Closed
Bug 38855
Opened 25 years ago
Closed 24 years ago
showvotes.cgi needs to escape (untrusted) url params
Categories: Bugzilla :: Bugzilla-General, defect, P3
Tracking: RESOLVED FIXED, Bugzilla 2.14
People: Reporter: jruderman, Assigned: myk
Details: Whiteboard: security
Attachments (2 files): patch (deleted); patch (deleted)
No description provided.
Updated 24 years ago: Whiteboard: 2.14
Comment 1 (24 years ago):
moving to real milestones...
Whiteboard: 2.14
Target Milestone: --- → Bugzilla 2.14
Updated 24 years ago: Status: NEW → ASSIGNED
Comment 3 (24 years ago)
Comment 4 (24 years ago):
What about a subroutine ErrorExit(Title, ErrMsg) for these lines:
+ print "Content-type: text/html\n\n";
+ PutHeader($Title);
+ print "<p>$ErrMsg<p>\n";
+ PutFooter();
+ exit;
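Review bot: `$ErrMsg` is interpolated into the page unescaped at `print "<p>$ErrMsg<p>\n"`; since this bug is about untrusted URL parameters reaching showvotes.cgi's output, any error message that echoes the bug number or UID back to the user should be run through an HTML-escaping routine before it is printed, and `$Title` passed to `PutHeader` needs the same treatment if it can ever carry user input. The paragraph is also never closed; `<p>$ErrMsg</p>` keeps the markup well-formed.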
This could be useful elsewhere, too...
Comment 5 (24 years ago):
I'm not sure that it needs to validate the bug number/UID against the database... I think it'd probably be enough that it made sure it was a number. But I suppose taking the validation the next step does allow for better error messages, and it does only validate the one that "matters".
So, all in all, I'd say r=jake
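A worked model of the two validation layers Jake weighs above (is the parameter a number, does that bug exist) together with the escaping this bug's title asks for, added here in Python rather than the CGI's Perl; it is not Bugzilla's code. The `KNOWN_BUGS` table, the `ERROR_HTML` wrapper (standing in for the Param("errorhtml") hint from comment 9) and the function names are constructed for the example.

```python
import html
import re

# Constructed stand-in for the bugs table showvotes.cgi would query.
KNOWN_BUGS = {38855, 40001}

# Constructed stand-in for the site-configurable Param("errorhtml") wrapper.
ERROR_HTML = "<html><body><h1>{title}</h1>{body}</body></html>"


class ErrorExit(Exception):
    """Raised instead of calling exit so the page can be inspected and tested."""

    def __init__(self, title, err_msg):
        super().__init__(err_msg)
        self.title = title
        # Every interpolated value is escaped before it reaches the page.
        self.page = ERROR_HTML.format(title=html.escape(title),
                                      body=f"<p>{html.escape(err_msg)}</p>")


def error_exit(title, err_msg):
    """Counterpart of the ErrorExit(Title, ErrMsg) subroutine proposed in comment 4."""
    raise ErrorExit(title, err_msg)


def validate_bug_id(raw):
    """Layer 1: the URL parameter must be a plain integer.
    Layer 2: it must name a bug the database knows about.
    Both failure messages echo the untrusted value, so they go through error_exit."""
    if raw is None or not re.fullmatch(r"\d+", raw):
        error_exit("Invalid Bug ID", f"The bug id '{raw}' is not a number.")
    bug_id = int(raw)
    if bug_id not in KNOWN_BUGS:
        error_exit("Bug Not Found", f"There is no bug numbered {bug_id}.")
    return bug_id


def show_votes(params):
    """Tiny model of showvotes.cgi's parameter handling; returns the page text."""
    try:
        bug_id = validate_bug_id(params.get("bug_id"))
    except ErrorExit as e:
        return e.page
    return f"<h1>Votes for bug {bug_id}</h1>"


if __name__ == "__main__":
    print(show_votes({"bug_id": "<script>alert(1)</script>"}))
```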
Comment 7 (24 years ago)
Comment 8 (24 years ago):
Jake, could you re-review my new patch?
Comment 9 (24 years ago):
Using the Param("errorhtml")... nice touch :)
r=jake
Comment 10 (24 years ago):
Checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 11 (23 years ago):
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Updated 21 years ago: Whiteboard: security
Updated 12 years ago: QA Contact: matty_is_a_geek → default-qa