From dc2a5d920b4bd24949ba224ef2d75af5b2bd14ea Mon Sep 17 00:00:00 2001
From: Dave Lawrence
Date: Tue, 31 Jan 2012 11:50:42 -0500
Subject: Bumped to version 4.2rc2
---
 Bugzilla/Constants.pm | 2 +-
 docs/en/xml/Bugzilla-Guide.xml | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index e215f7979..84e96fd6a 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -202,7 +202,7 @@ use Memoize;
 # CONSTANTS
 #
 # Bugzilla version
-use constant BUGZILLA_VERSION => "4.2rc1+";
+use constant BUGZILLA_VERSION => "4.2rc2";
 # Location of the remote and local XML files to track new releases.
 use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml';
diff --git a/docs/en/xml/Bugzilla-Guide.xml b/docs/en/xml/Bugzilla-Guide.xml
index 8ac3389f7..741a09c2f 100644
--- a/docs/en/xml/Bugzilla-Guide.xml
+++ b/docs/en/xml/Bugzilla-Guide.xml
@@ -32,10 +32,10 @@ For a devel release, simple bump bz-ver and bz-date --> - + - - + +
-- cgit v1.2.3-24-g4f1b
From 8190b97973f647c8f7b16d9f5e2f0b2092cab49c Mon Sep 17 00:00:00 2001
From: Dave Lawrence
Date: Tue, 31 Jan 2012 18:51:03 -0500
Subject: Bump the version number post-release
---
 Bugzilla/Constants.pm | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index 84e96fd6a..f5c3a393b 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -202,7 +202,7 @@ use Memoize;
 # CONSTANTS
 #
 # Bugzilla version
-use constant BUGZILLA_VERSION => "4.2rc2";
+use constant BUGZILLA_VERSION => "4.2rc2+";
 # Location of the remote and local XML files to track new releases.
 use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml';
-- cgit v1.2.3-24-g4f1b
From 686f3c40af0d189f86af06cc2db3b5c4080164d6 Mon Sep 17 00:00:00 2001
From: Frédéric Buclin
Date: Wed, 8 Feb 2012 16:51:48 +0100
Subject: Bug 722161: Clickjacking is possible in "View All" with HTML attachments r=dkl a=LpSolit
---
 skins/standard/attachment.css | 5 +++++
 .../en/default/attachment/show-multiple.html.tmpl | 20 ++++++++++++++++----
 2 files changed, 21 insertions(+), 4 deletions(-)
diff --git a/skins/standard/attachment.css b/skins/standard/attachment.css
index 287160331..55e62f2b0 100644
--- a/skins/standard/attachment.css
+++ b/skins/standard/attachment.css
@@ -221,6 +221,11 @@ div#update_container {
 margin-left: 2%;
 }
+.viewall_frame {
+ width: 75%;
+ height: 350px;
+}
+
 .details span.bz_private{
 border-left: 1px solid darkred;
 padding-left: 0.5em;
diff --git a/template/en/default/attachment/show-multiple.html.tmpl b/template/en/default/attachment/show-multiple.html.tmpl
index e238e5f49..91768c0d3 100644
--- a/template/en/default/attachment/show-multiple.html.tmpl
+++ b/template/en/default/attachment/show-multiple.html.tmpl
@@ -88,10 +88,22 @@ [% IF a.is_viewable %] -
+ [% IF a.contenttype == "text/html" %]
+ [%# For security reasons (clickjacking, embedded scripts), we never
+ # render HTML pages from here. The source code is displayed instead. %]
+ [% INCLUDE global/textarea.html.tmpl
+ minrows = 10
+ cols = 80
+ defaultcontent = a.data
+ readonly = 'readonly'
+ classes = 'viewall_frame'
+ %]
+ [% ELSE %]
+
+ [% END %]
 [% ELSE %]

Attachment cannot be viewed because its MIME type is not text/*, image/*, or application/vnd.mozilla.*. -- cgit v1.2.3-24-g4f1b
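Review bot: The new guard `[% IF a.contenttype == "text/html" %]` is an exact, case-sensitive match on a single type, so every other attachment that passes `a.is_viewable` still falls through to the `[% ELSE %]` branch and is embedded as before (the embedding markup itself is not visible on this page). Per the message at the end of this hunk, viewable covers all of text/* and image/*, which presumably includes other types a browser renders as active markup (for example `image/svg+xml` or `text/xml`), as well as any `Text/HTML` or parameterised spelling if the stored type is not normalised, which cannot be seen from here. Consider inverting the test into an allowlist of types that are safe to embed, or at least matching a lower-cased type against a list, e.g. `[% IF a.contenttype.lower.match('^(text/html|text/xml|image/svg\+xml)') %]`. It is also worth confirming that `global/textarea.html.tmpl` HTML-filters `defaultcontent`, since `a.data` is uploader-controlled markup. The enclosing `[% IF a.is_viewable %]` block is closed outside the hunk.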