ignore supplied filenames in MIME to avoid taint issues

[debbugs.git] / Debbugs / CGI / Bugreport.pm

diff --git a/Debbugs/CGI/Bugreport.pm b/Debbugs/CGI/Bugreport.pm
index 0fd134a2ed20e311ff6ef8c3fa7f049d1f397aa4..95201d23a20b2c122c5b46218179f0c4c4bd42ca 100644 (file)
--- a/Debbugs/CGI/Bugreport.pm
+++ b/Debbugs/CGI/Bugreport.pm
@@ -304,7 +304,7 @@ sub display_entity {
            ) {
             # Add links to CVE vulnerabilities (closes #568464)
             $body =~ s{(^|\s|[\(\[])(CVE-\d{4}-\d{4,})(\s|[,.-\[\]\)]|$)}
-                      {$1<a href="http://$config{cve_tracker}$2">$2</a>$3}gxm;
+                      {$1<a href="$config{cve_tracker}$2">$2</a>$3}gxm;
         }
         if (not exists $param{att}) {
              print {$output} qq(<pre class="$css_class">$body</pre>\n);
@@ -476,6 +476,7 @@ sub handle_record{
           # this will be cleaned up once it goes out of scope
           my $tempdir = File::Temp->newdir();
           $parser->output_under($tempdir->dirname());
+         $parser->filer->ignore_filename(1);
          my $entity;
          if ($record->{inner_file}) {
              $entity = $parser->parse($record->{fh});