Bommels05/Mozilla
Bommels05/Mozilla
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 745397: (CVE-2012-0466) [SECURITY] The JS template for buglists permits attackers to access all bugs that the victim can see

Browse Source 
r=glob a=LpSolit


git-svn-id: svn://10.0.0.236/trunk@263712 18797224-902f-48f8-a5cc-f745e15eee43
This commit is contained in:
mkanat%bugzilla.org 2012-04-18 17:08:02 +00:00
parent 8ec173480f
commit dae90e7dc8
4 changed files with 1 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
mozilla/webtools/bugzilla/.bzrrev
View File

@ -1 +1 @@
8206 8207

10
mozilla/webtools/bugzilla/buglist.cgi
View File

@ -95,16 +95,6 @@ if (defined $cgi->param('ctype') && $cgi->param('ctype') eq "rss") {
$cgi->param('ctype', "atom"); $cgi->param('ctype', "atom");
} }
# The js ctype presents a security risk; a malicious site could use it
# to gather information about secure bugs. So, we only allow public bugs to be
# retrieved with this format.
#
# Note that if and when this call clears cookies or has other persistent
# effects, we'll need to do this another way instead.
if ((defined $cgi->param('ctype')) && ($cgi->param('ctype') eq "js")) {
Bugzilla->logout_request();
}
# An agent is a program that automatically downloads and extracts data # An agent is a program that automatically downloads and extracts data
# on its user's behalf. If this request comes from an agent, we turn off # on its user's behalf. If this request comes from an agent, we turn off
# various aspects of bug list functionality so agent requests succeed # various aspects of bug list functionality so agent requests succeed

10
mozilla/webtools/bugzilla/docs/en/xml/using.xml
View File

@ -671,16 +671,6 @@
</member> </member>
</simplelist> </simplelist>
</para> </para>
<para>
If you would like to access the bug list from another program
it is often useful to have the list returned in something other
than HTML. By adding the ctype=type parameter into the bug list URL
you can specify several alternate formats. Besides the types described
above, the following formats are also supported: ECMAScript, also known
as JavaScript (ctype=js), and Resource Description Framework RDF/XML
(ctype=rdf).
</para>
</section> </section>
<section id="individual-buglists"> <section id="individual-buglists">

25
mozilla/webtools/bugzilla/template/en/default/list/list.js.tmpl
View File

@ -1,25 +0,0 @@
[%# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# This Source Code Form is "Incompatible With Secondary Licenses", as
# defined by the Mozilla Public License, v. 2.0.
#%]
// Note: only publicly-accessible bugs (those not in any group) will be
// listed when using this JavaScript format. This is to prevent malicious
// sites stealing information about secure bugs.
bugs = new Array;
[% FOREACH bug = bugs %]
bugs[[% bug.bug_id %]] = [
[% FOREACH column = displaycolumns %]
"[%- bug.$column FILTER js -%]"[% "," UNLESS loop.last %]
[% END %]
];
[% END %]
if (window.buglistCallback) {
buglistCallback(bugs);
}