author | David Lawrence <dkl@mozilla.com> | 2016-03-08 15:26:33 +0100 |
---|---|---|
committer | David Lawrence <dkl@mozilla.com> | 2016-03-08 15:26:44 +0100 |
commit | 02aa6ce0a7cd9ef14079a5ee22c175ff9d16ed58 (patch) | |
tree | d262348a346399b483951c41ec77e6e7017ca682 /extensions | |
parent | 0a9f0581b3c8199476a3b8237c192947014f921a (diff) | |
download | bugzilla-02aa6ce0a7cd9ef14079a5ee22c175ff9d16ed58.tar.gz bugzilla-02aa6ce0a7cd9ef14079a5ee22c175ff9d16ed58.tar.xz |
Bug 1252445 - Tracking flags configuration is vulnerable to CSRF and causes persistent XSS
Diffstat (limited to 'extensions')
6 files changed, 24 insertions, 9 deletions
diff --git a/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl b/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl
index f70e77bb1..84efbd077 100644
--- a/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl
+++ b/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl
@@ -77,7 +77,8 @@
   [%# add tracking flags json if available %]
   [% IF tracking_flags %]
     [% javascript_urls.push("extensions/TrackingFlags/web/js/tracking_flags.js") %]
-    TrackingFlags = [% tracking_flags_json FILTER none %];
+    var tracking_flags_str = "[% tracking_flags_json FILTER js %]";
+    var TrackingFlags = $.parseJSON(tracking_flags_str);
   [% END %]
 
   [%# update last-visited %]
diff --git a/extensions/TrackingFlags/lib/Admin.pm b/extensions/TrackingFlags/lib/Admin.pm
index 1bae18ef8..542e990d5 100644
--- a/extensions/TrackingFlags/lib/Admin.pm
+++ b/extensions/TrackingFlags/lib/Admin.pm
@@ -1,4 +1,4 @@
-# This Source Code Form is subject to the terms of the Mozilla Public
+#d This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 #
@@ -15,6 +15,7 @@ use Bugzilla::Component;
 use Bugzilla::Error;
 use Bugzilla::Group;
 use Bugzilla::Product;
+use Bugzilla::Token qw(check_hash_token delete_token);
 use Bugzilla::Util qw(trim detaint_natural);
 use Bugzilla::Extension::TrackingFlags::Constants;
 
@@ -52,6 +53,10 @@ sub admin_edit {
     $vars->{tracking_flag_types} = FLAG_TYPES;
 
     if ($input->{delete}) {
+        my $token = $input->{token};
+        check_hash_token($token, ['tracking_flags_edit']);
+        delete_token($token);
+
         my $flag = Bugzilla::Extension::TrackingFlags::Flag->new($vars->{flag_id})
             || ThrowCodeError('tracking_flags_invalid_item_id', { item => 'flag', id => $vars->{flag_id} });
         $flag->remove_from_db();
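Review bot: The new `var TrackingFlags = $.parseJSON(tracking_flags_str);` declares the global with `var` here and in edit-after_custom_fields.html.tmpl, while bug/tracking_flags.html.tmpl keeps the bare assignment `TrackingFlags = $.parseJSON(tracking_flags_str);`; if any of these lines sits inside a function rather than at top-level script scope, `var` makes the name local and tracking_flags.js would no longer see it, so the three should use the same form (the enclosing context of this hunk is outside the diff). The string-then-parse shape is the right fix: the JSON now travels inside an escaped JS string literal, so a quote or `</script>` embedded in a flag name can no longer terminate the literal or the script element the way `FILTER none` allowed, provided the template `js` filter escapes those characters. `JSON.parse(tracking_flags_str)` gives the same result without the jQuery dependency, and `$.parseJSON` is deprecated in later jQuery releases. The same note applies to the hunks in tracking_flags.html.tmpl, create-form.html.tmpl, edit-after_custom_fields.html.tmpl and tracking_flags_admin_edit.html.tmpl.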
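Review bot: The first hunk of Admin.pm turns the license header into `#d This Source Code Form is subject to the terms of the Mozilla Public`; the stray `d` looks like an accidental keystroke that slipped into the commit, not an intended change. It is still a comment so nothing breaks, but it should be reverted to `# This Source Code Form is subject to the terms of the Mozilla Public` so the MPL boilerplate stays byte-identical to the rest of the tree.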
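Review bot: The delete branch now requires `$input->{token}` to validate against `['tracking_flags_edit']`, but the only template change in this commit that emits a token is the hidden `name="token"` input added next to `name="save"` in tracking_flags_admin_edit.html.tmpl; if the delete action is submitted through a separate form or link whose markup is not in this diff, it needs the same `issue_hash_token(['tracking_flags_edit'])` field or every deletion will fail the token check. The three token lines are repeated verbatim in the save branch (the `@@ -67,7 +72,9 @@` hunk); since both branches use the same token data, checking once above the `if`, e.g. `if ($input->{delete} || $input->{save}) { my $token = $input->{token}; check_hash_token($token, ['tracking_flags_edit']); delete_token($token); }`, keeps the two paths from drifting apart. A one-line comment such as `# CSRF protection: every state-changing action on this page must carry a tracking_flags_edit hash token` above that check would document why the token is mandatory. The body of admin_edit continues outside this hunk.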
@@ -67,7 +72,9 @@ sub admin_edit {
         exit;
     }
     elsif ($input->{save}) {
-        # save
+        my $token = $input->{token};
+        check_hash_token($token, ['tracking_flags_edit']);
+        delete_token($token);
         my ($flag, $values, $visibilities) = _load_from_input($input, $vars);
         _validate($flag, $values, $visibilities);
 
diff --git a/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl b/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl
index 4e2c97dfa..efce91cfe 100644
--- a/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl
@@ -58,5 +58,6 @@
 [% END %]
 
 <script type="text/javascript">
-  TrackingFlags = [% tracking_flags_json FILTER none %];
+  var tracking_flags_str = "[% tracking_flags_json FILTER js %]";
+  TrackingFlags = $.parseJSON(tracking_flags_str);
 </script>
diff --git a/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl b/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl
index 53f80a885..a29357b11 100644
--- a/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl
@@ -30,7 +30,8 @@
 
 <script type="text/javascript">
   $(function() {
-    var tracking_flag_components = [% tracking_flag_components FILTER none %];
+    var tracking_flag_components_str = "[% tracking_flag_components FILTER js %]";
+    var tracking_flag_components = $.parseJSON(tracking_flag_components_str);
     var highest_status_firefox = '[% highest_status_firefox FILTER js %]';
 
     $('#component')
diff --git a/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl b/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl
index b66bd3df4..aab7056e6 100644
--- a/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl
@@ -41,6 +41,7 @@
 [% END %]
 
 <script type="text/javascript">
-  TrackingFlags = [% tracking_flags_json FILTER none %];
+  var tracking_flags_str = "[% tracking_flags_json FILTER js %]";
+  var TrackingFlags = $.parseJSON(tracking_flags_str);
   hide_tracking_flags();
 </script>
diff --git a/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl b/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl
index 60406490f..e381c4f1c 100644
--- a/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl
@@ -30,9 +30,12 @@ var selected_components = [
 %]
 
 <script>
-  var groups = [% groups || '[]' FILTER none %];
-  var flag_values = [% values || '[]' FILTER none %];
-  var flag_visibility = [% visibility || '[]' FILTER none %];
+  var groups_str = "[% groups || '[]' FILTER js %]";
+  var groups = $.parseJSON(groups_str);
+  var flag_values_str = "[% values || '[]' FILTER js %]";
+  var flag_values = $.parseJSON(flag_values_str);
+  var flag_visibility_str = "[% visibility || '[]' FILTER js %]";
+  var flag_visibility = $.parseJSON(flag_visibility_str);
 </script>
 
 <div id="edit_mode">
@@ -50,6 +53,7 @@ var selected_components = [
 <input type="hidden" name="values" id="values" value="">
 <input type="hidden" name="visibility" id="visibility" value="">
 <input type="hidden" name="save" value="1">
+<input type="hidden" name="token" value="[% issue_hash_token(['tracking_flags_edit']) FILTER html %]">
 
 [%# name/desc/etc %]
 
|