Bug 1444008 - Form action injection in Bugzilla /user_profile (leads to XSS/single...
authorDylan William Hardison <dylan@hardison.net>
Tue, 20 Mar 2018 14:06:20 +0000 (10:06 -0400)
committerDylan William Hardison <dylan@hardison.net>
Tue, 20 Mar 2018 14:06:20 +0000 (10:06 -0400)
.htaccess
extensions/UserProfile/template/en/default/pages/user_profile.html.tmpl
template/en/default/account/auth/login.html.tmpl

index 36195da50e807ed77387d2da8ac49fd856ca4e5b..745c57536c3144a943b0b0660c89c8b8fda7def2 100644 (file)
--- a/.htaccess
+++ b/.htaccess
@@ -37,9 +37,9 @@ RewriteRule ^new[-_]bug$ new_bug.cgi [L,QSA]
 
 RewriteRule ^template_cache/ - [F,L,NC]
 RewriteRule ^template_cache.deleteme/ - [F,L,NC]
-RewriteRule ^review(.*) page.cgi?id=splinter.html$1 [QSA]
-RewriteRule ^user_?profile(.*) page.cgi?id=user_profile.html$1 [QSA]
-RewriteRule ^request_defer(.*) page.cgi?id=request_defer.html$1 [QSA]
+RewriteRule ^review$ page.cgi?id=splinter.html$1 [QSA]
+RewriteRule ^user_?profile$ page.cgi?id=user_profile.html$1 [QSA]
+RewriteRule ^request_defer$ page.cgi?id=request_defer.html$1 [QSA]
 RewriteRule ^favicon\.ico$ extensions/BMO/web/images/favicon.ico
 RewriteRule ^form[\.:]itrequest$ enter_bug.cgi?product=Infrastructure+\%26+Operations&format=itrequest [QSA]
 RewriteRule ^form[\.:](mozlist|poweredby|presentation|trademark|recoverykey)$ enter_bug.cgi?product=mozilla.org&format=$1 [QSA]
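Review bot: The substitutions on the three rewritten rules still carry `$1` although the new patterns `^review$`, `^user_?profile$` and `^request_defer$` no longer define a capture group. Apache expands a backreference to a group the pattern does not have as an empty string, as far as I recall, so the rules keep working, but the dangling `$1` reads as though a path suffix were still being forwarded to page.cgi, which is exactly what this fix removes. I would drop it: `RewriteRule ^review$ page.cgi?id=splinter.html [QSA]`, `RewriteRule ^user_?profile$ page.cgi?id=user_profile.html [QSA]`, `RewriteRule ^request_defer$ page.cgi?id=request_defer.html [QSA]`. The `[QSA]` flag still carries the query string across, so `user_profile?login=…` keeps working without the suffix.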
index 27cb825ed937e225142c4db4d9be1f7a9b28c786..fd72091dca8c41aa651c25b34d6392b18d0602d0 100644 (file)
@@ -27,7 +27,7 @@
     <td>&nbsp;</td>
     <th>Search</th>
     <td colspan="2">
-      <form action="user_profile">
+      <form action="[% urlbase %]user_profile">
         [% INCLUDE global/userselect.html.tmpl
           id => "login"
           name => "login"
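Review bot: The reason for the absolute action on the search form is not recorded in the template, and nothing here stops the next edit from reverting it to a relative `user_profile`. A bare relative action resolves against whatever path the browser requested the page under, so it is only safe while the rewrite rules refuse path suffixes; the absolute form makes it independent of that. I would add a template comment above the form, `[%# absolute action on purpose: a relative "user_profile" resolves against the requested path, not against the script %]`. `urlbase` is inserted without `FILTER html` here and in the login template; if it is admin-configured it is presumably trusted by Bugzilla's template checks, but that is inferred, not visible in this hunk.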
index 160fad43b7719824f66495fce1f18f7d845c800e..c11a6afc14e9d33d0cf2d4f9e2fd60cc8a1d4d01 100644 (file)
@@ -42,7 +42,7 @@
 </p>
 
 <div id="login" class="login-form">
-  <form name="login" action="[% target FILTER html %]" method="POST"
+  <form name="login" action="[% urlbase %][% target FILTER uri FILTER html %]" method="POST"
         [%- IF Bugzilla.cgi.param("data") %] enctype="multipart/form-data"[% END %]>
     <div class="field-login">
       <label for="Bugzilla_login">Email Address:</label>
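Review bot: `FILTER uri` is the aggressive Template Toolkit encoder: besides neutralising characters that could break out of the attribute, it also percent-encodes reserved characters such as `/`, `?` and `=`, so if `target` ever holds a path or a query string the action becomes `urlbase` followed by an opaque encoded segment and the POST no longer reaches the intended script. Where `target` is assigned is outside this hunk; if it is always a bare script name the filter is exactly right, and that assumption is worth pinning with a comment such as `[%# target must be a script name relative to urlbase; uri-encoding it keeps a crafted value from pointing the login POST elsewhere %]`. If a path or query is legitimate there, a less aggressive encoder that leaves reserved characters intact would be needed, keeping `FILTER html` as the outermost filter.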