From 811987d677a4117f09b032e3935aff9accdc133d Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Wed, 18 Apr 2012 18:58:04 +0200 Subject: Bug 745397: (CVE-2012-0466) [SECURITY] The JS template for buglists permits attackers to access all bugs that the victim can see r=glob a=LpSolit --- buglist.cgi | 10 ---------- docs/en/xml/using.xml | 10 ---------- template/en/default/list/list.js.tmpl | 25 ------------------------- 3 files changed, 45 deletions(-) delete mode 100644 template/en/default/list/list.js.tmpl diff --git a/buglist.cgi b/buglist.cgi index 79bf94381..885e50478 100755 --- a/buglist.cgi +++ b/buglist.cgi @@ -95,16 +95,6 @@ if (defined $cgi->param('ctype') && $cgi->param('ctype') eq "rss") { $cgi->param('ctype', "atom"); } -# The js ctype presents a security risk; a malicious site could use it -# to gather information about secure bugs. So, we only allow public bugs to be -# retrieved with this format. -# -# Note that if and when this call clears cookies or has other persistent -# effects, we'll need to do this another way instead. -if ((defined $cgi->param('ctype')) && ($cgi->param('ctype') eq "js")) { - Bugzilla->logout_request(); -} - # An agent is a program that automatically downloads and extracts data # on its user's behalf. If this request comes from an agent, we turn off # various aspects of bug list functionality so agent requests succeed diff --git a/docs/en/xml/using.xml b/docs/en/xml/using.xml index cf59e8d4d..9f4fc2777 100644 --- a/docs/en/xml/using.xml +++ b/docs/en/xml/using.xml @@ -671,16 +671,6 @@ - - - If you would like to access the bug list from another program - it is often useful to have the list returned in something other - than HTML. By adding the ctype=type parameter into the bug list URL - you can specify several alternate formats. Besides the types described - above, the following formats are also supported: ECMAScript, also known - as JavaScript (ctype=js), and Resource Description Framework RDF/XML - (ctype=rdf). -
diff --git a/template/en/default/list/list.js.tmpl b/template/en/default/list/list.js.tmpl deleted file mode 100644 index 8795b1cf5..000000000 --- a/template/en/default/list/list.js.tmpl +++ /dev/null @@ -1,25 +0,0 @@ -[%# This Source Code Form is subject to the terms of the Mozilla Public - # License, v. 2.0. If a copy of the MPL was not distributed with this - # file, You can obtain one at http://mozilla.org/MPL/2.0/. - # - # This Source Code Form is "Incompatible With Secondary Licenses", as - # defined by the Mozilla Public License, v. 2.0. - #%] - -// Note: only publicly-accessible bugs (those not in any group) will be -// listed when using this JavaScript format. This is to prevent malicious -// sites stealing information about secure bugs. - -bugs = new Array; - -[% FOREACH bug = bugs %] - bugs[[% bug.bug_id %]] = [ - [% FOREACH column = displaycolumns %] - "[%- bug.$column FILTER js -%]"[% "," UNLESS loop.last %] - [% END %] - ]; -[% END %] - -if (window.buglistCallback) { - buglistCallback(bugs); -} -- cgit v1.2.3-24-g4f1b