-rw-r--r-- | Bugzilla/CGI.pm | 25 | ||||
-rwxr-xr-x | buglist.cgi | 30 | ||||
-rwxr-xr-x | report.cgi | 7 | ||||
-rwxr-xr-x | request.cgi | 19 | ||||
-rw-r--r-- | template/en/default/request/queue.html.tmpl | 2 |
5 files changed, 52 insertions, 31 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index ce7cdf429..58a681491 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -347,6 +347,10 @@ sub header {
 unshift(@_, '-x_frame_options' => 'SAMEORIGIN');
 }
+ if ($self->{'_content_disp'}) {
+ unshift(@_, '-content_disposition' => $self->{'_content_disp'});
+ }
+
 # Add X-XSS-Protection header to prevent simple XSS attacks
 # and enforce the blocking (rather than the rewriting) mode.
 unshift(@_, '-x_xss_protection' => '1; mode=block');
@@ -560,6 +564,22 @@ sub url_is_attachment_base {
 return ($self->self_url =~ $regex) ? 1 : 0;
 }
+sub set_dated_content_disp {
+ my ($self, $type, $prefix, $ext) = @_;
+
+ my @time = localtime(time());
+ my $date = sprintf "%04d-%02d-%02d", 1900+$time[5], $time[4]+1, $time[3];
+ my $filename = "$prefix-$date.$ext";
+
+ $filename =~ s/\s/_/g; # Remove whitespace to avoid HTTP header tampering
+ $filename =~ s/\\/_/g; # Remove backslashes as well
+ $filename =~ s/"/\\"/g; # escape quotes
+
+ my $disposition = "$type; filename=\"$filename\"";
+
+ $self->{'_content_disp'} = $disposition;
+}
+
 ##########################
 # Vars TIEHASH Interface #
 ##########################
@@ -667,6 +687,11 @@ instead of calling this directly.
 Redirects from the current URL to one prefixed by the urlbase parameter.
+=item C<set_dated_content_disp>
+
+Sets an appropriate date-dependent value for the Content Disposition header
+for a downloadable resource.
+
 =back
 =head1 SEE ALSO
diff --git a/buglist.cgi b/buglist.cgi
index 27badae7c..9d259de5c 100755
--- a/buglist.cgi
+++ b/buglist.cgi
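Review bot: The sanitising in set_dated_content_disp is a blacklist and leaves gaps: `s/\s/_/g` removes CR/LF and spaces, but other C0 control bytes and non-ASCII characters in `$prefix` (buglist.cgi passes the user-supplied namedcmd parameter straight in) still land in the Content-Disposition value, where they are invalid per HTTP and handled inconsistently by browsers. A whitelist on the assembled filename is shorter and closes the gap, `$filename =~ s/[^A-Za-z0-9_.-]/_/g;`, making the backslash and quote substitutions redundant since both characters are rewritten, and the date part already consists only of digits and dashes. I believe newer CGI.pm releases also reject header values containing a newline, but that is a backstop this code should not rely on. Separately, the sub falls off its last assignment rather than ending in an explicit `return;`, and the POD entry in the next hunk would be more useful if it named the three arguments and the `PREFIX-YYYY-MM-DD.EXT` shape of the resulting filename.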
@@ -316,22 +316,20 @@ sub GetGroups {
 }
 sub _close_standby_message {
- my ($contenttype, $disposition, $serverpush) = @_;
+ my ($contenttype, $disp, $disp_prefix, $extension, $serverpush) = @_;
 my $cgi = Bugzilla->cgi;
+ $cgi->set_dated_content_disp($disp, $disp_prefix, $extension);
 # Close the "please wait" page, then open the buglist page
 if ($serverpush) {
 print $cgi->multipart_end();
- print $cgi->multipart_start(-type => $contenttype,
- -content_disposition => $disposition);
+ print $cgi->multipart_start(-type => $contenttype);
 }
 else {
- print $cgi->header(-type => $contenttype,
- -content_disposition => $disposition);
+ print $cgi->header($contenttype);
 }
 }
-
 ################################################################################
 # Command Execution
 ################################################################################
@@ -359,17 +357,10 @@ $params ||= new Bugzilla::CGI($cgi);
 # if available. We have to do this now, even though we return HTTP headers
 # at the end, because the fact that there is a remembered query gets
 # forgotten in the process of retrieving it.
-my @time = localtime(time());
-my $date = sprintf "%04d-%02d-%02d", 1900+$time[5],$time[4]+1,$time[3];
-my $filename = "bugs-$date.$format->{extension}";
+my $disp_prefix = "bugs";
 if ($cmdtype eq "dorem" && $remaction =~ /^run/) {
- $filename = $cgi->param('namedcmd') . "-$date.$format->{extension}";
- # Remove white-space from the filename so the user cannot tamper
- # with the HTTP headers.
- $filename =~ s/\s/_/g;
+ $disp_prefix = $cgi->param('namedcmd');
 }
-$filename =~ s/\\/\\\\/g; # escape backslashes
-$filename =~ s/"/\\"/g; # escape quotes
 # Take appropriate action based on user's request.
 if ($cmdtype eq "dorem") {
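Review bot: In the `$serverpush` branch of _close_standby_message the filename hint is dropped: the disposition is now stored by `set_dated_content_disp` in `$cgi->{'_content_disp'}` and emitted only by the new code in Bugzilla::CGI::header, but `multipart_start` does not go through header(), and the explicit `-content_disposition => $disposition` argument that the removed line passed to it has no replacement. Since `_content_disp` is introduced by this commit, no existing multipart_start override can be reading it yet (I cannot see Bugzilla::CGI's other methods from here). Either keep passing it explicitly, `print $cgi->multipart_start(-type => $contenttype, -content_disposition => $cgi->{'_content_disp'});`, or better, mirror the header() change in a Bugzilla::CGI multipart_start wrapper so callers need not reach into the object's internals. The non-push branch is unaffected because `header($contenttype)` does go through the override.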
@@ -1030,7 +1021,8 @@ if ($one_product && Bugzilla->user->can_enter_product($one_product)) {
 # The following variables are used when the user is making changes to multiple bugs.
 if ($dotweak && scalar @bugs) {
 if (!$vars->{'caneditbugs'}) {
- _close_standby_message('text/html', 'inline', $serverpush);
+ _close_standby_message('text/html',
+ 'inline', "error", "html", $serverpush);
 ThrowUserError('auth_failure', {group => 'editbugs', action => 'modify', object => 'multiple_bugs'});
@@ -1137,10 +1129,8 @@ if ($format->{'extension'} eq "csv") {
 $vars->{'human'} = $cgi->param('human');
 }
-# Suggest a name for the bug list if the user wants to save it as a file.
-$disposition .= "; filename=\"$filename\"";
-
-_close_standby_message($contenttype, $disposition, $serverpush);
+_close_standby_message($contenttype, $disposition, $disp_prefix,
+ $format->{'extension'}, $serverpush);
 ################################################################################
 # Content Generation
diff --git a/report.cgi b/report.cgi
index 4e8689527..7a6093c8c 100755
--- a/report.cgi
+++ b/report.cgi
@@ -280,11 +280,8 @@ my $format = $template->get_format("reports/report", $formatparam,
 # set debug=1 to always get an HTML content-type, and view the error.
 $format->{'ctype'} = "text/html" if $cgi->param('debug');
-my @time = localtime(time());
-my $date = sprintf "%04d-%02d-%02d", 1900+$time[5],$time[4]+1,$time[3];
-my $filename = "report-$date.$format->{extension}";
-print $cgi->header(-type => $format->{'ctype'},
- -content_disposition => "inline; filename=$filename");
+$cgi->set_dated_content_disp("inline", "report", $format->{extension});
+print $cgi->header($format->{'ctype'});
 # Problems with this CGI are often due to malformed data. Setting debug=1
 # prints out both data structures.
diff --git a/request.cgi b/request.cgi
index 5ac95f240..1bab9ff45 100755
--- a/request.cgi
+++ b/request.cgi
@@ -46,8 +46,12 @@ my $cgi = Bugzilla->cgi;
 Bugzilla->switch_to_shadow_db;
 my $template = Bugzilla->template;
 my $action = $cgi->param('action') || '';
+my $format = $template->get_format('request/queue',
+ scalar($cgi->param('format')),
+ scalar($cgi->param('ctype')));
-print $cgi->header();
+$cgi->set_dated_content_disp("inline", "requests", $format->{extension});
+print $cgi->header($format->{'ctype'});
 ################################################################################
 # Main Body Execution
@@ -66,7 +70,7 @@ unless (defined $cgi->param('requestee')
 Bugzilla::User::match_field($fields);
 if ($action eq 'queue') {
- queue();
+ queue($format);
 }
 else {
 my $flagtypes = get_flag_types();
@@ -84,8 +88,8 @@ else {
 }
 $vars->{'components'} = [ sort { $a cmp $b } keys %components ];
- $template->process('request/queue.html.tmpl', $vars)
- || ThrowTemplateError($template->error());
+ $template->process($format->{'template'}, $vars)
+ || ThrowTemplateError($template->error());
 }
 exit;
@@ -94,6 +98,7 @@ exit;
 ################################################################################
 sub queue {
+ my $format = shift;
 my $cgi = Bugzilla->cgi;
 my $dbh = Bugzilla->dbh;
 my $template = Bugzilla->template;
@@ -327,9 +332,11 @@ sub queue {
 }
 $vars->{'components'} = [ sort { $a cmp $b } keys %components ];
+ $vars->{'urlquerypart'} = $cgi->canonicalise_query('ctype');
+
 # Generate and return the UI (HTML page) from the appropriate template.
- $template->process("request/queue.html.tmpl", $vars)
- || ThrowTemplateError($template->error());
+ $template->process($format->{'template'}, $vars)
+ || ThrowTemplateError($template->error());
 }
 ################################################################################
diff --git a/template/en/default/request/queue.html.tmpl b/template/en/default/request/queue.html.tmpl
index 0ed14bad7..261db0438 100644
--- a/template/en/default/request/queue.html.tmpl
+++ b/template/en/default/request/queue.html.tmpl
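Review bot: `get_format` is now driven by the user's ctype, and the link added to queue.html.tmpl requests `ctype=csv`, yet the diffstat lists no CSV template for request/queue; unless it already exists in the tree, following the CSV link fails inside get_format (presumably with its format-not-found error) instead of producing a list. If the template ships separately, a comment at the get_format call would save the next reader the search, e.g. `# ctype=csv selects the request/queue CSV template; both views share $vars.` Also, `set_dated_content_disp("inline", ...)` runs before the action dispatch, so every response from request.cgi, including the plain HTML form, now carries a date-stamped `Content-Disposition: inline; filename=...` header; that is harmless, but the choice of the 'requests' prefix and of 'inline' over 'attachment' for the CSV view deserves a one-line comment.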
@@ -220,6 +220,8 @@ to some group are shown by default.
 </tr>
 [% END %]
 [% PROCESS display_buglist %]
+ <br><br>
+ <a href="request.cgi?[% urlquerypart FILTER html %]&ctype=csv">(view entire list as CSV)</a>
 [% END %]
 [% PROCESS global/footer.html.tmpl %] |
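Review bot: The bare `&` before `ctype=csv` inside the href should be written `&amp;`; an unescaped ampersand in an attribute value is invalid HTML and is exactly what the template's `FILTER html` discipline elsewhere is meant to avoid. The query part is already escaped, so only the literal separator changes: `<a href="request.cgi?[% urlquerypart FILTER html %]&amp;ctype=csv">(view entire list as CSV)</a>`. It is also worth confirming what `canonicalise_query('ctype')` returns when no other parameters are present, since an empty string yields `request.cgi?&ctype=csv`, which works but looks unfinished.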