ignore supplied filenames in MIME to avoid taint issues

[debbugs.git] / Debbugs / CGI / Bugreport.pm

diff --git a/Debbugs/CGI/Bugreport.pm b/Debbugs/CGI/Bugreport.pm
index 1c0a40dd035c9f55a2351772bd93d0a4b863ad66..95201d23a20b2c122c5b46218179f0c4c4bd42ca 100644 (file)
--- a/Debbugs/CGI/Bugreport.pm
+++ b/Debbugs/CGI/Bugreport.pm
@@ -27,6 +27,7 @@ None known.
 
 use warnings;
 use strict;
+use utf8;
 use vars qw($VERSION $DEBUG %EXPORT_TAGS @EXPORT_OK @EXPORT);
 use Exporter qw(import);
 
@@ -44,7 +45,7 @@ use POSIX qw(strftime);
 use Encode qw(decode_utf8 encode_utf8);
 use URI::Escape qw(uri_escape_utf8);
 use Scalar::Util qw(blessed);
-use List::Util qw(sum0);
+use List::AllUtils qw(sum);
 use File::Temp;
 
 BEGIN{
@@ -278,7 +279,7 @@ sub display_entity {
             # if the first 20 lines in the message which have any non-space
             # characters are larger than 100 characters more often than they
             # are not, then use CSS to try to impose sensible wrapping
-            sum0(map {length ($_) > 100?1:-1} grep {/\S/} split /\n/,$body,20) > 0
+            sum(0,map {length ($_) > 100?1:-1} grep {/\S/} split /\n/,$body,20) > 0
            ) {
             $css_class .= " wrapping";
         }
@@ -303,7 +304,7 @@ sub display_entity {
            ) {
             # Add links to CVE vulnerabilities (closes #568464)
             $body =~ s{(^|\s|[\(\[])(CVE-\d{4}-\d{4,})(\s|[,.-\[\]\)]|$)}
-                      {$1<a href="http://$config{cve_tracker}$2">$2</a>$3}gxm;
+                      {$1<a href="$config{cve_tracker}$2">$2</a>$3}gxm;
         }
         if (not exists $param{att}) {
              print {$output} qq(<pre class="$css_class">$body</pre>\n);
@@ -415,17 +416,18 @@ sub handle_record{
          if (defined $time) {
               $output .= ' ('.strftime('%a, %d %b %Y %T GMT',gmtime($time)).') ';
          }
-         $output .= '</p><p><a href="' .
+         $output .= qq{(<a href="} .
               html_escape(bug_links(bug => $bug_number,
                                     options => {msg => ($msg_number+1)},
                                     links_only => 1,
                                    )
-                         ) . '">Full text</a> and <a href="' .
+                         ) . '">full text</a>, <a href="' .
                               html_escape(bug_links(bug => $bug_number,
                                                     options => {msg => ($msg_number+1),
                                                                 mbox => 'yes'},
                                                     links_only => 1)
-                                         ) . '">rfc822 format</a> available.';
+                                         ) . '">mbox</a>, '.
+                                             qq{<a href="#$msg_number">link</a>).</p>};
 
          $output = qq(<div class="$class"><hr><p>\n<a name="$msg_number"></a>\n) . $output . "</p></div>\n";
      }
@@ -438,7 +440,7 @@ sub handle_record{
               $$seen_msg_ids{$msg_id} = 1;
          }
          return () if defined $param{spam} and $param{spam}->is_spam($msg_id);
-         $output .= qq(<hr><p class="msgreceived"><a name="$msg_number"></a>\n);
+         $output .= qq(<hr><p class="msgreceived"><a name="$msg_number" href="#$msg_number">🔗</a>\n);
          $output .= 'View this message in <a href="' . html_escape(bug_links(bug=>$bug_number, links_only => 1, options=>{msg=>$msg_number, mbox=>'yes'})) . '">rfc822 format</a></p>';
          $output .= handle_email_message($record,
                                          ref     => $bug_number,
@@ -474,6 +476,7 @@ sub handle_record{
           # this will be cleaned up once it goes out of scope
           my $tempdir = File::Temp->newdir();
           $parser->output_under($tempdir->dirname());
+         $parser->filer->ignore_filename(1);
          my $entity;
          if ($record->{inner_file}) {
              $entity = $parser->parse($record->{fh});