From: Frédéric Buclin <LpSolit@gmail.com>
Date: Tue, 10 Jan 2012 00:03:49 +0000 (+0100)
Subject: Bug 716283: Clickjacking in the attachment "Details" page allows to bypass token... 
X-Git-Tag: bugzilla-4.0.4~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b466bd6a32575f55586336f72d8ccfce0fa1f2d;p=thirdparty%2Fbugzilla.git

Bug 716283: Clickjacking in the attachment "Details" page allows to bypass token checks
r=dkl a=LpSolit
---

diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl
index c0d30610ae..876d47e55e 100644
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -205,10 +205,22 @@
               defaultcontent = (attachment.contenttype.match('^text\/')) ?
                                  attachment.data.replace('(.*\n|.+)', '>$1') : undef
             %]
-            <iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]">
-              <b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
-              <a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b>
-            </iframe>
+            [% IF attachment.contenttype == "text/html" %]
+              [%# For security reasons (clickjacking, embedded scripts), we never
+                # render HTML pages from here. The source code is displayed instead. %]
+              [% INCLUDE global/textarea.html.tmpl
+                 id      = 'viewFrame'
+                 minrows = 10
+                 cols    = 80
+                 defaultcontent = attachment.data
+                 readonly = 'readonly'
+              %]
+            [% ELSE %]
+              <iframe id="viewFrame" src="attachment.cgi?id=[% attachment.id %]">
+                <b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
+                <a href="attachment.cgi?id=[% attachment.id %]">View the attachment on a separate page</a>.</b>
+              </iframe>
+            [% END %]
             <script type="text/javascript">
               <!--
               var patchviewerinstalled = 0;
diff --git a/template/en/default/global/textarea.html.tmpl b/template/en/default/global/textarea.html.tmpl
index c158615bd7..ac7ab04ec4 100644
--- a/template/en/default/global/textarea.html.tmpl
+++ b/template/en/default/global/textarea.html.tmpl
@@ -21,6 +21,8 @@
   # style:          (optional) The "style"-attribute of the textarea.
   # classes:        (optional) The "class"-attribute of the textarea.
   # wrap:           (deprecated; optional) The "wrap"-attribute of the textarea.
+  # disabled:       (optional) Disable the textarea.
+  # readonly:       (optional) Prevent the textarea from being edited.
   # minrows:        (required) Number of rows the textarea shall have initially
   #                 and when not having focus.
   # maxrows:        (optional) Number of rows the textarea shall have if
@@ -42,6 +44,7 @@
           [% IF classes %] class="[% classes FILTER html %]"[% END %]
           [% IF wrap %] wrap="[% wrap FILTER html %]"[% END %]
           [% IF disabled %] disabled="disabled"[% END %]
+          [% IF readonly %] readonly="readonly"[% END %]
           [% IF defaultrows && user.settings.zoom_textareas.value == 'off' %]
             rows="[% defaultrows FILTER html %]"
           [% ELSE %]