$rankdir should be validated in showdependencygraph.cgi

RESOLVED FIXED in Bugzilla 2.22

Status

Product: Bugzilla
Component: Creating/Changing Bugs
Status: RESOLVED FIXED
Reported: 12 years ago
Modified: 12 years ago

People

Reporter: Frédéric Buclin
Assignee: Frédéric Buclin

Tracking

Version: 2.23
Target Milestone: Bugzilla 2.22
Bug Flags:
approval +
blocking3.0 -
approval2.22 +

Attachments (2)

Description (Assignee, 12 years ago)
Valid values are LR and TB only. Currently, showdependencygraph.cgi lets you inject any code into the generated .dot file. No idea if you can do any harm with it, though.
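The check the report asks for, as an added example that is not Bugzilla's own code and not the attached patch: an allow-list on the rankdir parameter, with a hypothetical throw_code_error stub standing in for Bugzilla's error handling, and the unvalidated string-interpolation shape shown next to the validated one on a constructed injection payload.

```perl
#!/usr/bin/perl
# Added example (not Bugzilla's code): validate rankdir before it reaches
# the Graphviz .dot file that showdependencygraph.cgi generates.
use strict;
use warnings;

# Hypothetical stand-in for Bugzilla's ThrowCodeError: abort the request
# instead of emitting the tainted value.
sub throw_code_error {
    my ($err, $vars) = @_;
    die "Code error: $err (rankdir=$vars->{rankdir})\n";
}

# Allow-list check. Only the two values the CGI offers are accepted; anything
# else is rejected rather than "cleaned", since there is no safe way to
# sanitise arbitrary text that is about to be interpolated into a dot file.
sub validate_rankdir {
    my ($rankdir) = @_;
    $rankdir = 'TB' unless defined $rankdir && length $rankdir;
    throw_code_error('invalid_rankdir', { rankdir => $rankdir })
        unless $rankdir eq 'LR' || $rankdir eq 'TB';
    return $rankdir;
}

# Vulnerable shape: the raw CGI parameter goes straight into the dot header,
# so a value containing newlines adds arbitrary dot statements.
sub dot_header_unvalidated {
    my ($rankdir) = @_;
    return "digraph G {\n  rankdir=$rankdir\n";
}

# Fixed shape: validate first, then interpolate the known-good value.
sub dot_header_validated {
    my ($rankdir) = @_;
    my $safe = validate_rankdir($rankdir);
    return "digraph G {\n  rankdir=$safe\n";
}

# Constructed inputs: a legitimate value and an injection attempt that
# smuggles extra dot statements after a valid-looking prefix.
my @inputs = ('LR', "TB\n  node [shape=box];\n  evil -> \"x\"");
for my $in (@inputs) {
    print "--- input: ", (split /\n/, $in)[0], "\n";
    print "unvalidated:\n", dot_header_unvalidated($in);
    my $out = eval { dot_header_validated($in) };
    print $@ ? "validated: rejected: $@" : "validated:\n$out";
}
```

Run it with `perl` to see the second input pass through unchanged in the unvalidated form and be rejected in the validated form. The point of the allow-list over a regex "cleanup" is that the set of legal values is tiny and known, so anything outside it is an error, not something to repair.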

Comment 1 (Assignee, 12 years ago)
Note that you can easily fill the error log of your web server by injecting invalid data.
Flags: blocking3.0?

Comment 2 (12 years ago)
This isn't a blocker unless we can prove it does other damage than printing warnings. However, we still definitely should fix it.
Flags: blocking3.0? → blocking3.0-

Comment 3 (Assignee, 12 years ago)
Created attachment 242924
patch for tip, v1
Assignee: create-and-change → LpSolit
Status: NEW → ASSIGNED
Attachment #242924 - Flags: review?(mkanat)

Comment 4 (Assignee, 12 years ago)
Created attachment 242926
patch for 2.22.1, v1

Better safe than sorry. Let's check this param on 2.22 too.
Attachment #242926 - Flags: review?(mkanat)

Updated (Assignee, 12 years ago)
Target Milestone: Bugzilla 3.0 → Bugzilla 2.22

Comment 5 (12 years ago)
Comment on attachment 242924
patch for tip, v1

r=bkor by inspection
Attachment #242924 - Flags: review?(mkanat) → review+

Comment 6 (12 years ago)
Comment on attachment 242926
patch for 2.22.1, v1

r=bkor by inspection
Attachment #242926 - Flags: review?(mkanat) → review+

Updated (12 years ago)
Flags: approval?

Updated (Assignee, 12 years ago)
Flags: approval2.22?
Flags: approval? → approval+
Flags: approval2.22? → approval2.22+

Comment 7 (Assignee, 12 years ago)
tip:

Checking in showdependencygraph.cgi;
/cvsroot/mozilla/webtools/bugzilla/showdependencygraph.cgi,v  <--  showdependencygraph.cgi
new revision: 1.55; previous revision: 1.54
done


2.22.1:

Checking in showdependencygraph.cgi;
/cvsroot/mozilla/webtools/bugzilla/showdependencygraph.cgi,v  <--  showdependencygraph.cgi
new revision: 1.48.2.2; previous revision: 1.48.2.1
done
Status: ASSIGNED → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED