author: Simon Green <sgreen@redhat.com> 2014-10-06 16:49:38 +0200
committer: David Lawrence <dkl@mozilla.com> 2014-10-06 16:49:38 +0200
commit: fa954ab78cc60aba43aedb85e2b4f98d56d7bf9d
tree: 01b1eeaeeecd240a743cb280e2dbf101ad2aac37 /template/en/default/email
parent: f33b119d68d21074d08a6bd72f960319276e182b
Bug 1064140: [SECURITY] Private comments can be shown to flagmail recipients who aren't in the insider group
r=glob,a=glob
Diffstat (limited to 'template/en/default/email')
-rw-r--r-- template/en/default/email/flagmail.txt.tmpl 13
1 files changed, 8 insertions, 5 deletions
diff --git a/template/en/default/email/flagmail.txt.tmpl b/template/en/default/email/flagmail.txt.tmpl
index d0e1395e2..cf64d9661 100644
--- a/template/en/default/email/flagmail.txt.tmpl
+++ b/template/en/default/email/flagmail.txt.tmpl
@@ -68,11 +68,14 @@ Attachment [% attidsummary %]
[%- FILTER bullet = wrap(80) %]
-[% USE Bugzilla %]
-[%-# .defined is necessary to avoid a taint issue, see bug 509794. %]
-[% IF Bugzilla.cgi.param("comment").defined && Bugzilla.cgi.param("comment").length > 0 %]
-------- Additional Comments from [% user.identity %]
-[%+ Bugzilla.cgi.param("comment") FILTER strip_control_chars %]
+[% FOREACH comment = new_comments %]
+
+[%- IF comment.count %]
+--- Comment #[% comment.count %] from [% comment.author.identity %] ---
+[% ELSE %]
+--- Description ---
+[% END %]
+[%+ comment.body_full({ is_bugmail => 1, wrap => 1 }) FILTER strip_control_chars %]
[% END %]
[%- END %]
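Review bot: the loop `[% FOREACH comment = new_comments %]` has no per-comment privacy check, so whether a private comment reaches a recipient outside the insider group depends entirely on how the caller builds `new_comments`, and that code is outside this diff (the view is limited to template/en/default/email). Add a template comment above the loop stating that `new_comments` must already be filtered for the recipient of this mail, or add a guard inside the loop that skips comments marked private when the recipient is not an insider, so a future caller passing an unfiltered list cannot reintroduce the leak. A smaller point on the `[% ELSE %]` branch: `--- Description ---` omits the author identity that the removed `Additional Comments from [% user.identity %]` header always carried; include `comment.author.identity` there too if the recipient should see who wrote the description.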