From f3b17d9f5351d9eca8d2c7f0feb272432fc398c9 Mon Sep 17 00:00:00 2001
From: Frédéric Buclin <LpSolit@gmail.com>
Date: Sat, 12 Oct 2013 00:13:42 +0200
Subject: Bug 912640: Release notes for Bugzilla 4.2.7 r=dkl a=LpSolit

---
 template/en/default/pages/release-notes.html.tmpl | 30 +++++++++++++++++++++++
 1 file changed, 30 insertions(+)

(limited to 'template')

diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl
index 3d5b36b45..ebc08afb1 100644
--- a/template/en/default/pages/release-notes.html.tmpl
+++ b/template/en/default/pages/release-notes.html.tmpl
@@ -53,6 +53,36 @@
 
 <h2 id="v42_point">Updates in this 4.2.x Release</h2>
 
+<h3>4.2.7</h3>
+
+<p>This release fixes several security issues. See the
+  <a href="http://www.bugzilla.org/security/4.0.10/">Security Advisory</a>
+  for details.</p>
+
+<p>In addition, the following [% terms.bugs %] have been fixed in this release:</p>
+
+<ul>
+  <li>Internet Explorer 11 and KHTML-based browsers such as Konqueror can now
+    display buglists correctly.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=902515">[% terms.Bug %] 902515</a> and
+    <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=914262">[% terms.bug %] 914262</a>)</li>
+  <li>When the <kbd>password_complexity</kbd> parameter was set to
+    'letters_numbers_specialchars', passwords containing numbers and special
+    characters only were accepted. Now it makes sure that a letter is also present.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=897264">[% terms.Bug %] 897264</a>)</li>
+  <li>With DB servers doing case-insensitive comparisons, such as MySQL, tokens
+    and login cookies were not correctly validated as the case was ignored.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=906745">[% terms.Bug %] 906745</a> and
+    <a href="https://bugzilla.mozilla.org/show_bug.cgi?id=907438">[% terms.bug %] 907438</a>)</li>
+  <li>All security headers (such as X-Frame-Options) are now returned when using XML-RPC.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=787328">[% terms.Bug %] 787328</a>)</li>
+  <li>Oracle crashed when reporting a new [% terms.bug %] if a custom free-text field
+    was non-mandatory and left empty.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=919475">[% terms.Bug %] 919475</a>)</li>
+  <li>It was not possible to import [% terms.bugs %] using <kbd>importxml.pl</kbd> with Oracle.
+    (<a href="https://bugzilla.mozilla.org/show_bug.cgi?id=848063">[% terms.Bug %] 848063</a>)</li>
+</ul>
+
 <h3>4.2.6</h3>
 
 <p>The following important fixes/changes have been made in this release:</p>
-- 
cgit v1.2.3-24-g4f1b


From 3771585c730f31f36a5efa3bd6b053ddf66bb2ba Mon Sep 17 00:00:00 2001
From: Dave Lawrence <dlawrence@mozilla.com>
Date: Wed, 16 Oct 2013 12:05:10 -0400
Subject: Bug 906745 - In MySQL, tokens are not case-sensitive, reducing total
 entropy and allowing easier brute force r=LpSolit,a=glob

---
 template/en/default/global/code-error.html.tmpl | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'template')

diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index 24e46fb14..877fe8d66 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -438,6 +438,9 @@
   [% ELSIF error == "token_generation_error" %]
     Something is seriously wrong with the token generation system.
 
+  [% ELSIF error == "cancel_token_does_not_exist" %]
+    The token to be cancelled does not exist.
+
   [% ELSIF error == "template_error" %]
     [% template_error_msg FILTER html %]
 
-- 
cgit v1.2.3-24-g4f1b


From 53eeca9fc9a12ae23a0aa66f1b38021e93d4f03c Mon Sep 17 00:00:00 2001
From: Frédéric Buclin <LpSolit@gmail.com>
Date: Wed, 16 Oct 2013 19:19:12 +0200
Subject: Bug 924802: (CVE-2013-1742) [SECURITY] (XSS) "id" and "sortkey" are
 not sanitized when editing flag types if categoryAction-foo is set r=dkl
 a=glob

---
 template/en/default/admin/flag-type/edit.html.tmpl | 6 +++---
 template/en/default/filterexceptions.pl            | 2 --
 2 files changed, 3 insertions(+), 5 deletions(-)

(limited to 'template')

diff --git a/template/en/default/admin/flag-type/edit.html.tmpl b/template/en/default/admin/flag-type/edit.html.tmpl
index 2cb985a47..de0476e19 100644
--- a/template/en/default/admin/flag-type/edit.html.tmpl
+++ b/template/en/default/admin/flag-type/edit.html.tmpl
@@ -52,7 +52,7 @@
 <form id="flagtype_properties" method="post" action="editflagtypes.cgi">
   <input type="hidden" name="action" value="[% action FILTER html %]">
   <input type="hidden" name="can_fully_edit" value="[% can_fully_edit FILTER html %]">
-  <input type="hidden" name="id" value="[% type.id %]">
+  <input type="hidden" name="id" value="[% type.id FILTER html %]">
   <input type="hidden" name="token" value="[% token FILTER html %]">
   <input type="hidden" name="target_type" value="[% type.target_type FILTER html %]">
   <input type="hidden" name="check_clusions" value="[% check_clusions FILTER none %]">
@@ -149,8 +149,8 @@
         this type will be sorted when displayed to users in a list; ignore if you
         don't care what order the types appear in or if you want them to appear
         in alphabetical order.<br>
-        <input type="text" name="sortkey" value="[% type.sortkey || 1 %]" size="5" maxlength="5"
-               [%- ' disabled="disabled"' UNLESS can_fully_edit %]>
+        <input type="text" name="sortkey" value="[% type.sortkey || 1 FILTER html %]" size="5"
+               maxlength="5" [% ' disabled="disabled"' UNLESS can_fully_edit %]>
       </td>
     </tr>
 
diff --git a/template/en/default/filterexceptions.pl b/template/en/default/filterexceptions.pl
index 691241c9c..897ab148e 100644
--- a/template/en/default/filterexceptions.pl
+++ b/template/en/default/filterexceptions.pl
@@ -410,8 +410,6 @@
 ],
 
