From fbb0dd18cbf1ddf2e63c2db7c0bce98001a704ea Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Tue, 13 Nov 2012 18:09:30 +0100 Subject: Bug 731178 (CVE-2012-4199): [SECURITY] field-events.js.tmpl discloses product and component names that the user is not allowed to see r=dkl a=LpSolit --- template/en/default/bug/edit.html.tmpl | 12 ++++++------ template/en/default/bug/field-events.js.tmpl | 18 +++++++++++++++--- 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/template/en/default/bug/edit.html.tmpl b/template/en/default/bug/edit.html.tmpl index bdee83806..fbc6e4a96 100644 --- a/template/en/default/bug/edit.html.tmpl +++ b/template/en/default/bug/edit.html.tmpl @@ -30,9 +30,8 @@ [% PROCESS bug/time.html.tmpl %] - +[% END %] +//--> +
diff --git a/template/en/default/bug/field-events.js.tmpl b/template/en/default/bug/field-events.js.tmpl index 13ec18d38..f1d5afd32 100644 --- a/template/en/default/bug/field-events.js.tmpl +++ b/template/en/default/bug/field-events.js.tmpl @@ -24,11 +24,23 @@ #%] [% FOREACH controlled_field = field.controls_visibility_of %] + [% vis_names = [] %] + [% FOREACH visibility_value = controlled_field.visibility_values %] + [%# Exclude non-enterable products and components outside the current product. %] + [% NEXT IF field.name == "product" + && visibility_value.id != product.id + && !user.can_enter_product(visibility_value) %] + [% NEXT IF field.name == "component" && visibility_value.product_id != product.id %] + [% vis_names.push(visibility_value.name) %] + [% END %] + + [% NEXT UNLESS vis_names.size %] + showFieldWhen('[% controlled_field.name FILTER js %]', '[% field.name FILTER js %]', [ - [%- FOREACH visibility_value = controlled_field.visibility_values -%] - '[%- visibility_value.name FILTER js -%]'[% "," UNLESS loop.last %] - [%- END %] + [%~ FOREACH vis_name = vis_names ~%] + '[% vis_name FILTER js %]'[% "," UNLESS loop.last %] + [%~ END ~%] ]); [% END %] -- cgit v1.2.3-24-g4f1b