summaryrefslogtreecommitdiffstats
path: root/template/en/default/list
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2012-04-18 18:58:04 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2012-04-18 18:58:04 +0200
commit811987d677a4117f09b032e3935aff9accdc133d (patch)
treed26d58e0f7bd7b41ad86b3cf7c2e8c75a1972c90 /template/en/default/list
parent8dd0e8193d51f243b547cc0f4f21f5b3a1375ff2 (diff)
downloadbugzilla-811987d677a4117f09b032e3935aff9accdc133d.tar.gz
bugzilla-811987d677a4117f09b032e3935aff9accdc133d.tar.xz
Bug 745397: (CVE-2012-0466) [SECURITY] The JS template for buglists permits attackers to access all bugs that the victim can see
r=glob a=LpSolit
Diffstat (limited to 'template/en/default/list')
-rw-r--r--template/en/default/list/list.js.tmpl25
1 files changed, 0 insertions, 25 deletions
diff --git a/template/en/default/list/list.js.tmpl b/template/en/default/list/list.js.tmpl
deleted file mode 100644
index 8795b1cf5..000000000
--- a/template/en/default/list/list.js.tmpl
+++ /dev/null
@@ -1,25 +0,0 @@
-[%# This Source Code Form is subject to the terms of the Mozilla Public
- # License, v. 2.0. If a copy of the MPL was not distributed with this
- # file, You can obtain one at http://mozilla.org/MPL/2.0/.
- #
- # This Source Code Form is "Incompatible With Secondary Licenses", as
- # defined by the Mozilla Public License, v. 2.0.
- #%]
-
-// Note: only publicly-accessible bugs (those not in any group) will be
-// listed when using this JavaScript format. This is to prevent malicious
-// sites stealing information about secure bugs.
-
-bugs = new Array;
-
-[% FOREACH bug = bugs %]
- bugs[[% bug.bug_id %]] = [
- [% FOREACH column = displaycolumns %]
- "[%- bug.$column FILTER js -%]"[% "," UNLESS loop.last %]
- [% END %]
- ];
-[% END %]
-
-if (window.buglistCallback) {
- buglistCallback(bugs);
-}