From fa954ab78cc60aba43aedb85e2b4f98d56d7bf9d Mon Sep 17 00:00:00 2001 From: Simon Green Date: Mon, 6 Oct 2014 14:49:38 +0000 Subject: Bug 1064140: [SECURITY] Private comments can be shown to flagmail recipients who aren't in the insider group r=glob,a=glob --- template/en/default/email/flagmail.txt.tmpl | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) (limited to 'template/en/default/email') diff --git a/template/en/default/email/flagmail.txt.tmpl b/template/en/default/email/flagmail.txt.tmpl index d0e1395e2..cf64d9661 100644 --- a/template/en/default/email/flagmail.txt.tmpl +++ b/template/en/default/email/flagmail.txt.tmpl @@ -68,11 +68,14 @@ Attachment [% attidsummary %] [%- FILTER bullet = wrap(80) %] -[% USE Bugzilla %] -[%-# .defined is necessary to avoid a taint issue, see bug 509794. %] -[% IF Bugzilla.cgi.param("comment").defined && Bugzilla.cgi.param("comment").length > 0 %] -------- Additional Comments from [% user.identity %] -[%+ Bugzilla.cgi.param("comment") FILTER strip_control_chars %] +[% FOREACH comment = new_comments %] + +[%- IF comment.count %] +--- Comment #[% comment.count %] from [% comment.author.identity %] --- +[% ELSE %] +--- Description --- +[% END %] +[%+ comment.body_full({ is_bugmail => 1, wrap => 1 }) FILTER strip_control_chars %] [% END %] [%- END %] -- cgit v1.2.3-24-g4f1b
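Review bot: Nothing in the new `[% FOREACH comment = new_comments %]` loop checks whether a comment is private, so the fix depends entirely on the caller passing a `new_comments` list already filtered for the recipient of this particular mail. That filtering is not visible on this page, which is limited to `template/en/default/email`, so it presumably lives in the code that builds the template variables. I would record the contract at the top of the loop with a template comment such as `[%# new_comments must already be filtered per recipient: private comments only when the recipient is in the insider group %]`. A regression test that sends flagmail to a non-insider on a bug with a private comment would also keep a later caller from passing an unfiltered list. The removed lines explained the `.defined` taint workaround in a comment; the replacement has no comment explaining the `is_bugmail => 1, wrap => 1` arguments to `body_full`, and one line on why they are passed would help.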