From 26728e3c1659d7831e5a05ae26f929854ab7796c Mon Sep 17 00:00:00 2001 From: David Lawrence Date: Thu, 24 Jul 2014 16:56:58 +0000 Subject: Bump version to 4.2.10 --- Bugzilla/Constants.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Bugzilla') diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm index 778870e5f..777d8ce7d 100644 --- a/Bugzilla/Constants.pm +++ b/Bugzilla/Constants.pm @@ -202,7 +202,7 @@ use Memoize; # CONSTANTS # # Bugzilla version -use constant BUGZILLA_VERSION => "4.2.9+"; +use constant BUGZILLA_VERSION => "4.2.10"; # Location of the remote and local XML files to track new releases. use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml'; -- cgit v1.2.3-24-g4f1b From f0760dd1c4ce87bf7fa5f8ce70cc7c8a45041a6b Mon Sep 17 00:00:00 2001 From: Simon Green Date: Thu, 24 Jul 2014 17:26:23 +0000 Subject: Bug 1036213 - (CVE-2014-1546) add '/**/' before jsonrpc.cgi callback to avoid swf content type sniff vulnerability r=glob,a=sgreen --- Bugzilla/WebService/Server/JSONRPC.pm | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'Bugzilla') diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm index cec1c29ea..373aa4fe0 100644 --- a/Bugzilla/WebService/Server/JSONRPC.pm +++ b/Bugzilla/WebService/Server/JSONRPC.pm @@ -91,8 +91,9 @@ sub response { # Implement JSONP. if (my $callback = $self->_bz_callback) { my $content = $response->content; - $response->content("$callback($content)"); - + # Prepend the JSONP response with /**/ in order to protect + # against possible encoding attacks (e.g., affecting Flash). + $response->content("/**/$callback($content)"); } # Use $cgi->header properly instead of just printing text directly. -- cgit v1.2.3-24-g4f1b From de260ab8ecc7dfa27ccdb3bd98d0eff47bc6d3ca Mon Sep 17 00:00:00 2001 
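Review bot: The `/**/` prefix on the `$response->content("/**/$callback($content)")` line only defeats content-type sniffing if the interpolated `$callback` is already restricted to JavaScript identifier characters; whatever restriction exists lives where `_bz_callback` is populated, which is not in this hunk, so it should be confirmed rather than assumed. Because the prefix is a deliberate, easily "cleaned up" defence, the new comment would be more useful if it also recorded that dependency, e.g. `# Relies on _bz_callback having been validated to identifier characters only.` The enclosing `response` sub continues outside the hunk.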
From: David Lawrence Date: Thu, 24 Jul 2014 17:29:05 +0000 Subject: Bump to version 4.2.10 (corrected) --- Bugzilla/Constants.pm | 1 + 1 file changed, 1 insertion(+) (limited to 'Bugzilla') diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm index 777d8ce7d..cd49bfb18 100644 --- a/Bugzilla/Constants.pm +++ b/Bugzilla/Constants.pm @@ -204,6 +204,7 @@ use Memoize; # Bugzilla version use constant BUGZILLA_VERSION => "4.2.10"; + # Location of the remote and local XML files to track new releases. use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml'; use constant LOCAL_FILE => 'bugzilla-update.xml'; # Relative to datadir. -- cgit v1.2.3-24-g4f1b From 48fa3154ff61647f9935106885845e28b38a5910 Mon Sep 17 00:00:00 2001 From: David Lawrence Date: Thu, 24 Jul 2014 21:40:52 +0000 Subject: Bump version post-release --- Bugzilla/Constants.pm | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'Bugzilla') diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm index cd49bfb18..fd110dc3a 100644 --- a/Bugzilla/Constants.pm +++ b/Bugzilla/Constants.pm @@ -202,8 +202,7 @@ use Memoize; # CONSTANTS # # Bugzilla version -use constant BUGZILLA_VERSION => "4.2.10"; - +use constant BUGZILLA_VERSION => "4.2.10+"; # Location of the remote and local XML files to track new releases. use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml'; -- cgit v1.2.3-24-g4f1b From ce590bf022ef6c2fc0c0c902d773ec7a53e7e4ad Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Mon, 6 Oct 2014 14:25:06 +0000 Subject: Bug 1075578: [SECURITY] Improper filtering of CGI arguments r=dkl,a=sgreen --- Bugzilla/Attachment.pm | 13 +++++++------ Bugzilla/Chart.pm | 7 +++---- 2 files changed, 10 insertions(+), 10 deletions(-) (limited to 'Bugzilla') diff --git a/Bugzilla/Attachment.pm b/Bugzilla/Attachment.pm index 69939a657..fa8845358 100644 --- a/Bugzilla/Attachment.pm +++ b/Bugzilla/Attachment.pm 
@@ -911,10 +911,12 @@ sub get_content_type { return 'text/plain' if ($cgi->param('ispatch') || $cgi->param('attach_text')); my $content_type; - if (!defined $cgi->param('contenttypemethod')) { + my $method = $cgi->param('contenttypemethod'); + + if (!defined $method) { ThrowUserError("missing_content_type_method"); } - elsif ($cgi->param('contenttypemethod') eq 'autodetect') { + elsif ($method eq 'autodetect') { defined $cgi->upload('data') || ThrowUserError('file_not_specified'); # The user asked us to auto-detect the content type, so use the type # specified in the HTTP request headers. @@ -935,18 +937,17 @@ sub get_content_type { $content_type = 'image/png'; } } - elsif ($cgi->param('contenttypemethod') eq 'list') { + elsif ($method eq 'list') { # The user selected a content type from the list, so use their # selection. $content_type = $cgi->param('contenttypeselection'); } - elsif ($cgi->param('contenttypemethod') eq 'manual') { + elsif ($method eq 'manual') { # The user entered a content type manually, so use their entry. $content_type = $cgi->param('contenttypeentry'); } else { - ThrowCodeError("illegal_content_type_method", - { contenttypemethod => $cgi->param('contenttypemethod') }); + ThrowCodeError("illegal_content_type_method", { contenttypemethod => $method }); } return $content_type; } diff --git a/Bugzilla/Chart.pm b/Bugzilla/Chart.pm index dfbf32a51..8fd4706e4 100644 --- a/Bugzilla/Chart.pm +++ b/Bugzilla/Chart.pm @@ -110,10 +110,9 @@ sub init { if ($self->{'datefrom'} && $self->{'dateto'} && $self->{'datefrom'} > $self->{'dateto'}) { - ThrowUserError("misarranged_dates", - {'datefrom' => $cgi->param('datefrom'), - 'dateto' => $cgi->param('dateto')}); - } + ThrowUserError('misarranged_dates', { 'datefrom' => scalar $cgi->param('datefrom'), + 'dateto' => scalar $cgi->param('dateto') }); + } } # Alter Chart so that the selected series are added to it. -- cgit v1.2.3-24-g4f1b From 976dc12e4ed769bc02ffeb2be03bb1720e885135 Mon Sep 17 00:00:00 2001 
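Review bot: The reason for reading `contenttypemethod` once into `my $method` in `get_content_type` is not recorded, and the same fix appears without explanation in the Chart.pm `init` hunk as `scalar $cgi->param(...)`; both guard hash constructors against `CGI::param()` returning a list, which a later reader could easily undo by reverting to the direct call. Suggest a comment at the new `my $method = $cgi->param('contenttypemethod');` line: `# Read once into a scalar: param() in list context can return several values and corrupt the hash passed to ThrowCodeError below.` and a matching one-liner above the `ThrowUserError('misarranged_dates', ...)` call in Chart.pm. `get_content_type` starts before its first hunk, and `init` starts and ends outside its hunk.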
From: Simon Green Date: Mon, 6 Oct 2014 14:42:40 +0000 Subject: Bug 1064140: [SECURITY] Private comments can be shown to flagmail recipients who aren't in the insider group r=glob,a=glob --- Bugzilla/Bug.pm | 15 +++++++++------ Bugzilla/Flag.pm | 28 +++++++++++++++++++++------- 2 files changed, 30 insertions(+), 13 deletions(-) (limited to 'Bugzilla') diff --git a/Bugzilla/Bug.pm b/Bugzilla/Bug.pm index 7b86ab2a1..90bd8b66d 100644 --- a/Bugzilla/Bug.pm +++ b/Bugzilla/Bug.pm @@ -908,12 +908,6 @@ sub update { join(', ', @added_names)]; } - # Flags - my ($removed, $added) = Bugzilla::Flag->update_flags($self, $old_bug, $delta_ts); - if ($removed || $added) { - $changes->{'flagtypes.name'} = [$removed, $added]; - } - # Comments foreach my $comment (@{$self->{added_comments} || []}) { # Override the Comment's timestamp to be identical to the update @@ -936,6 +930,9 @@ sub update { Bugzilla->user->id, $delta_ts, $comment->id); } + # Clear the cache of comments + delete $self->{comments}; + # Insert the values into the multiselect value tables my @multi_selects = grep {$_->type == FIELD_TYPE_MULTI_SELECT} Bugzilla->active_custom_fields; @@ -971,6 +968,12 @@ sub update { $_->update foreach @{ $self->{_update_ref_bugs} || [] }; delete $self->{_update_ref_bugs}; + # Flags + my ($removed, $added) = Bugzilla::Flag->update_flags($self, $old_bug, $delta_ts); + if ($removed || $added) { + $changes->{'flagtypes.name'} = [$removed, $added]; + } + # Log bugs_activity items # XXX Eventually, when bugs_activity is able to track the dupe_id, # this code should go below the duplicates-table-updating code below. diff --git a/Bugzilla/Flag.pm b/Bugzilla/Flag.pm index a727532a6..b687532c0 100644 --- a/Bugzilla/Flag.pm +++ b/Bugzilla/Flag.pm 
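Review bot: The new `delete $self->{comments};` and the relocated `Bugzilla::Flag->update_flags` block in `update` are order-dependent — the cache is cleared after the comment insert loop and flags are updated only afterwards — but nothing in the code records that, so a future reordering could silently reintroduce the disclosure this commit fixes. Suggest a comment on the delete: `# Drop the cached comment list so the flag update below sees this update's comments.` and one above the moved block: `# Flags (must run after comments are inserted and the comment cache is cleared).` That dependency is inferred from the commit subject and the companion Flag.pm change; confirm against `Bugzilla::Flag->notify`. `update` starts before the first hunk and ends after the last.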
@@ -975,18 +975,32 @@ sub notify { $default_lang = Bugzilla::User->new()->setting('lang'); } + # Get comments on the bug + my $all_comments = $bug->comments({ after => $bug->lastdiffed }); + @$all_comments = grep { $_->type || $_->body =~ /\S/ } @$all_comments; + + # Get public only comments + my $public_comments = [ grep { !$_->is_private } @$all_comments ]; + foreach my $to (keys %recipients) { # Add threadingmarker to allow flag notification emails to be the # threaded similar to normal bug change emails. my $thread_user_id = $recipients{$to} ? $recipients{$to}->id : 0; - my $vars = { 'flag' => $flag, - 'old_flag' => $old_flag, - 'to' => $to, - 'date' => $timestamp, - 'bug' => $bug, - 'attachment' => $attachment, - 'threadingmarker' => build_thread_marker($bug->id, $thread_user_id) }; + # We only want to show private comments to users in the is_insider group + my $comments = $recipients{$to} && $recipients{$to}->is_insider + ? $all_comments : $public_comments; + + my $vars = { + flag => $flag, + old_flag => $old_flag, + to => $to, + date => $timestamp, + bug => $bug, + attachment => $attachment, + threadingmarker => build_thread_marker($bug->id, $thread_user_id), + new_comments => $comments, + }; my $lang = $recipients{$to} ? $recipients{$to}->setting('lang') : $default_lang; -- cgit v1.2.3-24-g4f1b From 0ec036b02e033a63deacd9a7ca8af7c77394c45f Mon Sep 17 00:00:00 2001 From: Simon Green Date: Mon, 6 Oct 2014 15:01:03 +0000 Subject: Bug 1054702: CSV export vulnerable to formulae injection r=glob,a=glob --- Bugzilla/Template.pm | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'Bugzilla') diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index 98be21d55..7fd3f0e8d 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm 
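Review bot: `@$all_comments = grep { ... } @$all_comments;` filters the array in place through the reference returned by `$bug->comments`; if that method returns its internal cached arrayref (the companion Bug.pm change deleting `$self->{comments}` suggests the list is cached), this silently strips empty comments from the bug object for every later caller in the same request. Building a fresh list avoids the side effect: `my $all_comments = [ grep { $_->type || $_->body =~ /\S/ } @{ $bug->comments({ after => $bug->lastdiffed }) } ];`. The insider check correctly falls back to `$public_comments` whenever `$recipients{$to}` is false, so unknown recipients fail closed. `notify` continues outside the hunk on both sides.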
@@ -738,10 +738,12 @@ sub create { }, # In CSV, quotes are doubled, and any value containing a quote or a - # comma is enclosed in quotes. + # comma is enclosed in quotes. If a field starts with an equals + # sign, it is proceed by a space. csv => sub { my ($var) = @_; + $var = ' ' . $var if substr($var, 0, 1) eq '='; $var =~ s/\"/\"\"/g; if ($var !~ /^-?(\d+\.)?\d*$/) { $var = "\"$var\""; -- cgit v1.2.3-24-g4f1b From 3e1e67bed36bbe454c654f1e0a16ce73e724a5e0 Mon Sep 17 00:00:00 2001 From: David Lawrence Date: Mon, 6 Oct 2014 15:21:27 +0000 Subject: Bump version to 4.2.11 --- Bugzilla/Constants.pm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'Bugzilla') diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm index fd110dc3a..862c18917 100644 --- a/Bugzilla/Constants.pm +++ b/Bugzilla/Constants.pm @@ -202,7 +202,7 @@ use Memoize; # CONSTANTS # # Bugzilla version -use constant BUGZILLA_VERSION => "4.2.10+"; +use constant BUGZILLA_VERSION => "4.2.11"; # Location of the remote and local XML files to track new releases. use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml'; -- cgit v1.2.3-24-g4f1b
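Review bot: The new guard in the `csv` filter only neutralises values beginning with `=`, but spreadsheet applications also evaluate cells starting with `+` and `@` (and, in some cases, `-`) as formulas, so those still pass through unchanged. Extending the check to `$var = ' ' . $var if $var =~ /\A[=+@]/;` covers the unambiguous cases; `-` needs care because the numeric regex that follows deliberately leaves negative numbers such as `-5` unquoted, so it should only be prefixed when the value is not purely numeric. The added comment also has a typo: "it is proceed by a space" should read "it is preceded by a space". The enclosing `create` sub and the `csv => sub` continue outside the hunk.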