path: root/buglist.cgi
author: gerv%gerv.net <> 2003-11-09 03:04:36 +0100
committer: gerv%gerv.net <> 2003-11-09 03:04:36 +0100
commit: fc7ebc28b0859d7ddecd704001ff1adc54856d47 (patch)
tree: 6db8a4f000896dfb5cc1313dac91ff20052b3cab /buglist.cgi
parent: ee4db0ae49ef6ac641fb8713784e86165586b0c4 (diff)
Bug 195530 - Make javascript version of buglists available, part 2. This is a security fix to prevent remote sites being able to see sensitive bug data. Patch by gerv; r=justdave, r=myk, a=justdave.
Diffstat (limited to 'buglist.cgi')
-rwxr-xr-x buglist.cgi 10
1 files changed, 10 insertions, 0 deletions
diff --git a/buglist.cgi b/buglist.cgi
index fa664c251..1c5161481 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -88,6 +88,16 @@ if ($::FORM{'format'} && $::FORM{'format'} eq "rdf" && !$::FORM{'ctype'}) {
delete($::FORM{'format'});
}
+# The js ctype presents a security risk; a malicious site could use it
+# to gather information about secure bugs. So, we only allow public bugs to be
+# retrieved with this format.
+#
+# Note that if and when this call clears cookies or has other persistent
+# effects, we'll need to do this another way instead.
+if ($::FORM{'ctype'} eq "js") {
+ Bugzilla->logout();
+}
+
# Determine the format in which the user would like to receive the output.
# Uses the default format if the user did not specify an output format;
# otherwise validates the user's choice against the list of available formats.
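Review bot: The new condition `if ($::FORM{'ctype'} eq "js")` compares `$::FORM{'ctype'}` with `eq` without first checking that it is defined, so every request that omits `ctype` (the common case, since the RDF branch just above only runs when `ctype` is absent) will emit an "Use of uninitialized value" warning under `use warnings`. The existing check two lines up already shows the local idiom, `$::FORM{'format'} && $::FORM{'format'} eq "rdf"`, so the guard should read `if ($::FORM{'ctype'} && $::FORM{'ctype'} eq "js")`. Separately, the comment says the code "only allow[s] public bugs to be retrieved with this format" but the mechanism is `Bugzilla->logout()`; it would help a later reader if the comment stated plainly that the intent is to run the rest of this request as the anonymous user so that the query only returns bugs visible without a login, and the second paragraph's "if and when this call clears cookies" caveat makes clear the patch depends on `logout()` currently having no persistent effect, which is worth verifying in `Bugzilla->logout` before this lands.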