-rwxr-xr-xbuglist.cgi10
-rw-r--r--template/en/default/list/list.js.tmpl5
2 files changed, 15 insertions, 0 deletions
diff --git a/buglist.cgi b/buglist.cgi
index fa664c251..1c5161481 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -88,6 +88,16 @@ if ($::FORM{'format'} && $::FORM{'format'} eq "rdf" && !$::FORM{'ctype'}) {
delete($::FORM{'format'});
}
+# The js ctype presents a security risk; a malicious site could use it
+# to gather information about secure bugs. So, we only allow public bugs to be
+# retrieved with this format.
+#
+# Note that if and when this call clears cookies or has other persistent
+# effects, we'll need to do this another way instead.
+if ($::FORM{'ctype'} eq "js") {
+ Bugzilla->logout();
+}
+
# Determine the format in which the user would like to receive the output.
# Uses the default format if the user did not specify an output format;
# otherwise validates the user's choice against the list of available formats.
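Review bot: The new guard compares `$::FORM{'ctype'}` with `eq` without a definedness check, so every request that omits ctype (the common case) emits an "uninitialized value" warning under `use warnings`; `if (defined $::FORM{'ctype'} && $::FORM{'ctype'} eq "js")` avoids that. The comparison is also exact and case-sensitive, so if the later ctype/format validation (outside this hunk) accepts variants such as `JS` or values with surrounding whitespace, those would reach the js template without the logout — it is worth confirming that this check and the later format selection see the same normalized value. As the comment itself acknowledges, `Bugzilla->logout()` is being used as a request-local privilege drop; if that call also invalidates the session cookie, a logged-in user who fetches `ctype=js` directly is logged out of Bugzilla as a side effect, so a request-only variant that just discards the in-memory login would be safer if one is available.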
diff --git a/template/en/default/list/list.js.tmpl b/template/en/default/list/list.js.tmpl
index 8dde0c5b7..e6bc794c2 100644
--- a/template/en/default/list/list.js.tmpl
+++ b/template/en/default/list/list.js.tmpl
@@ -18,6 +18,11 @@
#
# Contributor(s): Gervase Markham <gerv@gerv.net>
#%]
+
+// Note: only publicly-accessible bugs (those not in any group) will be
+// listed when using this JavaScript format. This is to prevent malicious
+// sites stealing information about secure bugs.
+
bugs = new Array;
[% FOREACH bug = bugs %]