Closed Bug 664100 Opened 11 years ago Closed 11 years ago

sanitize function not complete

Categories

(Tree Management Graveyard :: TBPL, defect)

Type: defect
Priority: Not set
Severity: critical

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: rforbes, Unassigned)

Details

(Whiteboard: [infrasec:input][ws:high])

issue
------
Data is being inserted into Bugzilla without any validation.

Code Examples
--------------

file submitBugzillaComment.php

function sanitize($str) {
  // Remove UTF-8 non-breaking space character sequences (0xc2a0), and
  // replace them with normal spaces. Nothing else in $str is checked
  // or altered.
  return str_replace(chr(0xc2) . chr(0xa0), ' ', $str);
}


suggested remediation
---------------------
All data should be validated before being submitted to Bugzilla.
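
Added example (not code from TBPL, and not part of this report) to make concrete what "not complete" means for the function quoted above. sanitize() is reproduced from the report; validateComment(), its byte limit, its character rules and the sample strings are this example's own assumptions and do not exist in submitBugzillaComment.php. The example runs sanitize() over a few constructed inputs and shows that it only rewrites the two-byte encoding of U+00A0, while malformed UTF-8 and control bytes pass through untouched: the function normalizes one sequence, it does not validate the string.

```php
<?php
// Added example; not part of TBPL's submitBugzillaComment.php.
// sanitize() is reproduced from the bug report. validateComment(), its
// limits and the sample strings are assumptions made for this example.

// As on the page: only the UTF-8 encoding of U+00A0 (bytes 0xC2 0xA0) is
// rewritten. Nothing else about the string is checked or changed.
function sanitize($str) {
    return str_replace(chr(0xc2) . chr(0xa0), ' ', $str);
}

// Hypothetical validator (this example's assumption, not TBPL code). Returns
// null when the comment is acceptable, otherwise a string naming the problem.
function validateComment($str, $maxBytes = 65535) {
    if (!is_string($str) || $str === '') {
        return 'empty comment';
    }
    if (strlen($str) > $maxBytes) {
        return "comment exceeds $maxBytes bytes";
    }
    // Reject byte sequences that are not well-formed UTF-8 (needs mbstring).
    if (!mb_check_encoding($str, 'UTF-8')) {
        return 'comment is not well-formed UTF-8';
    }
    // Reject C0 control characters and DEL, except tab, LF and CR.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $str)) {
        return 'comment contains control characters';
    }
    return null;
}

// Constructed sample inputs (not real comments submitted through TBPL).
$samples = array(
    'nbsp'     => "Needs\xC2\xA0review",   // U+00A0 between the words
    'bad-utf8' => "Needs\xC2review",       // lead byte with no continuation byte
    'control'  => "Needs\x00review",       // NUL byte: valid UTF-8, not printable
    'plain'    => "Needs review\n",        // ordinary text with a newline
);

foreach ($samples as $label => $input) {
    $cleaned = sanitize($input);
    $verdict = validateComment($cleaned);
    // addcslashes() renders control and high bytes as octal escapes so the
    // effect (or lack of effect) of sanitize() is visible on the console.
    printf("%-8s sanitize() => %-22s validateComment() => %s\n",
        $label,
        addcslashes($cleaned, "\0..\37\177..\377"),
        $verdict === null ? 'ok' : $verdict);
}
```

Run it with the php command-line interpreter (mbstring must be enabled for mb_check_encoding). The nbsp sample is the only one sanitize() changes; the bad-utf8 and control samples come out of sanitize() byte-for-byte as they went in and are caught only by the added validator. Whether such checks belong on the TBPL side at all is what the replies in this bug decide; the example only shows what the submitter-side function covers.
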

What other validation do you want to see here, specifically?

We should be able to deal with all kinds of strings here. The Bugzilla API we're using is public, so any validation will have to happen on Bugzilla's side anyway, so I'm not sure that we need to do anything.

Sorry, I am still somewhat new to Bugzilla. This is an accepted use case, so I will close this bug.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
OK.

Raymond, can you make this bug public, please? I don't have the rights to do that. (Just uncheck the checkbox labeled "Security-Sensitive Webtools Bug" next to the attachments table.)

Group: webtools-security
Blocks: 682914
Product: Webtools → Tree Management
Product: Tree Management → Tree Management Graveyard