[project @ 2002-11-06 18:18:59 by cjwatson]

Prevent people from reading the first line of arbitrary files through
bugreport.cgi.

diff --git a/cgi/bugreport.cgi b/cgi/bugreport.cgi
index a5b57d0bedc7822513f3ffabcce38836a137c4ab..7719933ae95f96f84fa8949d6c100574b014b990 100755 (executable)
--- a/cgi/bugreport.cgi
+++ b/cgi/bugreport.cgi
@@ -24,6 +24,8 @@ my %maintainer = %{getmaintainers()};
 my %pkgsrc = %{getpkgsrc()};
 
 my $ref = $param{'bug'} || quit("No bug number");
+$ref =~ /(\d+)/ or quit("Invalid bug number");
+$ref = $1;
 my $msg = $param{'msg'} || "";
 my $att = $param{'att'};
 my $boring = ($param{'boring'} || 'no') eq 'yes'; 

diff --git a/debian/changelog b/debian/changelog
index 029368fa88b7d097b071532cf300a10dcf613454..edbce786f2164dcc8ebc9503f53fe70babefe752 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -77,6 +77,8 @@ debbugs (2.4) experimental; urgency=low
     package name, closes: #93433. [Colin]
   * Remove support for -fixed address from receive, since nothing else
     supports it. [Colin]
+  * Prevent people from reading the first line of arbitrary files through
+    bugreport.cgi, thanks to Max <rusmir@tula.net>. [Colin]
   * Fix a few typos, closes: #146745, #152751.
   * Various other things, not worth mentioning here.