 'admin/flag-type/edit.html.tmpl' => [
-  'type.id', 
-  'type.sortkey || 1',
   'selname',
 ],
 
-- 
cgit v1.2.3-24-g4f1b


From 3b9eb2e03904a12cf38268b2527742e5ede7f305 Mon Sep 17 00:00:00 2001
From: Frédéric Buclin <LpSolit@gmail.com>
Date: Wed, 16 Oct 2013 19:26:25 +0200
Subject: Bug 924932: (CVE-2013-1743) [SECURITY] Field values are (still) not
 escaped correctly in tabular reports r=dkl a=glob

---
 template/en/default/reports/report-table.html.tmpl | 38 ++++++++++++++--------
 1 file changed, 24 insertions(+), 14 deletions(-)

(limited to 'template')

diff --git a/template/en/default/reports/report-table.html.tmpl b/template/en/default/reports/report-table.html.tmpl
index b41753550..cef47c2d9 100644
--- a/template/en/default/reports/report-table.html.tmpl
+++ b/template/en/default/reports/report-table.html.tmpl
@@ -47,32 +47,42 @@
 [% END %]
 
 <script type="text/javascript">
+function bz_encode (str, decode) {
+  // First decode HTML entities, if requested.
+  if (decode)
+    str = str.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
+             .replace(/&nbsp;/g, " ").replace(/&amp;/g, "&").replace(/\s+$/,"");
+
+  // encodeURIComponent() doesn't escape single quotes.
+  return encodeURIComponent(str).replace(/'/g, escape);
+};
+
 YAHOO.util.Event.addListener(window, "load", function() {
   this.Linkify = function(elLiner, oRecord, oColumn, oData) {
     if (oData == 0)
       elLiner.innerHTML = ".";
     else if (oRecord.getData("row_title") == "Total")
-      elLiner.innerHTML = "<a href='[% urlbase %]&amp;[% col_field FILTER js %]="
-                          + oColumn.field + "[% '&amp;' _ row_vals IF row_vals %]'>"
-                          + oData + "</a>";
+      elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&amp;[% col_field FILTER uri FILTER js %]='
+                          + bz_encode(oColumn.field)
+                          + '[% "&amp;" _ row_vals IF row_vals %]">' + oData + '</a>';
     else
-      elLiner.innerHTML = "<a href='[% urlbase %]&amp;[% row_field FILTER js %]="
-                          + oRecord.getData("row_title").replace(/\s+$/,"")
-                          + "&amp;[% col_field FILTER js %]=" + oColumn.field
-                          + "'>" + oData + "</a>";
+      elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&amp;[% row_field FILTER uri FILTER js %]='
+                          + bz_encode(oRecord.getData("row_title"), 1)
+                          + '&amp;[% col_field FILTER uri FILTER js %]='
+                          + bz_encode(oColumn.field) + '">' + oData + '</a>';
   };
 
   this.LinkifyTotal = function(elLiner, oRecord, oColumn, oData) {
     if (oData == 0)
       elLiner.innerHTML = ".";
     else if (oRecord.getData("row_title") == "Total")
-      elLiner.innerHTML = "<a href='[% urlbase %][% '&amp;' _ row_vals IF row_vals %]
-                          [%~ '&amp;' _ col_vals IF col_vals %]'>"
-                          + oData + "</a>";
+      elLiner.innerHTML = '<a href="[% urlbase FILTER js %][% "&amp;" _ row_vals IF row_vals %]
+                          [%~ "&amp;" _ col_vals IF col_vals %]">'
+                          + oData + '</a>';
     else
-      elLiner.innerHTML = "<a href='[% urlbase %]&amp;[% row_field FILTER js %]="
-                          + oRecord.getData("row_title").replace(/\s+$/,"")
-                          + "[% '&amp;' _ col_vals IF col_vals %]'>" + oData + "</a>";
+      elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&amp;[% row_field FILTER uri FILTER js %]='
+                          + bz_encode(oRecord.getData("row_title"), 1)
+                          + '[% "&amp;" _ col_vals IF col_vals %]">' + oData + '</a>';
 
     YAHOO.util.Dom.addClass(elLiner.parentNode, "ttotal");
   };
@@ -164,7 +174,7 @@ YAHOO.util.Event.addListener(window, "load", function() {
 [% col_idx = 0 %]
 [% row_idx = 0 %]
 [% grand_total = 0 %]
-<div id="tabular_report_container_[% tbl FILTER js %]">
+<div id="tabular_report_container_[% tbl FILTER html %]">
 <table id="tabular_report" border="1">
   [% IF col_field %]
     <thead>
-- 
cgit v1.2.3-24-g4f1b