From: Frédéric Buclin Date: Wed, 8 Feb 2012 15:55:03 +0000 (+0100) Subject: Bug 722161: Clickjacking is possible in "View All" with HTML attachments X-Git-Tag: bugzilla-4.0.5~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=988c6c05b881833c4a8fb0ac2009cdd791a6a05b;p=thirdparty%2Fbugzilla.git Bug 722161: Clickjacking is possible in "View All" with HTML attachments r=dkl a=LpSolit --- diff --git a/skins/standard/attachment.css b/skins/standard/attachment.css index 0db468bd25..44dc87fd47 100644 --- a/skins/standard/attachment.css +++ b/skins/standard/attachment.css @@ -232,6 +232,11 @@ div#update_container { margin-left: 2%; } +.viewall_frame { + width: 75%; + height: 350px; +} + .details span.bz_private{ border-left: 1px solid darkred; padding-left: 0.5em; diff --git a/template/en/default/attachment/show-multiple.html.tmpl b/template/en/default/attachment/show-multiple.html.tmpl index 15e20e894c..0bfabc1535 100644 --- a/template/en/default/attachment/show-multiple.html.tmpl +++ b/template/en/default/attachment/show-multiple.html.tmpl @@ -83,10 +83,22 @@ [% IF a.is_viewable %] - + [% IF a.contenttype == "text/html" %] + [%# For security reasons (clickjacking, embedded scripts), we never + # render HTML pages from here. The source code is displayed instead. %] + [% INCLUDE global/textarea.html.tmpl + minrows = 10 + cols = 80 + defaultcontent = a.data + readonly = 'readonly' + classes = 'viewall_frame' + %] + [% ELSE %] + + [% END %] [% ELSE %]

Attachment cannot be viewed because its MIME type is not text/*, image/*, or application/vnd.mozilla.*.
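Review bot: in the skins/standard/attachment.css hunk, `.viewall_frame` pins both dimensions (`width: 75%; height: 350px;`) of whatever element carries the class, while the template hunk in the same patch also passes `minrows = 10` and `cols = 80` to the textarea; once the stylesheet loads the CSS overrides both, so either state in a comment that rows/cols are a no-CSS fallback or drop them, so the two sizing mechanisms do not drift apart in later edits.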
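Review bot: in the template/en/default/attachment/show-multiple.html.tmpl hunk, the new guard is an exact string comparison, `a.contenttype == "text/html"`, so any viewable attachment whose stored type is not literally that string (one carrying a charset parameter, or a script-capable `image/svg+xml`, which the context line below the hunk lists as viewable via image/*) still takes the `[% ELSE %]` path and is rendered inline, which is the very exposure the new comment says is being closed. Suggest normalising the type before comparing (strip parameters, compare case-insensitively) and treating SVG like HTML, i.e. show source only. Also worth confirming that global/textarea.html.tmpl HTML-escapes `defaultcontent`, since `a.data` is attachment content supplied by the reporter and is now placed inside a textarea.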