showvotes.cgi needs to escape (untrusted) url params

RESOLVED FIXED in Bugzilla 2.14

Status


Bugzilla
Bugzilla-General
P3
normal
RESOLVED FIXED
18 years ago
5 years ago

People

(Reporter: Jesse Ruderman, Assigned: myk)

Tracking

unspecified
Bugzilla 2.14
Other
Other

Details

(Whiteboard: security, URL)

Attachments

(2 attachments)

(Reporter)

Updated

18 years ago
Blocks: 38852
Whiteboard: 2.14
moving to real milestones...
Whiteboard: 2.14
Target Milestone: --- → Bugzilla 2.14
(Assignee)

Comment 2

17 years ago
-> myself & I have a patch
Assignee: tara → myk
Keywords: patch
(Assignee)

Updated

17 years ago
Status: NEW → ASSIGNED
(Assignee)

Comment 3

17 years ago
Created attachment 33256 [details] [diff] [review]
validates user, bug_id, and voteon parameters

Comment 4

17 years ago
What about a subroutine ErrorExit(Title, ErrMsg) for these lines:
+    print "Content-type: text/html\n\n";
+    PutHeader($Title);
+    print "<p>$ErrMsg<p>\n";
+    PutFooter();
+    exit;
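Review bot: `$ErrMsg` is interpolated straight into `print "<p>$ErrMsg<p>\n"`; since this bug is about escaping untrusted URL parameters, any error message that echoes a parameter value back to the user should pass through an HTML escape before it reaches this print, whether it stays inline or moves into the suggested ErrorExit subroutine. The trailing `<p>` also opens a second paragraph instead of closing the first; `<p>$ErrMsg</p>` is the intended markup.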

This could be useful elsewhere, too...

Comment 5

17 years ago
I'm not sure that it needs to validate the bug number/UID against the
database... I think it'd probably be enough that it made sure it was a number.
But I suppose taking the validation the next step does allow for better error
messages, and it does only validate the one that "matters".

So, all in all, I'd say r=jake
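The validation discussed in comment 5, as an added example and not the patch's own code: a minimal Perl CGI fragment that accepts bug_id and voteon only as runs of digits, and routes every failure through one DisplayError-style helper (the name from comment 7) that HTML-escapes the message before printing it. The helper body, the html_quote routine and the plain-text output at the end are assumptions; the database existence check comment 5 mentions is left out.

```perl
#!/usr/bin/perl -w
use strict;
use CGI;

my $cgi = CGI->new;

# Escape the characters that would let echoed text become markup.
sub html_quote {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Single exit path for errors (assumed body; Bugzilla's own DisplayError
# differs), replacing the repeated print/PutHeader/exit block from comment 4.
sub DisplayError {
    my ($msg, $title) = @_;
    $title = 'Error' unless defined $title;
    print $cgi->header(-type => 'text/html');
    print '<html><head><title>', html_quote($title), "</title></head><body>\n";
    print '<p>', html_quote($msg), "</p>\n";
    print "</body></html>\n";
    exit;
}

# Accept a parameter only as a non-empty run of ASCII digits. The rejected
# value is echoed in the message, which is why DisplayError must escape it.
sub numeric_param {
    my ($name, $required) = @_;
    my $value = $cgi->param($name);
    if (!defined $value || $value eq '') {
        DisplayError("The $name parameter is required.") if $required;
        return undef;
    }
    DisplayError("The $name parameter must be a number, but '$value' is not.")
        unless $value =~ /\A[0-9]+\z/;
    return $value;    # digits only from here on
}

my $bug_id = numeric_param('bug_id', 1);   # required
my $voteon = numeric_param('voteon', 0);   # optional

print $cgi->header(-type => 'text/plain');
print "bug_id=$bug_id voteon=", (defined $voteon ? $voteon : 'none'), "\n";
```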

Comment 6

17 years ago
*** Bug 39537 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 7

17 years ago
Created attachment 33749 [details] [diff] [review]
uses DisplayError function to simplify display of errors
(Assignee)

Comment 8

17 years ago
Jake, could you re-review my new patch?

Comment 9

17 years ago
Using the Param("errorhtml")... nice touch :)

r=jake
Checked in.
Status: ASSIGNED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
(Reporter)

Updated

14 years ago
Whiteboard: security
QA Contact: matty_is_a_geek → default-qa