Bug 745397: (CVE-2012-0466) [SECURITY] The JS template for buglists permits…

Bug 745397: (CVE-2012-0466) [SECURITY] The JS template for buglists permits attackers to access all bugs that the victim can see r=glob a=LpSolit

Bug 745397: (CVE-2012-0466) [SECURITY] The JS template for buglists permits…
811987d6 · Frédéric Buclin · 8dd0e819 · 811987d6 · 811987d6 · 8dd0e819
Commit 811987d6 authored Apr 18, 2012 by Frédéric Buclin
Hide whitespace changes
Inline Side-by-side

Showing with 0 additions and 45 deletions

buglist.cgi buglist.cgi +0 -10

using.xml docs/en/xml/using.xml +0 -10

list.js.tmpl template/en/default/list/list.js.tmpl +0 -25

No files found.
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -95,16 +95,6 @@ if (defined $cgi->param('ctype') && $cgi->param('ctype') eq "rss") {
    $cgi->param('ctype', "atom");
 }

-# The js ctype presents a security risk; a malicious site could use it  
-# to gather information about secure bugs. So, we only allow public bugs to be
-# retrieved with this format.
-#
-# Note that if and when this call clears cookies or has other persistent 
-# effects, we'll need to do this another way instead.
-if ((defined $cgi->param('ctype')) && ($cgi->param('ctype') eq "js")) {
-    Bugzilla->logout_request();
-}
-
 # An agent is a program that automatically downloads and extracts data
 # on its user's behalf.  If this request comes from an agent, we turn off
 # various aspects of bug list functionality so agent requests succeed

--- a/docs/en/xml/using.xml
+++ b/docs/en/xml/using.xml
@@ -671,16 +671,6 @@
        </member>
      </simplelist>
      </para>
-
-      <para>
-        If you would like to access the bug list from another program
-        it is often useful to have the list returned in something other
-        than HTML. By adding the ctype=type parameter into the bug list URL
-        you can specify several alternate formats. Besides the types described
-        above, the following formats are also supported: ECMAScript, also known
-        as JavaScript (ctype=js), and Resource Description Framework RDF/XML
-        (ctype=rdf).
-      </para>
    </section>

    <section id="individual-buglists">

--- a/template/en/default/list/list.js.tmpl
+++ b/template/en/default/list/list.js.tmpl
-[%# This Source Code Form is subject to the terms of the Mozilla Public
-  # License, v. 2.0. If a copy of the MPL was not distributed with this
-  # file, You can obtain one at http://mozilla.org/MPL/2.0/.
-  #
-  # This Source Code Form is "Incompatible With Secondary Licenses", as
-  # defined by the Mozilla Public License, v. 2.0.
-  #%]
-
-// Note: only publicly-accessible bugs (those not in any group) will be
-// listed when using this JavaScript format. This is to prevent malicious
-// sites stealing information about secure bugs.
-  
-bugs = new Array; 
-
-[% FOREACH bug = bugs %]
-  bugs[[% bug.bug_id %]] = [ 
-    [% FOREACH column = displaycolumns %]
-      "[%- bug.$column FILTER js -%]"[% "," UNLESS loop.last %]
-    [% END %]
-  ];
-[% END %]
-
-if (window.buglistCallback) {
-  buglistCallback(bugs);
-}