From 40023c4a9f7d949f623b3b6fa90c9cbf5dfc2351 Mon Sep 17 00:00:00 2001
From: Dylan William Hardison
Date: Tue, 20 Mar 2018 10:06:20 -0400
Subject: Bug 1444008 - Form action injection in Bugzilla /user_profile (leads to XSS/single-factor credential leakage)
---
 .htaccess | 6 +++---
 .../UserProfile/template/en/default/pages/user_profile.html.tmpl | 2 +-
 template/en/default/account/auth/login.html.tmpl | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.htaccess b/.htaccess
index 36195da50..745c57536 100644
--- a/.htaccess
+++ b/.htaccess
@@ -37,9 +37,9 @@ RewriteRule ^new[-_]bug$ new_bug.cgi [L,QSA]
 RewriteRule ^template_cache/ - [F,L,NC]
 RewriteRule ^template_cache.deleteme/ - [F,L,NC]
-RewriteRule ^review(.*) page.cgi?id=splinter.html$1 [QSA]
-RewriteRule ^user_?profile(.*) page.cgi?id=user_profile.html$1 [QSA]
-RewriteRule ^request_defer(.*) page.cgi?id=request_defer.html$1 [QSA]
+RewriteRule ^review$ page.cgi?id=splinter.html$1 [QSA]
+RewriteRule ^user_?profile$ page.cgi?id=user_profile.html$1 [QSA]
+RewriteRule ^request_defer$ page.cgi?id=request_defer.html$1 [QSA]
 RewriteRule ^favicon\.ico$ extensions/BMO/web/images/favicon.ico
 RewriteRule ^form[\.:]itrequest$ enter_bug.cgi?product=Infrastructure+\%26+Operations&format=itrequest [QSA]
 RewriteRule ^form[\.:](mozlist|poweredby|presentation|trademark|recoverykey)$ enter_bug.cgi?product=mozilla.org&format=$1 [QSA]
diff --git a/extensions/UserProfile/template/en/default/pages/user_profile.html.tmpl b/extensions/UserProfile/template/en/default/pages/user_profile.html.tmpl
index 27cb825ed..fd72091dc 100644
--- a/extensions/UserProfile/template/en/default/pages/user_profile.html.tmpl
+++ b/extensions/UserProfile/template/en/default/pages/user_profile.html.tmpl
@@ -27,7 +27,7 @@   Search -
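Review bot: The three rewritten rules still carry a `$1` back-reference even though the capture group it pointed at was removed together with `(.*)`, so `$1` no longer refers to anything (it appears to expand to an empty string) and misleads a reader into thinking part of the request path is still forwarded to page.cgi. Drop the dead reference: `RewriteRule ^review$ page.cgi?id=splinter.html [QSA]`, `RewriteRule ^user_?profile$ page.cgi?id=user_profile.html [QSA]`, `RewriteRule ^request_defer$ page.cgi?id=request_defer.html [QSA]`. With the patterns anchored, only the query string (preserved by QSA) reaches page.cgi, which is what closes the path-suffix injection named in the subject, so a short comment above these rules such as `# Patterns must stay anchored: a trailing capture let arbitrary path suffixes reach page.cgi (bug 1444008)` would help keep a later edit from reintroducing the capture. The two template hunks this commit pairs with are not readable in this view, so the form-action side of the fix could not be reviewed here.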
+ [% INCLUDE global/userselect.html.tmpl id => "login" name => "login"
diff --git a/template/en/default/account/auth/login.html.tmpl b/template/en/default/account/auth/login.html.tmpl
index 160fad43b..c11a6afc1 100644
--- a/template/en/default/account/auth/login.html.tmpl
+++ b/template/en/default/account/auth/login.html.tmpl
@@ -42,7 +42,7 @@