[SECURITY] Bug 313441: Query RSS should HTML-escape summary in <title> - Patch…

Bugzilla/Constants.pm

@@ -148,7 +148,7 @@ use constant contenttypes =>
   {
    "html"=> "text/html" , 
    "rdf" => "application/rdf+xml" , 
-   "rss" => "application/rss+xml" ,
+   "atom"=> "application/atom+xml" ,
    "xml" => "application/xml" , 
    "js"  => "application/x-javascript" , 
    "csv" => "text/plain" ,

buglist.cgi

@@ -103,6 +103,11 @@ if (defined $cgi->param('format') && $cgi->param('format') eq "rdf"
     $cgi->delete('format');
 }
 
+# Treat requests for ctype=rss as requests for ctype=atom
+if (defined $cgi->param('ctype') && $cgi->param('ctype') eq "rss") {
+    $cgi->param('ctype', "atom");
+}
+
 # The js ctype presents a security risk; a malicious site could use it  
 # to gather information about secure bugs. So, we only allow public bugs to be
 # retrieved with this format.
@@ -683,12 +688,12 @@ if ($format->{'extension'} eq 'ics') {
     push(@selectcolumns, "opendate") if !grep($_ eq 'opendate', @selectcolumns);
 }
 
-if ($format->{'extension'} eq 'rss') {
-    # The title of the RSS feed will be the same one as for the bug list.
+if ($format->{'extension'} eq 'atom') {
+    # The title of the Atom feed will be the same one as for the bug list.
     $vars->{'title'} = $cgi->param('title');
 
-    # This is the list of fields that are needed by the rss filter.
-    my @required_rss_columns = (
+    # This is the list of fields that are needed by the Atom filter.
+    my @required_atom_columns = (
       'short_desc',
       'opendate',
       'changeddate',
@@ -699,7 +704,7 @@ if ($format->{'extension'} eq 'rss') {
       'bug_status'
     );
 
-    foreach my $required (@required_rss_columns) {
+    foreach my $required (@required_atom_columns) {
         push(@selectcolumns, $required) if !grep($_ eq $required,@selectcolumns);
     }
 }
@@ -934,7 +939,7 @@ while (my @row = $buglist_sth->fetchrow_array()) {
             s/^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})$/$1-$2-$3 $4:$5:$6/;
 
         # Put in the change date as a time, so that the template date plugin
-        # can format the date in any way needed by the template. ICS and RSS
+        # can format the date in any way needed by the template. ICS and Atom
         # have specific, and different, date and time formatting.
         $bug->{'changedtime'} = str2time($bug->{'changeddate'});
         $bug->{'changeddate'} = DiffDate($bug->{'changeddate'});        

template/en/default/global/header.html.tmpl

@@ -35,7 +35,7 @@
   # style: string. CSS style.
   # style_urls: list. List of URLs to CSS style sheets.
   # message: string. A message to display to the user. May contain HTML.
-  # rsslink: rss link url, May contain HTML
+  # atomlink: Atom link url, May contain HTML
   #%]
 
 [% IF message %]
@@ -100,11 +100,11 @@
       [% END %]
     [% END %]
 
-    [%# this puts the live bookmark up on firefox for the RSS feed %]
-    [% IF rsslink %]
+    [%# this puts the live bookmark up on firefox for the Atom feed %]
+    [% IF atomlink %]
        <link rel="alternate" 
-             type="application/rss+xml" title="RSS 1.0" 
-             href="[% rsslink FILTER html %]" />
+             type="application/atom+xml" title="Atom feed" 
+             href="[% atomlink FILTER html %]" />
     [% END %]
 
   </head>

template/en/default/list/list.rss.tmpl → template/en/default/list/list.atom.tmpl

@@ -19,8 +19,9 @@
   # Contributor(s): Walter Hoehn <wassa@columbia.edu>
   #                 John Belmonte <john@neggie.net>
   #                 Jason Remillard <jremillardshop@letterboxes.org>
+  #                 Phil Ringnalda <bugzilla@philringnalda.com>
   #
-  # This is a template for generating an RSS 1.0 representation of a buglist. 
+  # This is a template for generating an Atom representation of a buglist. 
   #%]
 
 [% PROCESS global/variables.none.tmpl %]
@@ -29,42 +30,32 @@
 [% DEFAULT title = "$terms.Bugzilla $terms.Bugs" %]
 
