summaryrefslogtreecommitdiffstats
path: root/extensions
diff options
context:
space:
mode:
authorDavid Lawrence <dkl@mozilla.com>2016-03-08 15:26:33 +0100
committerDavid Lawrence <dkl@mozilla.com>2016-03-08 15:26:44 +0100
commit02aa6ce0a7cd9ef14079a5ee22c175ff9d16ed58 (patch)
treed262348a346399b483951c41ec77e6e7017ca682 /extensions
parent0a9f0581b3c8199476a3b8237c192947014f921a (diff)
downloadbugzilla-02aa6ce0a7cd9ef14079a5ee22c175ff9d16ed58.tar.gz
bugzilla-02aa6ce0a7cd9ef14079a5ee22c175ff9d16ed58.tar.xz
Bug 1252445 - Tracking flags configuration is vulnerable to CSRF and causes persistent XSS
Diffstat (limited to 'extensions')
-rw-r--r--extensions/BugModal/template/en/default/bug_modal/header.html.tmpl3
-rw-r--r--extensions/TrackingFlags/lib/Admin.pm11
-rw-r--r--extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl3
-rw-r--r--extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl3
-rw-r--r--extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl3
-rw-r--r--extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl10
6 files changed, 24 insertions, 9 deletions
diff --git a/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl b/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl
index f70e77bb1..84efbd077 100644
--- a/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl
+++ b/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl
@@ -77,7 +77,8 @@
[%# add tracking flags json if available %]
[% IF tracking_flags %]
[% javascript_urls.push("extensions/TrackingFlags/web/js/tracking_flags.js") %]
- TrackingFlags = [% tracking_flags_json FILTER none %];
+ var tracking_flags_str = "[% tracking_flags_json FILTER js %]";
+ var TrackingFlags = $.parseJSON(tracking_flags_str);
[% END %]
[%# update last-visited %]
diff --git a/extensions/TrackingFlags/lib/Admin.pm b/extensions/TrackingFlags/lib/Admin.pm
index 1bae18ef8..542e990d5 100644
--- a/extensions/TrackingFlags/lib/Admin.pm
+++ b/extensions/TrackingFlags/lib/Admin.pm
@@ -1,4 +1,4 @@
-# This Source Code Form is subject to the terms of the Mozilla Public
+#d This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
@@ -15,6 +15,7 @@ use Bugzilla::Component;
use Bugzilla::Error;
use Bugzilla::Group;
use Bugzilla::Product;
+use Bugzilla::Token qw(check_hash_token delete_token);
use Bugzilla::Util qw(trim detaint_natural);
use Bugzilla::Extension::TrackingFlags::Constants;
@@ -52,6 +53,10 @@ sub admin_edit {
$vars->{tracking_flag_types} = FLAG_TYPES;
if ($input->{delete}) {
+ my $token = $input->{token};
+ check_hash_token($token, ['tracking_flags_edit']);
+ delete_token($token);
+
my $flag = Bugzilla::Extension::TrackingFlags::Flag->new($vars->{flag_id})
|| ThrowCodeError('tracking_flags_invalid_item_id', { item => 'flag', id => $vars->{flag_id} });
$flag->remove_from_db();
@@ -67,7 +72,9 @@ sub admin_edit {
exit;
} elsif ($input->{save}) {
- # save
+ my $token = $input->{token};
+ check_hash_token($token, ['tracking_flags_edit']);
+ delete_token($token);
my ($flag, $values, $visibilities) = _load_from_input($input, $vars);
_validate($flag, $values, $visibilities);
diff --git a/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl b/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl
index 4e2c97dfa..efce91cfe 100644
--- a/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl
@@ -58,5 +58,6 @@
[% END %]
<script type="text/javascript">
- TrackingFlags = [% tracking_flags_json FILTER none %];
+ var tracking_flags_str = "[% tracking_flags_json FILTER js %]";
+ TrackingFlags = $.parseJSON(tracking_flags_str);
</script>
diff --git a/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl b/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl
index 53f80a885..a29357b11 100644
--- a/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl
@@ -30,7 +30,8 @@
<script type="text/javascript">
$(function() {
- var tracking_flag_components = [% tracking_flag_components FILTER none %];
+ var tracking_flag_components_str = "[% tracking_flag_components FILTER js %]";
+ var tracking_flag_components = $.parseJSON(tracking_flag_components_str);
var highest_status_firefox = '[% highest_status_firefox FILTER js %]';
$('#component')
diff --git a/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl b/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl
index b66bd3df4..aab7056e6 100644
--- a/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl
@@ -41,6 +41,7 @@
[% END %]
<script type="text/javascript">
- TrackingFlags = [% tracking_flags_json FILTER none %];
+ var tracking_flags_str = "[% tracking_flags_json FILTER js %]";
+ var TrackingFlags = $.parseJSON(tracking_flags_str);
hide_tracking_flags();
</script>
diff --git a/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl b/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl
index 60406490f..e381c4f1c 100644
--- a/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl
@@ -30,9 +30,12 @@ var selected_components = [
%]
<script>
- var groups = [% groups || '[]' FILTER none %];
- var flag_values = [% values || '[]' FILTER none %];
- var flag_visibility = [% visibility || '[]' FILTER none %];
+ var groups_str = "[% groups || '[]' FILTER js %]";
+ var groups = $.parseJSON(groups_str);
+ var flag_values_str = "[% values || '[]' FILTER js %]";
+ var flag_values = $.parseJSON(flag_values_str);
+ var flag_visibility_str = "[% visibility || '[]' FILTER js %]";
+ var flag_visibility = $.parseJSON(flag_visibility_str);
</script>
<div id="edit_mode">
@@ -50,6 +53,7 @@ var selected_components = [
<input type="hidden" name="values" id="values" value="">
<input type="hidden" name="visibility" id="visibility" value="">
<input type="hidden" name="save" value="1">
+<input type="hidden" name="token" value="[% issue_hash_token(['tracking_flags_edit']) FILTER html %]">
[%# name/desc/etc %]