authorlpsolit%gmail.com <>2006-02-21 09:05:56 +0100
committerlpsolit%gmail.com <>2006-02-21 09:05:56 +0100
commitc738859a411c63f64fa931a5275111aeb9d90fd8 (patch)
tree6423d386e03be187a65fc71483d28571ba84b2ff
parent39e8d6dc7a8371433d8260b86ebc12396da1de7a (diff)
[SECURITY] Bug 313441: Query RSS should HTML-escape summary in <title> - Patch by Phil Ringnalda <philringnalda@gmail.com> r=myk a=justdave
I forgot to specify the bug number in my previous checkin. That was bug 312498.
-rw-r--r--Bugzilla/Constants.pm2
-rwxr-xr-xbuglist.cgi17
-rw-r--r--template/en/default/global/header.html.tmpl10
-rw-r--r--template/en/default/list/list.atom.tmpl (renamed from template/en/default/list/list.rss.tmpl)69
-rw-r--r--template/en/default/list/list.html.tmpl14
5 files changed, 54 insertions, 58 deletions
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index 09717486e..c00518732 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -148,7 +148,7 @@ use constant contenttypes =>
{
"html"=> "text/html" ,
"rdf" => "application/rdf+xml" ,
- "rss" => "application/rss+xml" ,
+ "atom"=> "application/atom+xml" ,
"xml" => "application/xml" ,
"js" => "application/x-javascript" ,
"csv" => "text/plain" ,
diff --git a/buglist.cgi b/buglist.cgi
index 2ff808451..ba105eab8 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -103,6 +103,11 @@ if (defined $cgi->param('format') && $cgi->param('format') eq "rdf"
$cgi->delete('format');
}
+# Treat requests for ctype=rss as requests for ctype=atom
+if (defined $cgi->param('ctype') && $cgi->param('ctype') eq "rss") {
+ $cgi->param('ctype', "atom");
+}
+
# The js ctype presents a security risk; a malicious site could use it
# to gather information about secure bugs. So, we only allow public bugs to be
# retrieved with this format.
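Review bot: The new comment above the ctype rewrite says what it does but not why, and the why is the non-obvious part: Constants.pm in this same commit drops the "rss" content type, so without this rewrite any existing subscription to a ctype=rss buglist URL would presumably fall through as an unknown ctype. I would expand it to `# Treat requests for ctype=rss as requests for ctype=atom: the rss content type is no longer defined in Bugzilla::Constants, and existing feed subscriptions still carry ctype=rss.` The rewrite runs before the js-ctype security check that starts at the end of this hunk, so the atom feed is covered by whatever ctype-specific handling follows; only the start of that check is visible here.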
@@ -683,12 +688,12 @@ if ($format->{'extension'} eq 'ics') {
push(@selectcolumns, "opendate") if !grep($_ eq 'opendate', @selectcolumns);
}
-if ($format->{'extension'} eq 'rss') {
- # The title of the RSS feed will be the same one as for the bug list.
+if ($format->{'extension'} eq 'atom') {
+ # The title of the Atom feed will be the same one as for the bug list.
$vars->{'title'} = $cgi->param('title');
- # This is the list of fields that are needed by the rss filter.
- my @required_rss_columns = (
+ # This is the list of fields that are needed by the Atom filter.
+ my @required_atom_columns = (
'short_desc',
'opendate',
'changeddate',
@@ -699,7 +704,7 @@ if ($format->{'extension'} eq 'rss') {
'bug_status'
);
- foreach my $required (@required_rss_columns) {
+ foreach my $required (@required_atom_columns) {
push(@selectcolumns, $required) if !grep($_ eq $required,@selectcolumns);
}
}
@@ -934,7 +939,7 @@ while (my @row = $buglist_sth->fetchrow_array()) {
s/^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})$/$1-$2-$3 $4:$5:$6/;
# Put in the change date as a time, so that the template date plugin
- # can format the date in any way needed by the template. ICS and RSS
+ # can format the date in any way needed by the template. ICS and Atom
# have specific, and different, date and time formatting.
$bug->{'changedtime'} = str2time($bug->{'changeddate'});
$bug->{'changeddate'} = DiffDate($bug->{'changeddate'});
diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl
index 90c3659fe..959bf5a99 100644
--- a/template/en/default/global/header.html.tmpl
+++ b/template/en/default/global/header.html.tmpl
@@ -35,7 +35,7 @@
# style: string. CSS style.
# style_urls: list. List of URLs to CSS style sheets.
# message: string. A message to display to the user. May contain HTML.
- # rsslink: rss link url, May contain HTML
+ # atomlink: Atom link url, May contain HTML
#%]
[% IF message %]
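Review bot: The renamed parameter comment still says atomlink "May contain HTML", but the only use of atomlink in this file's second hunk passes it through `FILTER html` inside the href attribute, so any markup in it is escaped rather than rendered; the description reads like an invitation to pass markup that would come out mangled. Suggest `# atomlink: string. URL of an Atom feed for this page; HTML-escaped on output.` Whether the same wording is accurate for message depends on how message is output, which is not visible in these hunks.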
@@ -100,11 +100,11 @@
[% END %]
[% END %]
- [%# this puts the live bookmark up on firefox for the RSS feed %]
- [% IF rsslink %]
+ [%# this puts the live bookmark up on firefox for the Atom feed %]
+ [% IF atomlink %]
<link rel="alternate"
- type="application/rss+xml" title="RSS 1.0"
- href="[% rsslink FILTER html %]" />
+ type="application/atom+xml" title="Atom feed"
+ href="[% atomlink FILTER html %]" />
[% END %]
</head>
diff --git a/template/en/default/list/list.rss.tmpl b/template/en/default/list/list.atom.tmpl
index cf6901bd7..367f2858f 100644
--- a/template/en/default/list/list.rss.tmpl
+++ b/template/en/default/list/list.atom.tmpl
@@ -19,8 +19,9 @@
# Contributor(s): Walter Hoehn <wassa@columbia.edu>
# John Belmonte <john@neggie.net>
# Jason Remillard <jremillardshop@letterboxes.org>
+ # Phil Ringnalda <bugzilla@philringnalda.com>
#
- # This is a template for generating an RSS 1.0 representation of a buglist.
+ # This is a template for generating an Atom representation of a buglist.
#%]
[% PROCESS global/variables.none.tmpl %]
@@ -29,42 +30,32 @@
[% DEFAULT title = "$terms.Bugzilla $terms.Bugs" %]
<?xml version="1.0"[% IF Param('utf8') %] encoding="UTF-8"[% END %]?>
-<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
- xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
- xmlns:dc="http://purl.org/dc/elements/1.1/"
- xmlns="http://purl.org/rss/1.0/">
- <channel rdf:about="[% Param('urlbase') %]buglist.cgi?
- [%- urlquerypart.replace('ctype=rss[&]?','') FILTER xml %]" >
-
- <title>[% title FILTER xml %]</title>
- <description>[% "$terms.Bugzilla $terms.bug list" FILTER xml %]</description>
-
- <link>[% Param('urlbase') %]buglist.cgi?
- [%- urlquerypart.replace('ctype=rss[&]?','') FILTER xml -%]
- </link>
-
- <sy:updatePeriod>hourly</sy:updatePeriod>
- <sy:updateFrequency>2</sy:updateFrequency>
-
- <items>
- <rdf:Seq>
- [% FOREACH bug = bugs %]
- <rdf:li rdf:resource="[% Param('urlbase') FILTER xml %]show_bug.cgi?id=[% bug.bug_id FILTER xml %]" />
- [% END %]
- </rdf:Seq>
- </items>
-
- </channel>
-
+<feed xmlns="http://www.w3.org/2005/Atom">
+ <title>[% title FILTER xml %]</title>
+ <link rel="alternate" type="text/html"
+ href="[% Param('urlbase') %]buglist.cgi?
+ [%- urlquerypart.replace('ctype=atom[&]?','') FILTER xml %]"/>
+ <link rel="self" type="application/atom+xml"
+ href="[% Param('urlbase') %]buglist.cgi?
+ [%- urlquerypart FILTER xml %]"/>
+ <updated>[% date.format(format=>"%Y-%m-%dT%H:%M:%SZ",
+ time=>bugs.nsort('changedtime').last.changedtime,
+ gmt=>1) FILTER xml %]</updated>
+ <id>[% Param('urlbase') %]buglist.cgi?[% urlquerypart FILTER xml %]</id>
+
[% FOREACH bug = bugs %]
- <item rdf:about="[% Param('urlbase') FILTER xml %]show_bug.cgi?id=[% bug.bug_id FILTER xml %]">
- <title>
- [% "@" IF bug.secure_mode %] [[% terms.Bug %] [%+ bug.bug_id FILTER xml %]] [% bug.short_desc FILTER xml %]
- </title>
- <link>[% Param('urlbase') FILTER xml %]show_bug.cgi?id=[% bug.bug_id FILTER xml %]</link>
- <dc:creator>[% bug.reporter_realname FILTER xml %]</dc:creator>
- <dc:date>[% date.format(format=>"%Y-%m-%dT%H:%MZ",time=>bug.opentime,gmt=>1) FILTER xml %]</dc:date>
- <description>
+ <entry>
+ <title>[% "@" IF bug.secure_mode %][[% terms.Bug %] [%+ bug.bug_id FILTER xml %]] [% bug.short_desc FILTER xml %]</title>
+ <link rel="alternate" type="text/html"
+ href="[% Param('urlbase') FILTER xml %]show_bug.cgi?id=
+ [%- bug.bug_id FILTER xml %]"/>
+ <id>[% Param('urlbase') FILTER xml %]show_bug.cgi?id=[% bug.bug_id FILTER xml %]</id>
+ <author>
+ <name>[% bug.reporter_realname FILTER xml %]</name>
+ </author>
+ <updated>[% date.format(format=>"%Y-%m-%dT%H:%M:%SZ",time=>bug.changedtime,
+ gmt=>1) FILTER xml %]</updated>
+ <summary type="html">
[%# Filter out the entire block, so that we don't need to escape the html code out %]
[% FILTER xml %]
<table>
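Review bot: `Param('urlbase')` is interpolated unfiltered in the feed-level `<link rel="alternate">` href, the `<link rel="self">` href and the feed `<id>`, while the per-entry href and `<id>` a few lines below wrap the same value in `FILTER xml`; urlbase is administrator-configured so the exposure is small, but one rule should apply throughout the document, and the escaped form is the safe one: `href="[% Param('urlbase') FILTER xml %]buglist.cgi?`. Separately, the feed `<updated>` is computed from `bugs.nsort('changedtime').last.changedtime`, which is undefined when the list is empty; whether the Date plugin then substitutes the current time or emits an empty element I cannot tell from here, but Atom requires a well-formed `<updated>` on every feed, so an explicit fallback for the `bugs.size == 0` case would be worth adding.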
@@ -91,7 +82,7 @@
</tr>
</table>
[% END %]
- </description>
- </item>
+ </summary>
+ </entry>
[% END %]
-</rdf:RDF>
+</feed>
diff --git a/template/en/default/list/list.html.tmpl b/template/en/default/list/list.html.tmpl
index 85b7d7316..5ac715a0c 100644
--- a/template/en/default/list/list.html.tmpl
+++ b/template/en/default/list/list.html.tmpl
@@ -48,15 +48,15 @@
[% PROCESS global/header.html.tmpl
title = title
style = style
- rsslink = "buglist.cgi?$urlquerypart&title=$title&ctype=rss"
+ atomlink = "buglist.cgi?$urlquerypart&title=$title&ctype=atom"
%]
<div align="center">
- [% IF Param('timezone') %]
- <b>[% time2str("%a %b %e %Y %T %Z", currenttime, Param('timezone')) %]</b><br>
- [% ELSE %]
- <b>[% time2str("%a %b %e %Y %T", currenttime) %]</b><br>
- [% END %]
+ [% IF Param('timezone') %]
+ <b>[% time2str("%a %b %e %Y %T %Z", currenttime, Param('timezone')) %]</b><br>
+ [% ELSE %]
+ <b>[% time2str("%a %b %e %Y %T", currenttime) %]</b><br>
+ [% END %]
[% IF debug %]
<p>
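Review bot: `$title` is interpolated into the atomlink query string without URL encoding, so a title containing `&`, `#` or `%` corrupts the feed URL that ends up in the header's `<link rel="alternate">` (the html filter applied there escapes for the attribute, not for the query string); the `title FILTER html` in the feed link of this file's second hunk has the same gap. Assuming urlquerypart is already URL-encoded where it is built, only title needs treatment: URL-quote it (Bugzilla's url_quote filter, or TT's uri filter) into a separate variable before the PROCESS and interpolate that variable instead of `$title`. The rsslink line being replaced had the same problem, so this is not introduced here, but the renamed line is the natural place to fix it.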
@@ -169,7 +169,7 @@
[% urlquerypart FILTER html %]&amp;ctype=csv">CSV</a> |
<a href="buglist.cgi?
[% urlquerypart FILTER html %]&amp;title=
- [%- title FILTER html %]&amp;ctype=rss">RSS</a> |
+ [%- title FILTER html %]&amp;ctype=atom">Feed</a> |
<a href="buglist.cgi?
[% urlquerypart FILTER html %]&amp;ctype=ics">iCalendar</a> |
<a href="colchange.cgi?