-rw-r--r-- | Bugzilla/CGI.pm | 11 | ||||
-rwxr-xr-x | attachment.cgi | 6 | ||||
-rwxr-xr-x | post_bug.cgi | 2 | ||||
-rwxr-xr-x | process_bug.cgi | 3 | ||||
-rwxr-xr-x | show_bug.cgi | 12 |
5 files changed, 24 insertions, 10 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 91dec7e72..556d91441 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -52,9 +52,11 @@ use constant DEFAULT_CSP => (
 # normally the policy would just live in one .cgi file.
 # Additionally, correct_urlbase() cannot be called at compile time, so this can't be a constant.
 sub SHOW_BUG_MODAL_CSP {
- return (
+ my ($bug_id) = @_;
+ my %policy = (
 script_src => ['self', 'nonce', 'unsafe-inline', 'unsafe-eval' ],
 object_src => [correct_urlbase() . "extensions/BugModal/web/ZeroClipboard/ZeroClipboard.swf"],
+ img_src => [ 'self', 'https://secure.gravatar.com' ],
 connect_src => [
 'self',
 # This is from extensions/OrangeFactor/web/js/orange_factor.js
@@ -66,6 +68,13 @@ sub SHOW_BUG_MODAL_CSP {
 'https://ashughes1.github.io/bugzilla-socorro-lens/chart.htm'
 ],
 );
+ if (use_attachbase() && $bug_id) {
+ my $attach_base = Bugzilla->params->{'attachment_base'};
+ $attach_base =~ s/\%bugid\%/$bug_id/g;
+ push @{ $policy{img_src} }, $attach_base;
+ }
+
+ return %policy;
 }
 
 sub _init_bz_cgi_globals {
diff --git a/attachment.cgi b/attachment.cgi
index d228c9c7f..53c817d08 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -633,7 +633,7 @@ sub insert {
 Bugzilla::Hook::process('show_bug_format', $show_bug_format);
 
 if ($show_bug_format->{format} eq 'modal') {
- $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
+ $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bugid));
 }
 
 print $cgi->header();
@@ -797,7 +797,7 @@ sub update {
 Bugzilla::Hook::process('show_bug_format', $show_bug_format);
 
 if ($show_bug_format->{format} eq 'modal') {
- $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
+ $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bug->id));
 }
 
 print $cgi->header();
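Review bot: SHOW_BUG_MODAL_CSP now takes an argument (`my ($bug_id) = @_;`) but neither the header comment above the sub nor the sub itself says what it is for or that it is optional, and process_bug.cgi in this same change passes undef. Add above the `sub` line: `# Takes an optional bug id; when attachment_base is in use, the per-bug attachment host is appended to img-src.` The sub continues past this hunk; its remainder is in the second hunk of this file.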
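Review bot: `$bug_id` is substituted into the attachment_base value (`s/\%bugid\%/$bug_id/g`) and pushed into the img-src list with no check in this sub that it is an integer; show_bug.cgi detaints its copy, but the other callers pass whatever they hold, so the sub should enforce the shape it relies on rather than trust every caller. Change the guard to `if (use_attachbase() && $bug_id && $bug_id =~ /\A[0-9]+\z/) {` so a non-numeric value can never be spliced into a CSP source expression. The new `img_src` key also narrows image loads for the modal view to 'self', gravatar and the attachment host, where previously img-src presumably fell back to default-src; if that tightening is intended it is worth a sentence in the commit message. I cannot see where `use_attachbase` is brought into scope in Bugzilla::CGI from this hunk; confirm it is imported.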
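Review bot: `insert` passes `$bugid` while the `update` and `delete_attachment` hunks pass `$bug->id`; `$bugid` is declared outside this hunk, so I cannot tell whether it is still the raw `bugid` CGI parameter or the value already validated when the bug object was loaded. If it is the raw parameter, prefer the loaded object's id as the other two hunks do, `$cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bug->id));`, so that only a validated integer reaches the CSP builder. `insert` starts before this hunk.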
@@ -872,7 +872,7 @@ sub delete_attachment {
 Bugzilla::Hook::process('show_bug_format', $show_bug_format);
 
 if ($show_bug_format->{format} eq 'modal') {
- $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
+ $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bug->id));
 }
 
 print $cgi->header();
diff --git a/post_bug.cgi b/post_bug.cgi
index bbba125c1..238ff6e1a 100755
--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -265,7 +265,7 @@ $format = $template->get_format("bug/create/created",
 $cgi->delete('format');
 
 if ($user->setting('ui_experiments') eq 'on') {
- Bugzilla->cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
+ Bugzilla->cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bug->id));
 }
 print $cgi->header();
 $template->process($format->{'template'}, $vars)
diff --git a/process_bug.cgi b/process_bug.cgi
index ac8e32c53..49ac28fc0 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -420,7 +420,8 @@ my $format_params = {
 };
 Bugzilla::Hook::process('show_bug_format', $format_params);
 if ($format_params->{format} eq 'modal') {
- $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
+ my $bug_id = $vars->{bug} ? $vars->{bug}->id : undef;
+ $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bug_id));
 }
 
 my $format = $template->get_format("bug/show", $format_params->{format},
diff --git a/show_bug.cgi b/show_bug.cgi
index d4e6ea771..d2695a66f 100755
--- a/show_bug.cgi
+++ b/show_bug.cgi
@@ -20,6 +20,7 @@ use Bugzilla::Keyword;
 use Bugzilla::Bug;
 use Bugzilla::Hook;
 use Bugzilla::CGI;
+use Bugzilla::Util qw(detaint_natural);
 
 my $cgi = Bugzilla->cgi;
 my $template = Bugzilla->template;
@@ -37,10 +38,6 @@ my $format = $template->get_format("bug/show", $format_params->{format},
 $format_params->{ctype});
 
-if ($format_params->{format} eq 'modal') {
- $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
-}
-
 # Editable, 'single' HTML bugs are treated slightly specially in a few places
 my $single = (!$format->{format} || $format->{format} ne 'multiple')
 && $format->{extension} eq 'html';
 
@@ -53,6 +50,13 @@ if (!$cgi->param('id') && $single) {
 exit;
 }
 
+if ($format_params->{format} eq 'modal') {
+ my $bug_id = $cgi->param('id');
+ detaint_natural($bug_id);
+ $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bug_id));
+}
+
+
 my @bugs;
 my %marks;
 
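Review bot: The return value of `detaint_natural($bug_id)` is discarded, so a reader has to know Bugzilla::Util's contract to see that a non-numeric or multi-bug `id` value (for example a comma-separated list) is handled by the `$bug_id` guard inside SHOW_BUG_MODAL_CSP rather than silently producing a bad policy. If detaint_natural does set its argument to undef on failure, say so at the call site: `# detaint_natural() undefs $bug_id unless id is a plain integer; the CSP builder then omits the per-bug attachment host.` If it does not, add an explicit `$bug_id = undef unless defined $bug_id && $bug_id =~ /\A[0-9]+\z/;` after the call. The two added blank lines after the closing brace are one more than the surrounding context uses between blocks; drop one.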