From 9244270a7d1ca49e315a98c24d51bf405bfa2880 Mon Sep 17 00:00:00 2001
From: Frédéric Buclin
Date: Mon, 24 Jan 2011 19:29:39 +0100
Subject: Bug 619588: (CVE-2010-4567) [SECURITY] Safety checks that disallow clicking for javascript: or data: URLs in the URL field can be evaded with prefixed whitespace and Bug 628034: (CVE-2011-0048) [SECURITY] For not-logged-in users, the URL field doesn't safeguard against javascript: or data: URLs r=dkl a=LpSolit
---
template/en/default/attachment/edit.html.tmpl | 5 +----
template/en/default/bug/edit.html.tmpl | 10 ++++------
template/en/default/bug/show-multiple.html.tmpl | 6 +++---
3 files changed, 8 insertions(+), 13 deletions(-)
(limited to 'template')
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl
index 56d2b8a80..eeebcffae 100644
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -185,10 +185,7 @@ defaultcontent = (attachment.contenttype.match('^text\/')) ? attachment.data.replace('(.*\n|.+)', '>$1') : undef %]
- [%# The regexp is stolen from quoteUrls(), see Template.pm %]
- [% safe_protocols = constants.SAFE_PROTOCOLS.join('|') %]
- [% IF attachment.contenttype == 'text/plain' && attachment.data.match("^($safe_protocols):" _ '[^\s<>\"]+[\w\/]$') %]
+ [% IF attachment.contenttype == 'text/plain' AND is_safe_url(attachment.data) %]

[% IF attachment.datasize < 120 %]
diff --git a/template/en/default/bug/edit.html.tmpl b/template/en/default/bug/edit.html.tmpl
index 1ae71b299..0aa5f80af 100644
--- a/template/en/default/bug/edit.html.tmpl
+++ b/template/en/default/bug/edit.html.tmpl
@@ -555,12 +555,10 @@ [%# Block for URL Keyword and Whiteboard #%] [%############################################################################%] [% BLOCK section_url_keyword_whiteboard %]
-[%# *** URL Whiteboard Keywords *** %]
URL [% ELSE %] URL
@@ -570,8 +568,7 @@ [% IF bug.check_can_change_field("bug_file_loc", 0, 1) %]
- [% IF bug.bug_file_loc AND NOT bug.bug_file_loc.match("^(javascript|data)") %]
+ [% IF is_safe_url(bug.bug_file_loc) %]
[% bug.bug_file_loc FILTER truncate(40) FILTER html %]
@@ -582,7 +579,8 @@ [% END %] [% url_output = PROCESS input no_td=1 inputname => "bug_file_loc" size => "40" colspan => 2 %]
- [% IF NOT bug.check_can_change_field("bug_file_loc", 0, 1) %]
+ [% IF NOT bug.check_can_change_field("bug_file_loc", 0, 1) AND is_safe_url(bug.bug_file_loc) %]
[% url_output FILTER none %] [% ELSE %] [% url_output FILTER none %]
diff --git a/template/en/default/bug/show-multiple.html.tmpl b/template/en/default/bug/show-multiple.html.tmpl
index 56f732667..33dde14a3 100644
--- a/template/en/default/bug/show-multiple.html.tmpl
+++ b/template/en/default/bug/show-multiple.html.tmpl
@@ -163,11 +163,11 @@ [% field_descs.bug_file_loc FILTER html %]:
- [% IF bug.bug_file_loc.match("^(javascript|data)") %]
- [% bug.bug_file_loc FILTER html %]
- [% ELSE %]
+ [% IF is_safe_url(bug.bug_file_loc) %]
[% bug.bug_file_loc FILTER html %]
+ [% ELSE %]
+ [% bug.bug_file_loc FILTER html %]
[% END %]
-- cgit v1.2.3-24-g4f1b
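Review bot: The new `+ [% IF attachment.contenttype == 'text/plain' AND is_safe_url(attachment.data) %]` line delegates the entire allowlist to `is_safe_url`, whose definition is not part of this patch, and the bug being fixed is a leading-whitespace bypass, so that helper must anchor its pattern at both ends (`^` … `$`) and must not trim the value before matching; confirm that against the helper in Template.pm and add regression inputs such as ` javascript:alert(1)`, `\tjavascript:alert(1)` and `JavaScript:alert(1)` to its test. The removed inline regex also excluded `<`, `>`, `"` and whitespace from the URL body, which is what kept the value from breaking out of the `href` attribute that presumably follows this condition (the anchor markup has been stripped from this rendering); keep `FILTER html` on that attribute regardless of what the helper rejects, since the allowlist only constrains scheme and charset. The template block this condition lives in starts and ends outside the hunk.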
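Review bot: The removed condition tested `bug.bug_file_loc` for truthiness before applying the deny-list, while the new `+ [% IF is_safe_url(bug.bug_file_loc) %]` in the `@@ -570` hunk passes an empty or undefined URL straight to the helper; unless `is_safe_url` itself returns false for an empty value (its definition is not in this patch), a bug with no URL would now render an empty link. If the helper does not already guard this, keep the old guard in the template: `[% IF bug.bug_file_loc AND is_safe_url(bug.bug_file_loc) %]`. The anchor markup between this condition and the `FILTER truncate(40) FILTER html` line has been stripped from this rendering, so I cannot verify it, but the `href` there still needs `FILTER html` as defence in depth even though the allowlist rejects `"`, `<` and `>`. The `section_url_keyword_whiteboard` block starts before this hunk and ends after it.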
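Review bot: With the `@@ -582` hunk, `bug.check_can_change_field("bug_file_loc", 0, 1)` and `is_safe_url(bug.bug_file_loc)` are each evaluated twice in the same block (once in the `@@ -570` hunk, once here), so the read-only and editable paths can drift apart in a later edit; evaluating them once near the top of the block, `[% can_edit_url = bug.check_can_change_field("bug_file_loc", 0, 1) %]` and `[% url_is_safe = is_safe_url(bug.bug_file_loc) %]`, and testing the variables in both places keeps both paths on the same predicate. The new two-part condition also deserves a one-line comment, e.g. `[%# Only link the URL for viewers who cannot edit it, and only when its protocol is allowlisted; the ELSE branch shows the plain field %]`, since the read-only branch is the one reachable by logged-out users that CVE-2011-0048 describes. What wraps `url_output` in the IF branch is not visible in this rendering, so that wording should be checked against the real markup.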
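Review bot: In the show-multiple hunk both branches now emit the same `[% bug.bug_file_loc FILTER html %]` text, and the only difference between them, the anchor that presumably wraps the first branch, has been stripped from this rendering, so a reader cannot tell from the condition alone why two branches exist; a comment above the `IF`, `[%# Link only allowlisted protocols (is_safe_url in Template.pm); anything else, including javascript: and data:, is rendered as inert text %]`, would document it. Replacing the deny-list `match("^(javascript|data)")` with the allowlist is the right fix, since the old test was also case-sensitive and would have linked `JavaScript:`; the same deny-list pattern should be searched for in any other template that links `bug_file_loc`, as this patch touches only three files.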