From: cjwatson <>
Date: Thu, 7 Nov 2002 02:18:59 +0000 (-0800)
Subject: [project @ 2002-11-06 18:18:59 by cjwatson]
X-Git-Tag: release/2.6.0~1006
X-Git-Url: https://git.donarmstrong.com/?a=commitdiff_plain;h=953b68d53cd942c22d36f0c5ce5a2a9a34be6db9;p=debbugs.git
[project @ 2002-11-06 18:18:59 by cjwatson]
Prevent people from reading the first line of arbitrary files through bugreport.cgi.
---
diff --git a/cgi/bugreport.cgi b/cgi/bugreport.cgi
index a5b57d0b..7719933a 100755
--- a/cgi/bugreport.cgi
+++ b/cgi/bugreport.cgi
@@ -24,6 +24,8 @@ my %maintainer = %{getmaintainers()};
 my %pkgsrc = %{getpkgsrc()};
 my $ref = $param{'bug'} || quit("No bug number");
+$ref =~ /(\d+)/ or quit("Invalid bug number");
+$ref = $1;
 my $msg = $param{'msg'} || "";
 my $att = $param{'att'};
 my $boring = ($param{'boring'} || 'no') eq 'yes';
diff --git a/debian/changelog b/debian/changelog
index 029368fa..edbce786 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -77,6 +77,8 @@ debbugs (2.4) experimental; urgency=low
 package name, closes: #93433. [Colin]
 * Remove support for -fixed address from receive, since nothing else supports it. [Colin]
+ * Prevent people from reading the first line of arbitrary files through
+ bugreport.cgi, thanks to Max . [Colin]
 * Fix a few typos, closes: #146745, #152751.
 * Various other things, not worth mentioning here.
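Review bot: The match on the first added line is unanchored, so a value like `12abc` or a string with a digit run buried among other characters is silently coerced to its first digit run instead of being rejected; anchoring it as `$ref =~ /\A(\d+)\z/ or quit("Invalid bug number");` keeps the fix (the resulting `$ref` is still digits only) while refusing malformed input outright, which is simpler to reason about and makes bad requests visible rather than quietly normalised. The neighbouring context lines assign `$msg` and `$att` straight from `%param` with no equivalent check; if either is later used to build a file name or select an index (that code is outside this hunk), it warrants the same digit-only validation. Reliance on `$1` on the next line is fine only because `quit()` presumably never returns; a comment such as `# quit() exits, so $1 is always set here` would make that dependency explicit. The enclosing script continues beyond the hunk.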