summaryrefslogtreecommitdiffstats
path: root/template/en
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2011-01-24 19:29:39 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2011-01-24 19:29:39 +0100
commit9244270a7d1ca49e315a98c24d51bf405bfa2880 (patch)
tree46587cdf26360fd54abb79986d11c8b9234e4fe0 /template/en
parent38eeecf6362b6dc17718c84a35dbbaea7cc15ccd (diff)
downloadbugzilla-9244270a7d1ca49e315a98c24d51bf405bfa2880.tar.gz
bugzilla-9244270a7d1ca49e315a98c24d51bf405bfa2880.tar.xz
Bug 619588: (CVE-2010-4567) [SECURITY] Safety checks that disallow clicking for javascript: or data: URLs in the URL field can be evaded with prefixed whitespace
and Bug 628034: (CVE-2011-0048) [SECURITY] For not-logged-in users, the URL field doesn't safeguard against javascript: or data: URLs r=dkl a=LpSolit
Diffstat (limited to 'template/en')
-rw-r--r--template/en/default/attachment/edit.html.tmpl5
-rw-r--r--template/en/default/bug/edit.html.tmpl10
-rw-r--r--template/en/default/bug/show-multiple.html.tmpl6
3 files changed, 8 insertions, 13 deletions
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl
index 56d2b8a80..eeebcffae 100644
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -185,10 +185,7 @@
defaultcontent = (attachment.contenttype.match('^text\/')) ?
attachment.data.replace('(.*\n|.+)', '>$1') : undef
%]
- [%# The regexp is stolen from quoteUrls(), see Template.pm %]
- [% safe_protocols = constants.SAFE_PROTOCOLS.join('|') %]
- [% IF attachment.contenttype == 'text/plain'
- && attachment.data.match("^($safe_protocols):" _ '[^\s<>\"]+[\w\/]$') %]
+ [% IF attachment.contenttype == 'text/plain' AND is_safe_url(attachment.data) %]
<p>
<a href="[% attachment.data FILTER html %]">
[% IF attachment.datasize < 120 %]
diff --git a/template/en/default/bug/edit.html.tmpl b/template/en/default/bug/edit.html.tmpl
index 1ae71b299..0aa5f80af 100644
--- a/template/en/default/bug/edit.html.tmpl
+++ b/template/en/default/bug/edit.html.tmpl
@@ -555,12 +555,10 @@
[%# Block for URL Keyword and Whiteboard #%]
[%############################################################################%]
[% BLOCK section_url_keyword_whiteboard %]
-[%# *** URL Whiteboard Keywords *** %]
<tr>
<td class="field_label">
<label for="bug_file_loc" accesskey="u"><b>
- [% IF bug.bug_file_loc
- AND NOT bug.bug_file_loc.match("^(javascript|data)") %]
+ [% IF is_safe_url(bug.bug_file_loc) %]
<a href="[% bug.bug_file_loc FILTER html %]"><u>U</u>RL</a>
[% ELSE %]
<u>U</u>RL
@@ -570,8 +568,7 @@
<td>
[% IF bug.check_can_change_field("bug_file_loc", 0, 1) %]
<span id="bz_url_edit_container" class="bz_default_hidden">
- [% IF bug.bug_file_loc
- AND NOT bug.bug_file_loc.match("^(javascript|data)") %]
+ [% IF is_safe_url(bug.bug_file_loc) %]
<a href="[% bug.bug_file_loc FILTER html %]" target="_blank"
title="[% bug.bug_file_loc FILTER html %]">
[% bug.bug_file_loc FILTER truncate(40) FILTER html %]</a>
@@ -582,7 +579,8 @@
[% END %]
<span id="bz_url_input_area">
[% url_output = PROCESS input no_td=1 inputname => "bug_file_loc" size => "40" colspan => 2 %]
- [% IF NOT bug.check_can_change_field("bug_file_loc", 0, 1) %]
+ [% IF NOT bug.check_can_change_field("bug_file_loc", 0, 1)
+ AND is_safe_url(bug.bug_file_loc) %]
<a href="[% bug.bug_file_loc FILTER html %]">[% url_output FILTER none %]</a>
[% ELSE %]
[% url_output FILTER none %]
diff --git a/template/en/default/bug/show-multiple.html.tmpl b/template/en/default/bug/show-multiple.html.tmpl
index 56f732667..33dde14a3 100644
--- a/template/en/default/bug/show-multiple.html.tmpl
+++ b/template/en/default/bug/show-multiple.html.tmpl
@@ -163,11 +163,11 @@
<tr>
<th>[% field_descs.bug_file_loc FILTER html %]:</th>
<td colspan="3">
- [% IF bug.bug_file_loc.match("^(javascript|data)") %]
- [% bug.bug_file_loc FILTER html %]
- [% ELSE %]
+ [% IF is_safe_url(bug.bug_file_loc) %]
<a href="[% bug.bug_file_loc FILTER html %]">
[% bug.bug_file_loc FILTER html %]</a>
+ [% ELSE %]
+ [% bug.bug_file_loc FILTER html %]
[% END %]
</td>
</tr>