From 1b925f4bdf4fef4b0f6a115223d6d1bb68ece52f Mon Sep 17 00:00:00 2001
From: Frédéric Buclin <LpSolit@gmail.com>
Date: Tue, 13 Nov 2012 18:06:13 +0100
Subject: Bug 731178 (CVE-2012-4199): [SECURITY] field-events.js.tmpl discloses
 product and component names that the user is not allowed to see r=dkl
 a=LpSolit

---
 template/en/default/bug/edit.html.tmpl       | 11 ++++++-----
 template/en/default/bug/field-events.js.tmpl | 18 +++++++++++++++---
 2 files changed, 21 insertions(+), 8 deletions(-)

(limited to 'template')

diff --git a/template/en/default/bug/edit.html.tmpl b/template/en/default/bug/edit.html.tmpl
index e11e244f6..de9afb56c 100644
--- a/template/en/default/bug/edit.html.tmpl
+++ b/template/en/default/bug/edit.html.tmpl
@@ -8,8 +8,8 @@
 
 [% PROCESS bug/time.html.tmpl %]
 
-  <script type="text/javascript">
-  <!--
+<script type="text/javascript">
+<!--
 [% IF user.is_timetracker %]
   var fRemainingTime = [% bug.remaining_time %]; // holds the original value
   function adjustRemainingTime() {
@@ -30,6 +30,7 @@
   }
 [% END %]
 
+[% IF user.id %]
   /* Index all classifications so we can keep track of the classification
    * for the selected product, which could control field visibility.
    */
@@ -38,9 +39,9 @@
       all_classifications['[% product.name FILTER js %]'] = '
           [%- product.classification.name FILTER js %]';
   [%- END %]
-
-  //-->
-  </script>
+[% END %]
+//-->
+</script>
 
 <form name="changeform" id="changeform" method="post" action="process_bug.cgi">
 
diff --git a/template/en/default/bug/field-events.js.tmpl b/template/en/default/bug/field-events.js.tmpl
index 003391c34..d37f4257c 100644
--- a/template/en/default/bug/field-events.js.tmpl
+++ b/template/en/default/bug/field-events.js.tmpl
@@ -13,11 +13,23 @@
   #%]
 
 [% FOREACH controlled_field = field.controls_visibility_of %]
+  [% vis_names = [] %]
+  [% FOREACH visibility_value = controlled_field.visibility_values %]
+    [%# Exclude non-enterable products and components outside the current product. %]
+    [% NEXT IF field.name == "product"
+               && visibility_value.id != product.id
+               && !user.can_enter_product(visibility_value) %]
+    [% NEXT IF field.name == "component" && visibility_value.product_id != product.id %]
+    [% vis_names.push(visibility_value.name) %]
+  [% END %]
+
+  [% NEXT UNLESS vis_names.size %]
+
   showFieldWhen('[% controlled_field.name FILTER js %]',
                 '[% field.name FILTER js %]', [
-  [%- FOREACH visibility_value = controlled_field.visibility_values -%]
-    '[%- visibility_value.name FILTER js -%]'[% "," UNLESS loop.last %]
-  [%- END %]
+                [%~ FOREACH vis_name = vis_names ~%]
+                  '[% vis_name FILTER js %]'[% "," UNLESS loop.last %]
+                [%~ END ~%]
   ]);
 [% END %]
 
-- 
cgit v1.2.3-24-g4f1b