From e3209457f2d4a6a134d73d0f0e5069ccfc8f88d0 Mon Sep 17 00:00:00 2001
From: Dylan William Hardison
Date: Thu, 26 Jan 2017 12:54:38 -0500
Subject: Bug 1334158 - Lightbox images CSP error on bug modal

---
 Bugzilla/CGI.pm | 11 ++++++++++-
 attachment.cgi | 6 +++---
 post_bug.cgi | 2 +-
 process_bug.cgi | 3 ++-
 show_bug.cgi | 12 ++++++++----
 5 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 91dec7e72..556d91441 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -52,9 +52,11 @@ use constant DEFAULT_CSP => (
 # normally the policy would just live in one .cgi file.
 # Additionally, correct_urlbase() cannot be called at compile time, so this can't be a constant.
 sub SHOW_BUG_MODAL_CSP {
- return (
+ my ($bug_id) = @_;
+ my %policy = (
 script_src => ['self', 'nonce', 'unsafe-inline', 'unsafe-eval' ],
 object_src => [correct_urlbase() . "extensions/BugModal/web/ZeroClipboard/ZeroClipboard.swf"],
+ img_src => [ 'self', 'https://secure.gravatar.com' ],
 connect_src => [
 'self',
 # This is from extensions/OrangeFactor/web/js/orange_factor.js
@@ -66,6 +68,13 @@ sub SHOW_BUG_MODAL_CSP {
 'https://ashughes1.github.io/bugzilla-socorro-lens/chart.htm'
 ],
 );
+ if (use_attachbase() && $bug_id) {
+ my $attach_base = Bugzilla->params->{'attachment_base'};
+ $attach_base =~ s/\%bugid\%/$bug_id/g;
+ push @{ $policy{img_src} }, $attach_base;
+ }
+
+ return %policy;
 }
 sub _init_bz_cgi_globals {
diff --git a/attachment.cgi b/attachment.cgi
index d228c9c7f..53c817d08 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -633,7 +633,7 @@ sub insert {
 Bugzilla::Hook::process('show_bug_format', $show_bug_format);
 if ($show_bug_format->{format} eq 'modal') {
- $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
+ $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bugid));
 }
 print $cgi->header();
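Review bot: The new `$bug_id` parameter of SHOW_BUG_MODAL_CSP is undocumented; the comment block above the sub explains why it is a sub rather than a constant but says nothing about the argument or its effect on the policy. Add `# $bug_id (optional): numeric id of the bug being shown; when set and attachment_base is in use, the per-bug attachment host is appended to img-src` above `my ($bug_id) = @_;`. The added `img_src` entry also turns a previously implicit image policy (whatever DEFAULT_CSP's default falls back to, not visible here) into an explicit 'self' + gravatar allowlist, so any other image origin the modal relies on would now be blocked — worth confirming against the templates. The sub's closing brace is in the next hunk.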
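Review bot: `$attach_base =~ s/\%bugid\%/$bug_id/g;` interpolates the caller-supplied `$bug_id` into a value that is emitted in the Content-Security-Policy response header, but the guard `if (use_attachbase() && $bug_id)` only tests truthiness, so the sub relies on each caller having validated the id (show_bug.cgi detaints it; attachment.cgi's insert() passes a bare `$bugid`). Validating once here keeps a non-numeric value out of the header no matter which caller is added next: `if (use_attachbase() && defined $bug_id && $bug_id =~ /\A\d+\z/) {`. `return %policy;` hands back the hash flattened to a key/value list, which presumably matches what content_security_policy() accepted from the old list-returning version; a short comment such as `# flattened to the key/value list the old return ( ... ) produced` would record that.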
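Review bot: insert() passes `$bugid` to SHOW_BUG_MODAL_CSP while the update() and delete_attachment() hunks below pass `$bug->id`; `$bugid` is defined outside this hunk, and if it is the raw `bugid` CGI parameter rather than the id of a checked Bugzilla::Bug object, an unvalidated string would reach the img-src entry the sub builds from it. Using the checked object's id, `$cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bug->id));`, would keep the three call sites consistent; if no `$bug` object is in scope here, a comment stating where `$bugid` was validated would do.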
@@ -797,7 +797,7 @@ sub update {
 Bugzilla::Hook::process('show_bug_format', $show_bug_format);
 if ($show_bug_format->{format} eq 'modal') {
- $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
+ $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bug->id));
 }
 print $cgi->header();
@@ -872,7 +872,7 @@ sub delete_attachment {
 Bugzilla::Hook::process('show_bug_format', $show_bug_format);
 if ($show_bug_format->{format} eq 'modal') {
- $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
+ $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bug->id));
 }
 print $cgi->header();
diff --git a/post_bug.cgi b/post_bug.cgi
index bbba125c1..238ff6e1a 100755
--- a/post_bug.cgi
+++ b/post_bug.cgi
@@ -265,7 +265,7 @@ $format = $template->get_format("bug/create/created",
 $cgi->delete('format');
 if ($user->setting('ui_experiments') eq 'on') {
- Bugzilla->cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
+ Bugzilla->cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bug->id));
 }
 print $cgi->header();
 $template->process($format->{'template'}, $vars)
diff --git a/process_bug.cgi b/process_bug.cgi
index ac8e32c53..49ac28fc0 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -420,7 +420,8 @@ my $format_params = {
 };
 Bugzilla::Hook::process('show_bug_format', $format_params);
 if ($format_params->{format} eq 'modal') {
- $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
+ my $bug_id = $vars->{bug} ? $vars->{bug}->id : undef;
+ $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bug_id));
 }
 my $format = $template->get_format("bug/show", $format_params->{format},
diff --git a/show_bug.cgi b/show_bug.cgi
index d4e6ea771..d2695a66f 100755
--- a/show_bug.cgi
+++ b/show_bug.cgi
@@ -20,6 +20,7 @@ use Bugzilla::Keyword;
 use Bugzilla::Bug;
 use Bugzilla::Hook;
 use Bugzilla::CGI;
+use Bugzilla::Util qw(detaint_natural);
 my $cgi = Bugzilla->cgi;
 my $template = Bugzilla->template;
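Review bot: In process_bug.cgi, when `$vars->{bug}` is unset the new line passes undef and the policy is emitted without the attachment host; if that path can still render the modal for a bug, the lightbox would hit the same CSP violation this commit fixes. The enclosing logic starts outside the hunk, so which case leaves `$vars->{bug}` empty is not visible here; a comment on the new line naming it, e.g. `# no single bug in $vars (multi-bug update): emit the policy without a per-bug attachment host`, adjusted to what the code above actually does, would make the fallback intentional rather than accidental.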
@@ -37,10 +38,6 @@ my $format = $template->get_format("bug/show", $format_params->{format},
 $format_params->{ctype});
-if ($format_params->{format} eq 'modal') {
- $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
-}
-
 # Editable, 'single' HTML bugs are treated slightly specially in a few places
 my $single = (!$format->{format} || $format->{format} ne 'multiple')
 && $format->{extension} eq 'html';
@@ -53,6 +50,13 @@ if (!$cgi->param('id') && $single) {
 exit;
 }
+if ($format_params->{format} eq 'modal') {
+ my $bug_id = $cgi->param('id');
+ detaint_natural($bug_id);
+ $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bug_id));
+}
+
+
 my @bugs;
 my %marks;
-- 
cgit v1.2.3-24-g4f1b
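Review bot: The return value of `detaint_natural($bug_id);` is discarded, so what reaches SHOW_BUG_MODAL_CSP for a non-numeric `id` depends entirely on detaint_natural's side effect on its argument (Bugzilla::Util's implementation replaces it with undef on mismatch, but that is not visible here). Making the contract explicit keeps any non-numeric id out of the header regardless of that implementation: `$bug_id = undef unless detaint_natural($bug_id);`. The header is computed before the id is resolved to a bug further down, so this is the only validation protecting the header value at this point. The two trailing `+` blank lines leave a double blank before `my @bugs;`; one is enough.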