# normally the policy would just live in one .cgi file.
# Additionally, correct_urlbase() cannot be called at compile time, so this can't be a constant.
sub SHOW_BUG_MODAL_CSP {
- return (
+ my ($bug_id) = @_;
+ my %policy = (
script_src => ['self', 'nonce', 'unsafe-inline', 'unsafe-eval' ],
object_src => [correct_urlbase() . "extensions/BugModal/web/ZeroClipboard/ZeroClipboard.swf"],
+ img_src => [ 'self', 'https://secure.gravatar.com' ],
connect_src => [
'self',
# This is from extensions/OrangeFactor/web/js/orange_factor.js
'https://ashughes1.github.io/bugzilla-socorro-lens/chart.htm'
],
);
+ if (use_attachbase() && $bug_id) {
+ my $attach_base = Bugzilla->params->{'attachment_base'};
+ $attach_base =~ s/\%bugid\%/$bug_id/g;
+ push @{ $policy{img_src} }, $attach_base;
+ }
+
+ return %policy;
}
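Review bot: `$bug_id` is interpolated into the `img_src` source list at `$attach_base =~ s/\%bugid\%/$bug_id/g;` without any validation inside SHOW_BUG_MODAL_CSP, so the header's integrity depends on every caller having detainted the value first. Of the call sites in this commit only the `$cgi->param('id')` path runs `detaint_natural`; the `$bugid` argument in the `_init_bz_cgi_globals` hunk is not visibly validated here, and the `$bug->id` and `$vars->{bug}->id` callers rely on the object having been loaded from a checked id. Since CSP source lists are whitespace- and semicolon-delimited, a guard at the point of use is cheap defence in depth: `if (use_attachbase() && defined $bug_id && $bug_id =~ /\A\d+\z/) {`. The `\%` escapes in the pattern are unnecessary (`%` is not a regex metacharacter) but harmless.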
sub _init_bz_cgi_globals {
Bugzilla::Hook::process('show_bug_format', $show_bug_format);
if ($show_bug_format->{format} eq 'modal') {
- $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
+ $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bugid));
}
print $cgi->header();
Bugzilla::Hook::process('show_bug_format', $show_bug_format);
if ($show_bug_format->{format} eq 'modal') {
- $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
+ $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bug->id));
}
print $cgi->header();
Bugzilla::Hook::process('show_bug_format', $show_bug_format);
if ($show_bug_format->{format} eq 'modal') {
- $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
+ $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bug->id));
}
print $cgi->header();
$cgi->delete('format');
if ($user->setting('ui_experiments') eq 'on') {
- Bugzilla->cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
+ Bugzilla->cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bug->id));
}
print $cgi->header();
$template->process($format->{'template'}, $vars)
};
Bugzilla::Hook::process('show_bug_format', $format_params);
if ($format_params->{format} eq 'modal') {
- $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
+ my $bug_id = $vars->{bug} ? $vars->{bug}->id : undef;
+ $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bug_id));
}
my $format = $template->get_format("bug/show",
$format_params->{format},
use Bugzilla::Bug;
use Bugzilla::Hook;
use Bugzilla::CGI;
+use Bugzilla::Util qw(detaint_natural);
my $cgi = Bugzilla->cgi;
my $template = Bugzilla->template;
$format_params->{format},
$format_params->{ctype});
-if ($format_params->{format} eq 'modal') {
- $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP());
-}
-
# Editable, 'single' HTML bugs are treated slightly specially in a few places
my $single = (!$format->{format} || $format->{format} ne 'multiple')
&& $format->{extension} eq 'html';
exit;
}
+if ($format_params->{format} eq 'modal') {
+ my $bug_id = $cgi->param('id');
+ detaint_natural($bug_id);
+ $cgi->content_security_policy(Bugzilla::CGI::SHOW_BUG_MODAL_CSP($bug_id));
+}
+
+
my @bugs;
my %marks;
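Review bot: The return value of `detaint_natural($bug_id)` is discarded, so the code relies on the helper replacing a non-numeric `id` with undef in place (which the Bugzilla::Util implementation is expected to do); making the failure explicit reads better and survives a future change to that helper: `detaint_natural($bug_id) or undef $bug_id;`. `$cgi->param('id')` in scalar context also yields only the first value when several `id` parameters are present, which is fine for the modal format but deserves a one-line comment such as `# modal format shows a single bug; only the first id matters for the CSP`. The block has moved from directly after `get_format` to below the `exit;` branch, and the hunk does not show whether `$cgi->header()` has already been printed by this point, which would make the CSP setter a no-op, so please confirm the new position still precedes the header.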