.pl --all
Quantifier follows nothing in regex; marked by <-- HERE in m/
^ (* <-- HERE COMMIT) # COMMIT makes the regex faster
# by preventing back-tracking. see also perldoc pelre.
# application/x-javascript, xml, atom+xml, rdf+xml, xml-dtd, and json
(?: application/ (?: x(?: -javascript | ml (?: -dtd )? )
| (?: atom | rdf) + xml
| json )
# text/csv, text/calendar, text/plain, and text/html
| text/ (?: c (?: alendar | sv )
| plain
| html )
# used for HTTP push responses
| multipart/x-mixed-replace)
/ at Bugzilla/CGI.pm line 306, <DATA> line 275.
Compilation failed in require at Bugzilla.pm line 25, <DATA> line 275.
BEGIN failed--compilation aborted at Bugzilla.pm line 25, <DATA> line 275.
Compilation failed in require at ./checksetup.pl line 73, <DATA> line 275.
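The failure reported in comment 51 is a Perl-version dependency: the backtracking-control verbs such as (*COMMIT) were introduced in Perl 5.10, so on the Perl 5.8.8 shown in the checksetup output the pattern in Bugzilla/CGI.pm does not compile at all. The following script is an added example, not code from the bug report or from Bugzilla itself. It detects whether the running perl supports (*COMMIT), and restates the content-type allowlist quoted in the error output without the verb so that it compiles on 5.8 as well. The function names commit_verb_supported and is_allowed_content_type and the sample content types are constructed for this example; what Bugzilla does with a match or non-match is not shown on this page. One detail worth checking against your own copy of CGI.pm: under the /x modifier an unescaped "+" after a group is a quantifier, so matching the literal plus in "atom+xml" needs "\+"; the copy quoted in the error output above shows it unescaped, which may be extraction damage.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's own code. Reproduces the Perl-version
# dependency behind the "Quantifier follows nothing" error and shows the
# same content-type allowlist written so it compiles on Perl 5.8 too.
use strict;
use warnings;

# (*COMMIT) and the other backtracking verbs appeared in Perl 5.10. Compiling
# the pattern from a string (string eval) turns the compile-time failure on
# older perls into a testable value instead of aborting the whole program at
# BEGIN time, which is what a literal qr// would do (and what checksetup.pl hit).
sub commit_verb_supported {
    my $re = eval 'qr/^(*COMMIT)x/';
    return defined $re ? 1 : 0;
}

# Same allowlist as the pattern quoted in the error output, minus (*COMMIT).
# With a leading ^ and no /m the engine can only try position 0, so the verb
# bought nothing here: a failed alternation fails the whole match anyway.
# Note the escaped \+ : under /x a bare "+" would quantify the preceding group
# rather than match the literal plus in "atom+xml".
# The pattern has no end anchor, so it is a prefix match; that is what lets
# "text/html; charset=UTF-8" through, but it also admits e.g. "text/htmlx".
my $ALLOWED_CONTENT_TYPE = qr{
    ^
    (?: application/ (?: x(?: -javascript | ml (?: -dtd )? )
                      | (?: atom | rdf ) \+ xml
                      | json )
      | text/ (?: c (?: alendar | sv ) | plain | html )
      | multipart/x-mixed-replace
    )
}x;

sub is_allowed_content_type {
    my ($ct) = @_;
    return $ct =~ $ALLOWED_CONTENT_TYPE ? 1 : 0;
}

# Constructed sample inputs: the first group is what the allowlist accepts,
# the second is what it rejects (including the image type from the bug title).
my @cases = (
    [ 'text/html; charset=UTF-8'   => 1 ],
    [ 'text/csv'                   => 1 ],
    [ 'application/atom+xml'       => 1 ],
    [ 'application/xml-dtd'        => 1 ],
    [ 'application/json'           => 1 ],
    [ 'multipart/x-mixed-replace'  => 1 ],
    [ 'image/png'                  => 0 ],
    [ 'application/octet-stream'   => 0 ],
    [ 'text/x-shellscript'         => 0 ],   # "text/" alone is not enough
);

printf "(*COMMIT) supported on perl %vd: %s\n",
    $^V, commit_verb_supported() ? 'yes' : 'no';

for my $case (@cases) {
    my ($ct, $want) = @$case;
    my $got = is_allowed_content_type($ct);
    printf "%-4s %-28s allowed=%d\n", ($got == $want ? 'ok' : 'FAIL'), $ct, $got;
}
```

Run it with the perl that will execute checksetup.pl (the one on the shebang line, /usr/bin/perl in the output above): if the first line reports "no", a 4.4.13 CGI.pm containing (*COMMIT) will not load on that interpreter, and dropping the verb as shown is behaviour-preserving because the leading ^ already pins the match to offset 0.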