From 085c32acdac27c99549dfb1bef50ccb8c3949294 Mon Sep 17 00:00:00 2001
From: Israel Madueme <purelogiq@gmail.com>
Date: Mon, 19 Mar 2018 10:57:17 -0400
Subject: Bug 1440328 - Obfuscate mentor email for users that aren't logged in

---
 template/en/default/bug/activity/table.html.tmpl | 1 +
 1 file changed, 1 insertion(+)

(limited to 'template')

diff --git a/template/en/default/bug/activity/table.html.tmpl b/template/en/default/bug/activity/table.html.tmpl
index 50193f894..101e43546 100644
--- a/template/en/default/bug/activity/table.html.tmpl
+++ b/template/en/default/bug/activity/table.html.tmpl
@@ -107,6 +107,7 @@
                change.fieldname == 'reporter' ||
                change.fieldname == 'qa_contact' ||
                change.fieldname == 'cc' ||
+               change.fieldname == 'bug_mentor' ||
                change.fieldname == 'flagtypes.name' %]
         [% display_value(change.fieldname, change_type) FILTER email FILTER html %]
       [% ELSE %]
-- 
cgit v1.2.3-24-g4f1b


From 40023c4a9f7d949f623b3b6fa90c9cbf5dfc2351 Mon Sep 17 00:00:00 2001
From: Dylan William Hardison <dylan@hardison.net>
Date: Tue, 20 Mar 2018 10:06:20 -0400
Subject: Bug 1444008 - Form action injection in Bugzilla /user_profile (leads
 to XSS/single-factor credential leakage)

---
 template/en/default/account/auth/login.html.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'template')

diff --git a/template/en/default/account/auth/login.html.tmpl b/template/en/default/account/auth/login.html.tmpl
index 160fad43b..c11a6afc1 100644
--- a/template/en/default/account/auth/login.html.tmpl
+++ b/template/en/default/account/auth/login.html.tmpl
@@ -42,7 +42,7 @@
 </p>
 
 <div id="login" class="login-form">
-  <form name="login" action="[% target FILTER html %]" method="POST"
+  <form name="login" action="[% urlbase %][% target FILTER uri FILTER html %]" method="POST"
         [%- IF Bugzilla.cgi.param("data") %] enctype="multipart/form-data"[% END %]>
     <div class="field-login">
       <label for="Bugzilla_login">Email Address:</label>
-- 
cgit v1.2.3-24-g4f1b


From 24eeb9e547d9a49838dea6c796ede1ce2bcbd5f3 Mon Sep 17 00:00:00 2001
From: Dylan William Hardison <dylan@hardison.net>
Date: Wed, 21 Mar 2018 09:30:20 -0400
Subject: Bug 1444008 - Fix sanity tests for unfiltered urlbase

---
 template/en/default/account/auth/login.html.tmpl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'template')

diff --git a/template/en/default/account/auth/login.html.tmpl b/template/en/default/account/auth/login.html.tmpl
index c11a6afc1..8cf5e85ef 100644
--- a/template/en/default/account/auth/login.html.tmpl
+++ b/template/en/default/account/auth/login.html.tmpl
@@ -42,7 +42,7 @@
 </p>
 
 <div id="login" class="login-form">
-  <form name="login" action="[% urlbase %][% target FILTER uri FILTER html %]" method="POST"
+  <form name="login" action="[% urlbase FILTER html %][% target FILTER uri FILTER html %]" method="POST"
         [%- IF Bugzilla.cgi.param("data") %] enctype="multipart/form-data"[% END %]>
     <div class="field-login">
       <label for="Bugzilla_login">Email Address:</label>
-- 
cgit v1.2.3-24-g4f1b


From 9356ed8882760e0b724db963a0dff8f8d1943450 Mon Sep 17 00:00:00 2001
From: Israel Madueme <purelogiq@gmail.com>
Date: Wed, 21 Mar 2018 17:00:33 -0400
Subject: Bug 1447669 - Add localconfig parameter for changing shadowdb user
 and pass

---
 template/en/default/setup/strings.txt.pl | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'template')

diff --git a/template/en/default/setup/strings.txt.pl b/template/en/default/setup/strings.txt.pl
index 9de426972..5fc860519 100644
--- a/template/en/default/setup/strings.txt.pl
+++ b/template/en/default/setup/strings.txt.pl
@@ -268,6 +268,12 @@ END
     localconfig_apache_size_limit => <<EOT,
 This is the max amount of unshared memory the apache process is allowed to use
 before Apache::SizeLimit kills it. This is only applicable when run under mod_perl.
+EOT
+    localconfig_shadowdb_user => <<EOT,
+The username used to authenticate to the shadow db. 
+EOT
+    localconfig_shadowdb_pass => <<EOT,
+The password used to authenticate to the shadow db.
 EOT
     max_allowed_packet => <<EOT,
 WARNING: You need to set the max_allowed_packet parameter in your MySQL
-- 
cgit v1.2.3-24-g4f1b


From 3890e90e2fa0efd0e31c519814c7169f34b52a4e Mon Sep 17 00:00:00 2001
From: Israel Madueme <purelogiq@gmail.com>
Date: Thu, 29 Mar 2018 13:42:05 -0400
Subject: Bug 1200695 - API-key-creation emails should reflect if the action
 was a result of auth delegation

---
 template/en/default/email/new-api-key.txt.tmpl | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'template')

diff --git a/template/en/default/email/new-api-key.txt.tmpl b/template/en/default/email/new-api-key.txt.tmpl
index 4a03fe800..aed904def 100644
--- a/template/en/default/email/new-api-key.txt.tmpl
+++ b/template/en/default/email/new-api-key.txt.tmpl
@@ -26,9 +26,17 @@ or update the key at the following URL:
 
 [%+ urlbase %]userprefs.cgi?tab=apikey
 
+[% IF new_key.app_id == Param('mozreview_app_id') %]
+This API key was automatically created by MozReview. If you did not recently log in to
+MozReview, please disable the key at the above URL, and change your password immediately.
+[% ELSIF new_key.app_id == Param('phabricator_app_id') %]
+This API key was automatically created by Mozilla's Phabricator instance. If you did not recently
+log in to Phabricator, please disable the key at the above URL, and change your password immediately.
+[% ELSE %]
 IMPORTANT: If you did not request a new key, your [% terms.Bugzilla %] account
 may have been compromised. In this case, please disable the key at the above
 URL, and change your password immediately.
+[% END %]
 
 For security reasons, we have not included your new key in this e-mail.
 
-- 
cgit v1.2.3-24-g4f1b