Bug 731178 (CVE-2012-4199): [SECURITY] field-events.js.tmpl discloses product…

template/en/default/bug/edit.html.tmpl

@@ -8,8 +8,8 @@
 
 [% PROCESS bug/time.html.tmpl %]
 
-  <script type="text/javascript">
-  <!--
+<script type="text/javascript">
+<!--
 [% IF user.is_timetracker %]
   var fRemainingTime = [% bug.remaining_time %]; // holds the original value
   function adjustRemainingTime() {
@@ -30,6 +30,7 @@
   }
 [% END %]
 
+[% IF user.id %]
   /* Index all classifications so we can keep track of the classification
    * for the selected product, which could control field visibility.
    */
@@ -38,9 +39,9 @@
       all_classifications['[% product.name FILTER js %]'] = '
           [%- product.classification.name FILTER js %]';
   [%- END %]
-
-  //-->
-  </script>
+[% END %]
+//-->
+</script>
 
 <form name="changeform" id="changeform" method="post" action="process_bug.cgi">
 

template/en/default/bug/field-events.js.tmpl

@@ -13,11 +13,23 @@
   #%]
 
 [% FOREACH controlled_field = field.controls_visibility_of %]
+  [% vis_names = [] %]
+  [% FOREACH visibility_value = controlled_field.visibility_values %]
+    [%# Exclude non-enterable products and components outside the current product. %]
+    [% NEXT IF field.name == "product"
+               && visibility_value.id != product.id
+               && !user.can_enter_product(visibility_value) %]
+    [% NEXT IF field.name == "component" && visibility_value.product_id != product.id %]
+    [% vis_names.push(visibility_value.name) %]
+  [% END %]
+
+  [% NEXT UNLESS vis_names.size %]
+
   showFieldWhen('[% controlled_field.name FILTER js %]',
                 '[% field.name FILTER js %]', [
-  [%- FOREACH visibility_value = controlled_field.visibility_values -%]
-    '[%- visibility_value.name FILTER js -%]'[% "," UNLESS loop.last %]
-  [%- END %]
+                [%~ FOREACH vis_name = vis_names ~%]
+                  '[% vis_name FILTER js %]'[% "," UNLESS loop.last %]
+                [%~ END ~%]
   ]);
 [% END %]