From: Max Kanat-Alexander
Date: Thu, 4 Aug 2011 20:02:26 +0000 (+0200)
Subject: Bug 660053: (CVE-2011-2976) [SECURITY] If a BUGLIST cookie is compromised, it can...
X-Git-Tag: bugzilla-3.4.12~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5a451ce5715d9cf07abfc796f39fed9e58507532;p=thirdparty%2Fbugzilla.git
Bug 660053: (CVE-2011-2976) [SECURITY] If a BUGLIST cookie is compromised, it can be used to XSS show_bug.cgi and inject HTML into r/a=LpSolit
---
diff --git a/template/en/default/bug/navigate.html.tmpl b/template/en/default/bug/navigate.html.tmpl
index 7b8f3c8274..769692c572 100644
--- a/template/en/default/bug/navigate.html.tmpl
+++ b/template/en/default/bug/navigate.html.tmpl
@@ -44,22 +44,24 @@ [% END %] [% IF this_bug_idx != -1 %] - First - Last + First + Last [% END %] [% IF bug.bug_id %] [% IF this_bug_idx != -1 %] [% IF this_bug_idx > 0 %] [% prev_bug = this_bug_idx - 1 %] - Prev + Prev [% ELSE %] Prev [% END %] [% IF this_bug_idx + 1 < bug_list.size %] [% next_bug = this_bug_idx + 1 %] - Next + Next [% ELSE %] Next [% END %]
diff --git a/template/en/default/filterexceptions.pl b/template/en/default/filterexceptions.pl
index 809ca77724..4e83aeaad3 100644
--- a/template/en/default/filterexceptions.pl
+++ b/template/en/default/filterexceptions.pl
@@ -250,10 +250,6 @@ ], 'global/site-navigation.html.tmpl' => [ - 'bug_list.first', - 'bug_list.$prev_bug', - 'bug_list.$next_bug', - 'bug_list.last', 'bug.bug_id', 'bug.votes', ],
@@ -300,13 +296,6 @@ '" spellcheck=\"$spellcheck\"" IF spellcheck', ], -'bug/navigate.html.tmpl' => [ - 'bug_list.first', - 'bug_list.last', - 'bug_list.$prev_bug', - 'bug_list.$next_bug', -], - 'bug/show-multiple.html.tmpl' => [ 'attachment.id', 'flag.status',
diff --git a/template/en/default/global/site-navigation.html.tmpl b/template/en/default/global/site-navigation.html.tmpl
index 5440fe1f88..d8f9cd9869 100644
--- a/template/en/default/global/site-navigation.html.tmpl
+++ b/template/en/default/global/site-navigation.html.tmpl
@@ -36,8 +36,10 @@ [% IF bug_list && bug_list.size > 0 %] - - + + [% IF bug && bug.bug_id %] [% current_bug_idx = lsearch(bug_list, bug.bug_id) %]
@@ -45,12 +47,14 @@ [% IF current_bug_idx > 0 %] [% prev_bug = current_bug_idx - 1 %] - + [% END %] [% IF current_bug_idx + 1 < bug_list.size %] [% next_bug = current_bug_idx + 1 %] - + [% END %] [% END %]
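Review bot: The BUGLIST cookie is still not validated where it is read; as far as this patch shows, the fix is applied only at output time, in the rewritten first/last/prev/next links of both site-navigation.html.tmpl hunks and the bug/navigate.html.tmpl hunk. Since the commit message treats the cookie contents as attacker-controlled, each entry should also be checked to be a plain bug id (digits only) at the point the cookie is split into `bug_list`, so that a template which later prints a `bug_list` element without a filter does not reopen the hole. The markup of the changed lines is not visible on this page, so the filter the new lines use cannot be confirmed; if the values land in link targets, as the First/Last/Prev/Next labels suggest, a URL-encoding filter is presumably the right one rather than plain HTML escaping. A short comment beside each filtered expression, for example `[%# bug_list comes from the BUGLIST cookie; treat as untrusted %]`, would keep the next editor from removing the filter.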