From e71013e25c1ca334b986e28f1caebb6b0cb69cb7 Mon Sep 17 00:00:00 2001
From: Paul Wise
Date: Fri, 2 Dec 2022 09:16:49 +0800
Subject: [PATCH] Prevent usertags created at submit time from including invalid trailing chars
There were two regex validating included characters but the one used at submit time only checked for valid characters at the start of the usertag string. Also factor the usertag validity regex into a function to reduce duplication.
Fixes: commit d8c69d152175704304656c19e1da1043fd24491e
---
 lib/Debbugs/Control.pm | 14 ++++++++++++++
 scripts/process | 4 ++--
 scripts/service | 4 ++--
 3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/lib/Debbugs/Control.pm b/lib/Debbugs/Control.pm
index 1f8b3aa..38b83ab 100644
--- a/lib/Debbugs/Control.pm
+++ b/lib/Debbugs/Control.pm
@@ -3295,6 +3295,20 @@ sub bug_unarchive {
 __end_control(%info);
 }
+= head2 valid_usertag
+
+ valid_usertag
+
+This checks if the usertag contains valid characters or not.
+
+=cut
+
+sub valid_usertag {
+ my $usertag = shift;
+ return $usertag =~ m/^[a-zA-Z0-9.+\@-]+$/;
+}
+
+
 =head2 append_action_to_log
 append_action_to_log
diff --git a/scripts/process b/scripts/process
index 66fa434..4e4d97a 100755
--- a/scripts/process
+++ b/scripts/process
@@ -30,7 +30,7 @@ use Debbugs::Text qw(:templates);
 use Debbugs::Config qw(:globals :config);
-use Debbugs::Control qw(append_action_to_log);
+use Debbugs::Control qw(append_action_to_log valid_usertag);
 use Debbugs::Control::Service qw(valid_control control_line);
 use Debbugs::Recipients qw(determine_recipients);
 use Encode qw(encode_utf8 decode);
@@ -723,7 +723,7 @@ if ($ref<0) { # new bug report
 read_usertags(\%user_tags, $current_user);
 $value =~ s/(?:^\s+|\s+$)//g;
 for my $tag (split /[,\s]+/, $value) {
- if ($tag =~ /^[a-zA-Z0-9.+\@-]+/) {
+ if (valid_usertag($tag)) {
 my %bugs_with_tag;
 @bugs_with_tag{@{$user_tags{$tag}||[]}} = (1) x @{$user_tags{$tag}||[]};
 $bugs_with_tag{$ref} = 1;
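Review bot: The new `valid_usertag` in lib/Debbugs/Control.pm still accepts a usertag that ends in a newline, because Perl's `$` matches before a final `\n` as well as at the very end of the string. Both callers in this patch split on `/[,\s]+/` first, so they never pass such a value, but a shared validator should not depend on its callers for that; `return $usertag =~ m/\A[a-zA-Z0-9.+\@-]+\z/;` closes the gap. Separately, the first added line appears on this page as `= head2 valid_usertag`, with a space after `=`, which Perl would not read as a POD command; it should be `=head2 valid_usertag`, and the usage line could show the argument as `valid_usertag($usertag)`.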
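Review bot: `valid_usertag` is imported by name in `use Debbugs::Control qw(append_action_to_log valid_usertag);` in scripts/process, but nothing in this patch makes Debbugs::Control export it. The diffstat gives Control.pm 14 added lines, and all 14 are the sub and its POD. If the module's Exporter lists are built elsewhere from fixed tag sets (not visible here), this `use` line and `qw(:all valid_usertag)` in scripts/service would both fail at compile time with a not-exported error. Either add the name to the module's export list in the same commit, or call it fully qualified as `Debbugs::Control::valid_usertag($tag)`.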
diff --git a/scripts/service b/scripts/service
index cdb70bb..df3bc2c 100755
--- a/scripts/service
+++ b/scripts/service
@@ -32,7 +32,7 @@ use Debbugs::Versions::Dpkg;
 use Debbugs::Status qw(splitpackages);
 use Debbugs::CGI qw(html_escape);
-use Debbugs::Control qw(:all);
+use Debbugs::Control qw(:all valid_usertag);
 use Debbugs::Control::Service qw(:all);
 use Debbugs::Log qw(:misc);
 use Debbugs::Text qw(:templates);
@@ -425,7 +425,7 @@ END
 my %chtags;
 if (defined $tags and length $tags) {
 for my $t (split /[,\s]+/, $tags) {
- if ($t =~ m/^[a-zA-Z0-9.+\@-]+$/) {
+ if (valid_usertag($t)) {
 $chtags{$t} = 1;
 } else {
 push @badtags, $t;
-- 2.39.2