Found in chart.cgi:
    print "Location: query.cgi?format=" . $cgi->param('query_format') . ($params ? "&$params" : "") . "\n\n";
    print "Location: buglist.cgi" . ($params ? "?$params" : "") . "\n\n";
We should use $cgi->redirect instead.
This is another bug similar to bug 591165. Due to the use of Location:, header-injection is easily possible.
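An added example, not part of the bug thread or of the Bugzilla patch: it rebuilds the first Location: line quoted above and counts the header lines that result from a constructed query_format value, next to a form that percent-encodes the parameter first. The helper names (escape_param, location_unsafe, location_safe, header_lines) and the sample value are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Percent-encode everything outside the RFC 3986 unreserved set, so CR and LF
# become %0D and %0A and can no longer terminate the header line.
sub escape_param {
    my ($value) = @_;
    utf8::encode($value) if utf8::is_utf8($value);
    $value =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $value;
}

# The pattern reported in chart.cgi: the raw parameter is concatenated
# straight into the Location: header.
sub location_unsafe {
    my ($query_format) = @_;
    return "Location: query.cgi?format=" . $query_format . "\n\n";
}

# Hardened form (an assumption for this example, not the committed patch):
# the parameter is encoded before it reaches the header.
sub location_safe {
    my ($query_format) = @_;
    return "Location: query.cgi?format=" . escape_param($query_format) . "\n\n";
}

# Count the header lines in a response head (text before the first blank line).
sub header_lines {
    my ($response) = @_;
    my ($head) = split /\r?\n\r?\n/, $response, 2;
    return scalar grep { length } split /\r?\n/, $head;
}

# Constructed input: a format value that contains a line break.
my $constructed = "specific\nX-Added-By-Input: 1";

for my $case (['unsafe', location_unsafe($constructed)],
              ['safe',   location_safe($constructed)]) {
    my ($name, $response) = @$case;
    printf "%-6s header lines: %d\n", $name, header_lines($response);
    print  "       $_\n" for grep { length } split /\n/, $response;
}
```

A server log check for %0D or %0A in the query_format parameter of chart.cgi requests covers the same condition on the detection side.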
Created attachment 499986: patch - v1
This should work, but should I be using |-uri => correct_urlbase() . "blah.cgi"| instead, or is this fine? We seem to vary on usage one way or another throughout the codebase.
Call this one CVE-2010-4572.
(In reply to comment #2)
> This should work, but should I be using |-uri => correct_urlbase() .
> "blah.cgi"| instead, or is this fine? We seem to vary on usage one way or
> another throughout the codebase.
http://search.cpan.org/~lds/CGI.pm-3.50/lib/CGI.pm#GENERATING_A_REDIRECTION_HEADER recommends using full URLs, not relative ones: "You should always use full URLs (including the http: or ftp: part) in redirection requests. Relative URLs will not work correctly."
For now you should be using $cgi->url to generate a full URL, unless $cgi->redirect does that internally.
Comment on attachment 499986: patch - v1
Okay, this is actually what buglist.cgi does already, so this is fine.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified chart.cgi
Committed revision 7673.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified chart.cgi
Committed revision 7530.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.6/
modified chart.cgi
Committed revision 7223.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.4/
modified chart.cgi
Committed revision 6790.
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.2/
modified chart.cgi
Committed revision 6411.
Security advisory sent. Removing the security flag.