Bug 722161: Clickjacking is possible in "View All" with HTML attachments

r=dkl a=LpSolit

Bug 722161: Clickjacking is possible in "View All" with HTML attachments
578d62ae · Frédéric Buclin · b4a60112 · 578d62ae · 578d62ae
Commit 578d62ae authored Feb 08, 2012 by Frédéric Buclin
Show whitespace changes
Inline Side-by-side

Showing with 18 additions and 1 deletion

attachment.css skins/standard/attachment.css +5 -0

show-multiple.html.tmpl template/en/default/attachment/show-multiple.html.tmpl +13 -1

No files found.
--- a/skins/standard/attachment.css
+++ b/skins/standard/attachment.css
@@ -210,6 +210,11 @@ div#update_container {
    margin-left: 2%;
 }

+.viewall_frame {
+    width: 75%;
+    height: 350px;
+}
+
 .details span.bz_private{
  border-left: 1px solid darkred;
  padding-left: 0.5em;

--- a/template/en/default/attachment/show-multiple.html.tmpl
+++ b/template/en/default/attachment/show-multiple.html.tmpl
@@ -75,10 +75,22 @@
  </table>

  [% IF a.is_viewable %]
-    <iframe src="attachment.cgi?id=[% a.id %]" width="75%" height="350">
+    [% IF a.contenttype == "text/html" %]
+      [%# For security reasons (clickjacking, embedded scripts), we never
+        # render HTML pages from here. The source code is displayed instead. %]
+      [% INCLUDE global/textarea.html.tmpl
+         minrows = 10
+         cols    = 80
+         defaultcontent = a.data
+         readonly = 'readonly'
+         classes = 'viewall_frame'
+      %]
+    [% ELSE %]
+      <iframe src="attachment.cgi?id=[% a.id %]" class="viewall_frame">
        <b>You cannot view the attachment on this page because your browser does not support IFRAMEs.
        <a href="attachment.cgi?id=[% a.id %]">View the attachment on a separate page</a>.</b>
      </iframe>
+    [% END %]
  [% ELSE %]
    <p><b>
      Attachment cannot be viewed because its MIME type is not text/*, image/*, or application/vnd.mozilla.*.