From: Frédéric Buclin <LpSolit@gmail.com>
Date: Tue, 13 Nov 2012 17:10:31 +0000 (+0100)
Subject: Bug 731178 (CVE-2012-4199): [SECURITY] field-events.js.tmpl discloses product and... 
X-Git-Tag: bugzilla-4.0.9~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8bcbb9f058f08428000627c00b0d3e3d179ef4e1;p=thirdparty%2Fbugzilla.git

Bug 731178 (CVE-2012-4199): [SECURITY] field-events.js.tmpl discloses product and component names that the user is not allowed to see
r=dkl a=LpSolit
---

diff --git a/template/en/default/bug/create/create.html.tmpl b/template/en/default/bug/create/create.html.tmpl
index c18e1c5354..ea000f2f36 100644
--- a/template/en/default/bug/create/create.html.tmpl
+++ b/template/en/default/bug/create/create.html.tmpl
@@ -248,7 +248,7 @@ TUI_hide_default('expert_fields');
       <script type="text/javascript">
        <!--
          [%+ INCLUDE "bug/field-events.js.tmpl" 
-                    field = bug_fields.component %]
+                    field = bug_fields.component product = product %]
        //-->
        </script>
     </td>
diff --git a/template/en/default/bug/field-events.js.tmpl b/template/en/default/bug/field-events.js.tmpl
index f9e0ea93dc..ab3ba77f94 100644
--- a/template/en/default/bug/field-events.js.tmpl
+++ b/template/en/default/bug/field-events.js.tmpl
@@ -19,12 +19,18 @@
 
 [%# INTERFACE:
   #   field: a Bugzilla::Field object
+  #   product: (optional) a Bugzilla::Product object.
   #%]
 
 [% FOREACH controlled_field = field.controls_visibility_of %]
+  [% vis_value = controlled_field.visibility_value %]
+  [% NEXT IF field.name == "product"
+             && vis_value.id != product.id
+             && !user.can_enter_product(vis_value) %]
+  [% NEXT IF field.name == "component" && vis_value.product_id != product.id %]
+
   showFieldWhen('[% controlled_field.name FILTER js %]',
-                '[% field.name FILTER js %]',
-                '[% controlled_field.visibility_value.name FILTER js %]');
+                '[% field.name FILTER js %]', '[% vis_value.name FILTER js %]');
 [% END %]
 [% FOREACH legal_value = field.legal_values %]
   [% FOREACH controlled_field = legal_value.controlled_values.keys %]
diff --git a/template/en/default/bug/field.html.tmpl b/template/en/default/bug/field.html.tmpl
index b014a6e6fb..3ec7f17670 100644
--- a/template/en/default/bug/field.html.tmpl
+++ b/template/en/default/bug/field.html.tmpl
@@ -154,7 +154,7 @@
         <script type="text/javascript">
         <!--
           initHidingOptionsForIE('[% field.name FILTER js %]');
-          [%+ INCLUDE "bug/field-events.js.tmpl" field = field %]
+          [%+ INCLUDE "bug/field-events.js.tmpl" field = field product = bug.product_obj %]
         //-->
         </script>