author | Frédéric Buclin <LpSolit@gmail.com> | 2012-02-08 16:51:48 +0100 |
committer | Frédéric Buclin <LpSolit@gmail.com> | 2012-02-08 16:51:48 +0100 |
commit | 686f3c40af0d189f86af06cc2db3b5c4080164d6 (patch) | |
tree | 95f59596093014dfa5d1477e7b75f8bb5b030918 /template/en/default | |
parent | 8190b97973f647c8f7b16d9f5e2f0b2092cab49c (diff) | |
Bug 722161: Clickjacking is possible in "View All" with HTML attachments
r=dkl a=LpSolit
Diffstat (limited to 'template/en/default')
-rw-r--r-- | template/en/default/attachment/show-multiple.html.tmpl | 20 |
1 files changed, 16 insertions, 4 deletions
diff --git a/template/en/default/attachment/show-multiple.html.tmpl b/template/en/default/attachment/show-multiple.html.tmpl
index e238e5f49..91768c0d3 100644
--- a/template/en/default/attachment/show-multiple.html.tmpl
+++ b/template/en/default/attachment/show-multiple.html.tmpl
@@ -88,10 +88,22 @@
 </table>
 [% IF a.is_viewable %]
- <iframe src="attachment.cgi?id=[% a.id %]" width="75%" height="350">
- <b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
- <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
- </iframe>
+ [% IF a.contenttype == "text/html" %]
+ [%# For security reasons (clickjacking, embedded scripts), we never
+ # render HTML pages from here. The source code is displayed instead. %]
+ [% INCLUDE global/textarea.html.tmpl
+ minrows = 10
+ cols = 80
+ defaultcontent = a.data
+ readonly = 'readonly'
+ classes = 'viewall_frame'
+ %]
+ [% ELSE %]
+ <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame">
+ <b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
+ <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
+ </iframe>
+ [% END %]
 [% ELSE %]
 <p><b>
 Attachment cannot be viewed because its MIME type is not text/*, image/*, or application/vnd.mozilla.*. |