author | Frédéric Buclin <LpSolit@gmail.com> | 2012-07-26 23:01:12 +0200 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2012-07-26 23:01:12 +0200 |
commit | 4eb4a65a1a945e558086603e75b367bc7bd1d971 (patch) | |
tree | 4dec8749aac061a667ccf0a504995eab6ae4618e /template/en/default/email | |
parent | 6bdf0f7971bd726b803858dce8326b9af9c62b48 (diff) | |
Bug 777398: (CVE-2012-1968) [SECURITY] HTML bugmail exposes information about restricted bugs
r=glob a=LpSolit
Diffstat (limited to 'template/en/default/email')
-rw-r--r-- | template/en/default/email/bugmail.html.tmpl | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/template/en/default/email/bugmail.html.tmpl b/template/en/default/email/bugmail.html.tmpl
index cfb5a64e4..5d31d27a0 100644
--- a/template/en/default/email/bugmail.html.tmpl
+++ b/template/en/default/email/bugmail.html.tmpl
@@ -20,12 +20,12 @@
 [% FOREACH comment = new_comments.reverse %]
 <div>
 [% IF comment.count %]
- <b>[% "Comment # ${comment.count}" FILTER bug_link( bug,
- {comment_num => comment.count, full_url => 1}) FILTER none %]
- on [% "$terms.bug $bug.id" FILTER bug_link( bug, { full_url => 1 }) FILTER none %]
+ <b>[% "Comment # ${comment.count}" FILTER bug_link(bug,
+ {comment_num => comment.count, full_url => 1, user => to_user}) FILTER none %]
+ on [% "$terms.bug $bug.id" FILTER bug_link(bug, { full_url => 1, user => to_user }) FILTER none %]
 from [% INCLUDE global/user.html.tmpl who = comment.author %]</b>
 [% END %]
- <pre>[% comment.body_full({ wrap => 1 }) FILTER quoteUrls(bug, comment) %]</pre>
+ <pre>[% comment.body_full({ wrap => 1 }) FILTER quoteUrls(bug, comment, to_user) %]</pre>
 </div>
 [% END %]
 </p>
@@ -58,13 +58,14 @@
 [% SET in_table = 0 %]
 [% END %]
 [% IF change.blocker %]
- [% "${terms.Bug} ${bug.id}" FILTER bug_link(bug, full_url => 1) FILTER none %] depends
- on [% "${terms.bug} ${change.blocker.id}"
- FILTER bug_link(change.blocker, full_url => 1) FILTER none %],
+ [% "${terms.Bug} ${bug.id}" FILTER bug_link(bug, {full_url => 1, user => to_user}) FILTER none %]
+ depends on
+ [%+ "${terms.bug} ${change.blocker.id}"
+ FILTER bug_link(change.blocker, {full_url => 1, user => to_user}) FILTER none %],
 which changed state.
 [% ELSE %]
- [% INCLUDE global/user.html.tmpl who = change.who %]
- changed [% "${terms.Bug} ${bug.id}" FILTER bug_link(bug, full_url => 1) FILTER none %]
+ [% INCLUDE global/user.html.tmpl who = change.who %] changed
+ [%+ "${terms.bug} ${bug.id}" FILTER bug_link(bug, {full_url => 1, user => to_user}) FILTER none %]
 [% END %]
 <br>
 [% IF in_table == 0 %]
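Review bot: Nothing in the template records why `user => to_user` and the third `quoteUrls` argument are required, so a later edit or a customised copy of this file can drop them and silently reintroduce the exposure named in the commit title. The filters themselves are outside this diff; judging by the fix, they presumably check bug visibility against the acting user when no user is passed, which is the wrong principal for mail rendered for someone else. A template comment above the FOREACH would make the rule explicit, for example `[%# Every bug_link and quoteUrls call in bugmail must pass to_user: visibility is checked for the recipient, not for the user who made the change. %]`. A test that scans the email templates for `bug_link`/`quoteUrls` calls lacking `to_user` would keep this from regressing. The template continues outside the hunk on both sides.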
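Review bot: The ELSE branch changes the link text from `${terms.Bug}` to `${terms.bug}` and both branches are re-wrapped with `[%+`, none of which the commit message mentions or the visibility fix needs. In a CVE patch that will be backported to several branches, these wording and whitespace edits make it harder to confirm that the only behavioural change is the added `user => to_user`. I would keep this hunk to the option change, e.g. `changed [% "${terms.Bug} ${bug.id}" FILTER bug_link(bug, {full_url => 1, user => to_user}) FILTER none %]`, and move the capitalisation and line-layout cleanup to a separate non-security commit. The loop enclosing `IF change.blocker` starts outside the hunk.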
@@ -88,7 +89,7 @@
 <th>[% field_label FILTER html %]</th>
 <td>
 [% IF change.field_name == "bug_id" %]
- [% new_value FILTER bug_link(bug, full_url => 1) FILTER none %]
+ [% new_value FILTER bug_link(bug, {full_url => 1, user => to_user}) FILTER none %]
 [% ELSE %]
 [% new_value FILTER html %]
 [% END %]
 |
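Review bot: On the changed line `new_value` reaches the HTML mail through `bug_link` and `FILTER none` without the `FILTER html` that the ELSE branch applies to the same variable. That is safe only if `new_value` is always a numeric bug id in this branch or `bug_link` escapes its link text, and neither is visible in this diff. Escaping first costs nothing for a numeric id and removes the dependency: `[% new_value FILTER html FILTER bug_link(bug, {full_url => 1, user => to_user}) FILTER none %]`. The table row this belongs to begins and ends outside the hunk.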