From 953b68d53cd942c22d36f0c5ce5a2a9a34be6db9 Mon Sep 17 00:00:00 2001
From: cjwatson <>
Date: Wed, 6 Nov 2002 18:18:59 -0800
Subject: [PATCH] [project @ 2002-11-06 18:18:59 by cjwatson]

Prevent people from reading the first line of arbitrary files through bugreport.cgi.
---
 cgi/bugreport.cgi | 2 ++
 debian/changelog | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/cgi/bugreport.cgi b/cgi/bugreport.cgi
index a5b57d0..7719933 100755
--- a/cgi/bugreport.cgi
+++ b/cgi/bugreport.cgi
@@ -24,6 +24,8 @@ my %maintainer = %{getmaintainers()};
 my %pkgsrc = %{getpkgsrc()};
 my $ref = $param{'bug'} || quit("No bug number");
+$ref =~ /(\d+)/ or quit("Invalid bug number");
+$ref = $1;
 my $msg = $param{'msg'} || "";
 my $att = $param{'att'};
 my $boring = ($param{'boring'} || 'no') eq 'yes';
diff --git a/debian/changelog b/debian/changelog
index 029368f..edbce78 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -77,6 +77,8 @@ debbugs (2.4) experimental; urgency=low
 package name, closes: #93433. [Colin]
 * Remove support for -fixed address from receive, since nothing else supports it. [Colin]
+ * Prevent people from reading the first line of arbitrary files through bugreport.cgi, thanks to Max . [Colin]
 * Fix a few typos, closes: #146745, #152751.
 * Various other things, not worth mentioning here.
-- 
2.39.2
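Review bot: The new check on `$ref` in cgi/bugreport.cgi is unanchored, so a value such as `../../etc/passwd42` or `12abc34` is not rejected but silently rewritten to the first run of digits (`42`, `12`); the reassignment from `$1` does confine `$ref` to digits, which closes the file-read hole, but a malformed request is served as some other bug instead of being refused. Anchoring the match, `$ref =~ /^(\d+)$/ or quit("Invalid bug number");`, keeps the untaint-by-capture behaviour while rejecting anything that is not purely a bug number, and using `$1` on the very next statement is the right discipline for `$1`. The hunk only validates `$param{'bug'}`; if `$msg` or `$att` are later used to select files or message indexes (not visible here), they deserve the same anchored check, and a short comment such as `# Only a bare decimal bug number is acceptable: $ref ends up in a filesystem path` would record why the check exists. This statement run continues past both ends of the hunk.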