summaryrefslogtreecommitdiffstats
path: root/template/en/default
diff options
context:
space:
mode:
authorlpsolit%gmail.com <>2009-02-02 19:21:33 +0100
committerlpsolit%gmail.com <>2009-02-02 19:21:33 +0100
commit8d70890dc0b7c24b25a344808ac4e63e6a5dd74e (patch)
treecc80d283ac39c08f00620b66a6fc991c5c3ad857 /template/en/default
parentb23648ca247167be26f1b51bd592b29309ebbc63 (diff)
downloadbugzilla-8d70890dc0b7c24b25a344808ac4e63e6a5dd74e.tar.gz
bugzilla-8d70890dc0b7c24b25a344808ac4e63e6a5dd74e.tar.xz
Bug 38862: [SECURITY] attachments should be at a different hostname - Patch by Byron Jones <bugzilla@glob.com.au> and Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit
Diffstat (limited to 'template/en/default')
-rw-r--r--template/en/default/admin/params/attachment.html.tmpl18
-rw-r--r--template/en/default/attachment/edit.html.tmpl35
2 files changed, 23 insertions, 30 deletions
diff --git a/template/en/default/admin/params/attachment.html.tmpl b/template/en/default/admin/params/attachment.html.tmpl
index ef3363bbb..7c0b52472 100644
--- a/template/en/default/admin/params/attachment.html.tmpl
+++ b/template/en/default/admin/params/attachment.html.tmpl
@@ -24,6 +24,24 @@
%]
[% param_descs = {
+ attachment_base => "It is possible for a malicious attachment to steal your " _
+ "cookies or access other attachments to perform an attack " _
+ "on the user.<p>" _
+ "If you would like additional security on attachments " _
+ "to avoid this, set this parameter to an alternate URL " _
+ "for your $terms.Bugzilla that is not the same as " _
+ "<tt>urlbase</tt> or <tt>sslbase</tt>. That is, a different " _
+ "domain name that resolves to this exact same $terms.Bugzilla " _
+ "installation.<p>" _
+ "For added security, you can insert <tt>%bugid%</tt> into " _
+ "the URL, which will be replaced with the ID of the current " _
+ "$terms.bug that the attachment is on, when you access " _
+ "an attachment. This will limit attachments to accessing " _
+ "only other attachments on the same ${terms.bug}. " _
+ "Remember, though, that all those possible domain names " _
+ "(such as <tt>1234.your.domain.com</tt>) must point to " _
+ "this same $terms.Bugzilla instance."
+
allow_attachment_deletion => "If this option is on, administrators will be able to delete " _
"the content of attachments.",
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl
index 2550d4f46..48137e76a 100644
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -39,6 +39,9 @@
doc_section = "attachments.html"
%]
+[%# No need to display the Diff button and iframe if the attachment is not a patch. %]
+[% patchviewerinstalled = (patchviewerinstalled && attachment.ispatch) %]
+
<script type="text/javascript">
<!--
var prev_mode = 'raw';
@@ -47,37 +50,7 @@
var has_viewed_as_diff = 0;
function editAsComment()
{
- // Get the content of the document as a string.
- var viewFrame = document.getElementById('viewFrame');
- var aSerializer = new XMLSerializer();
- var contentDocument = viewFrame.contentDocument;
- var theContent = aSerializer.serializeToString(contentDocument);
-
- // If this is a plaintext document, remove cruft that Mozilla adds
- // because it treats it as an HTML document with a big PRE section.
- // http://bugzilla.mozilla.org/show_bug.cgi?id=86012
- var contentType = '[% attachment.contenttype FILTER js %]';
- if ( contentType == 'text/plain' )
- {
- theContent = theContent.replace( /^<html><head\/?><body><pre>/i , "" );
- theContent = theContent.replace( /<\/pre><\/body><\/html>$/i , "" );
- theContent = theContent.replace( /&lt;/gi , "<" );
- theContent = theContent.replace( /&gt;/gi , ">" );
- theContent = theContent.replace( /&amp;/gi , "&" );
- }
-
- // Add mail-style quote indicators (>) to the beginning of each line.
- // ".*\n" matches lines that end with a newline, while ".+" matches
- // the rare situation in which the last line of a file does not end
- // with a newline.
- theContent = theContent.replace( /(.*\n|.+)/g , ">$1" );
-
switchToMode('edit');
-
- // Copy the contents of the diff into the textarea
- var editFrame = document.getElementById('editFrame');
- editFrame.value = theContent + "\n\n";
-
has_edited = 1;
}
function undoEditAsComment()
@@ -306,6 +279,8 @@
minrows = 10
cols = 80
wrap = 'soft'
+ defaultcontent = (attachment.contenttype.match('^text\/')) ?
+ attachment.data.replace('(.*\n|.+)', '>$1') : undef
%]
<iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]" style="height: 400px; width: 100%;">
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.