 <?xml version="1.0"[% IF Param('utf8') %] encoding="UTF-8"[% END %]?>
-<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" 
-         xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
-         xmlns:dc="http://purl.org/dc/elements/1.1/"
-         xmlns="http://purl.org/rss/1.0/">
-  <channel rdf:about="[% Param('urlbase') %]buglist.cgi?
-         [%- urlquerypart.replace('ctype=rss[&]?','') FILTER xml %]" >
-       
+<feed xmlns="http://www.w3.org/2005/Atom">
   <title>[% title FILTER xml %]</title>
-    <description>[% "$terms.Bugzilla $terms.bug list" FILTER xml %]</description>
-    
-    <link>[% Param('urlbase') %]buglist.cgi?
-          [%- urlquerypart.replace('ctype=rss[&]?','') FILTER xml -%]
-    </link>
-    
-    <sy:updatePeriod>hourly</sy:updatePeriod>
-    <sy:updateFrequency>2</sy:updateFrequency>
-    
-    <items>
-      <rdf:Seq>
-      [% FOREACH bug = bugs %]
-        <rdf:li rdf:resource="[% Param('urlbase') FILTER xml %]show_bug.cgi?id=[% bug.bug_id FILTER xml %]" />
-      [% END %]
-      </rdf:Seq>
-    </items>
-    
-  </channel>
+  <link rel="alternate" type="text/html"
+        href="[% Param('urlbase') %]buglist.cgi?
+        [%- urlquerypart.replace('ctype=atom[&]?','') FILTER xml %]"/>
+  <link rel="self" type="application/atom+xml"
+        href="[% Param('urlbase') %]buglist.cgi?
+        [%- urlquerypart FILTER xml %]"/>
+  <updated>[% date.format(format=>"%Y-%m-%dT%H:%M:%SZ",
+              time=>bugs.nsort('changedtime').last.changedtime,
+              gmt=>1) FILTER xml %]</updated>
+  <id>[% Param('urlbase') %]buglist.cgi?[% urlquerypart FILTER xml %]</id>
 
   [% FOREACH bug = bugs %]
-  <item rdf:about="[% Param('urlbase') FILTER xml %]show_bug.cgi?id=[% bug.bug_id FILTER xml %]">
-    <title>
-      [% "@" IF bug.secure_mode %] [[% terms.Bug %] [%+ bug.bug_id FILTER xml %]] [% bug.short_desc FILTER xml %]
-    </title>
-    <link>[% Param('urlbase') FILTER xml %]show_bug.cgi?id=[% bug.bug_id FILTER xml %]</link>
-    <dc:creator>[% bug.reporter_realname FILTER xml %]</dc:creator>
-    <dc:date>[% date.format(format=>"%Y-%m-%dT%H:%MZ",time=>bug.opentime,gmt=>1) FILTER xml %]</dc:date> 
-    <description>
+  <entry>
+    <title>[% "@" IF bug.secure_mode %][[% terms.Bug %] [%+ bug.bug_id FILTER xml %]] [% bug.short_desc FILTER xml %]</title>
+    <link rel="alternate" type="text/html"
+          href="[% Param('urlbase') FILTER xml %]show_bug.cgi?id=
+          [%- bug.bug_id FILTER xml %]"/>
+    <id>[% Param('urlbase') FILTER xml %]show_bug.cgi?id=[% bug.bug_id FILTER xml %]</id>
+    <author>
+      <name>[% bug.reporter_realname FILTER xml %]</name>
+    </author>
+    <updated>[% date.format(format=>"%Y-%m-%dT%H:%M:%SZ",time=>bug.changedtime,
+                gmt=>1) FILTER xml %]</updated> 
+    <summary type="html">
       [%# Filter out the entire block, so that we don't need to escape the html code out %]
       [% FILTER xml %]
       <table>
@@ -91,7 +82,7 @@
       </tr>
       </table>
       [% END %]
-    </description>
-  </item>
+    </summary>
+  </entry>
   [% END %]
-</rdf:RDF>
+</feed>

template/en/default/list/list.html.tmpl

@@ -48,7 +48,7 @@
 [% PROCESS global/header.html.tmpl
   title = title
   style = style
-  rsslink = "buglist.cgi?$urlquerypart&title=$title&ctype=rss" 
+  atomlink = "buglist.cgi?$urlquerypart&title=$title&ctype=atom" 
 %]
 
 <div align="center">
@@ -169,7 +169,7 @@
         [% urlquerypart FILTER html %]&amp;ctype=csv">CSV</a> |
         <a href="buglist.cgi?
         [% urlquerypart FILTER html %]&amp;title=
-        [%- title FILTER html %]&amp;ctype=rss">RSS</a> |
+        [%- title FILTER html %]&amp;ctype=atom">Feed</a> |
         <a href="buglist.cgi?
         [% urlquerypart FILTER html %]&amp;ctype=ics">iCalendar</a> |
         <a href="colchange.cgi?