author | Frédéric Buclin <LpSolit@gmail.com> | 2012-11-13 18:09:30 +0100 |
committer | Frédéric Buclin <LpSolit@gmail.com> | 2012-11-13 18:09:30 +0100 |
commit | fbb0dd18cbf1ddf2e63c2db7c0bce98001a704ea (patch) | |
tree | 673fea4586a065de78f6ddf8b11551c70eab9081 /template/en/default/bug/field-events.js.tmpl | |
parent | 798135a6e855d992b734d002805ac4dd909be2cc (diff) | |
Bug 731178 (CVE-2012-4199): [SECURITY] field-events.js.tmpl discloses product and component names that the user is not allowed to see
r=dkl a=LpSolit
Diffstat (limited to 'template/en/default/bug/field-events.js.tmpl')
-rw-r--r-- | template/en/default/bug/field-events.js.tmpl | 18 |
1 files changed, 15 insertions, 3 deletions
diff --git a/template/en/default/bug/field-events.js.tmpl b/template/en/default/bug/field-events.js.tmpl
index 13ec18d38..f1d5afd32 100644
--- a/template/en/default/bug/field-events.js.tmpl
+++ b/template/en/default/bug/field-events.js.tmpl
@@ -24,11 +24,23 @@
 #%]
 
 [% FOREACH controlled_field = field.controls_visibility_of %]
+ [% vis_names = [] %]
+ [% FOREACH visibility_value = controlled_field.visibility_values %]
+ [%# Exclude non-enterable products and components outside the current product. %]
+ [% NEXT IF field.name == "product"
+ && visibility_value.id != product.id
+ && !user.can_enter_product(visibility_value) %]
+ [% NEXT IF field.name == "component" && visibility_value.product_id != product.id %]
+ [% vis_names.push(visibility_value.name) %]
+ [% END %]
+
+ [% NEXT UNLESS vis_names.size %]
+
 showFieldWhen('[% controlled_field.name FILTER js %]',
 '[% field.name FILTER js %]',
 [
- [%- FOREACH visibility_value = controlled_field.visibility_values -%]
- '[%- visibility_value.name FILTER js -%]'[% "," UNLESS loop.last %]
- [%- END %]
+ [%~ FOREACH vis_name = vis_names ~%]
+ '[% vis_name FILTER js %]'[% "," UNLESS loop.last %]
+ [%~ END ~%]
 ]);
 [% END %] |
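Review bot: The new comment `[%# Exclude non-enterable products and components outside the current product. %]` does not say that the product branch always keeps the bug's current product (`visibility_value.id != product.id` short-circuits before `can_enter_product` is consulted), so a reader may expect that value to be dropped for a user who can view but not enter it; suggest `[%# Keep the current product; otherwise exclude products the user cannot enter, and components outside the current product. %]`. The `[% NEXT UNLESS vis_names.size %]` skip relies on the fact that when no value survives, the current product is not a controlling value and the server-rendered visibility already applies, which is worth stating in the same comment so the skip is not mistaken for a missed hide. `user.can_enter_product` is evaluated once per visibility value inside the inner loop; if it is not cached per request, a field controlled by many products triggers one permission check each, and computing the enterable set once before the loop would avoid that. The enclosing `[% FOREACH controlled_field %]` loop is fully inside the hunk, but the rest of the template is outside it.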