diff options
| author |   Frédéric Buclin <LpSolit@gmail.com> | 2012-11-13 18:55:31 +0100 |
|---|---|---|
| committer | Frédéric Buclin <LpSolit@gmail.com> | 2012-11-13 18:55:31 +0100 |
| commit | 5d80ee9fbb955a77899325b56f1a574e2ff8c410 (patch) | |
| tree | 198c8d153df0f290f9dc9d9991286c882cb4510c /report.cgi | |
| parent | Bug 808845 (CVE-2012-5475): [SECURITY] Security vulnerability in YUI's swfsto... (diff) | |
| download | bugzilla-5d80ee9fbb955a77899325b56f1a574e2ff8c410.tar.gz bugzilla-5d80ee9fbb955a77899325b56f1a574e2ff8c410.tar.bz2 bugzilla-5d80ee9fbb955a77899325b56f1a574e2ff8c410.zip | |
Bug 790296 (CVE-2012-4189): [SECURITY] Field values are not escaped correctly in tabular reports
r=dkl a=LpSolit
Diffstat (limited to 'report.cgi')
| -rwxr-xr-x | report.cgi | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/report.cgi b/report.cgi index 9c228be52..4e06c1169 100755 --- a/report.cgi +++ b/report.cgi @@ -386,5 +386,5 @@ sub get_field_restrictions { my $field = shift; my $cgi = Bugzilla->cgi; - return join('&', map {"$field=$_"} $cgi->param($field)); + return join('&', map {url_quote($field) . '=' . url_quote($_)} $cgi->param($field)); } |