From: Frédéric Buclin <LpSolit@gmail.com>
Date: Tue, 13 Nov 2012 17:09:30 +0000 (+0100)
Subject: Bug 731178 (CVE-2012-4199): [SECURITY] field-events.js.tmpl discloses product and... 
X-Git-Tag: bugzilla-4.2.4~5
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fbb0dd18cbf1ddf2e63c2db7c0bce98001a704ea;p=thirdparty%2Fbugzilla.git

Bug 731178 (CVE-2012-4199): [SECURITY] field-events.js.tmpl discloses product and component names that the user is not allowed to see
r=dkl a=LpSolit
---

diff --git a/template/en/default/bug/edit.html.tmpl b/template/en/default/bug/edit.html.tmpl
index bdee838066..fbc6e4a96d 100644
--- a/template/en/default/bug/edit.html.tmpl
+++ b/template/en/default/bug/edit.html.tmpl
@@ -30,9 +30,8 @@
 
 [% PROCESS bug/time.html.tmpl %]
 
-  <script type="text/javascript">
-  <!--
-  
+<script type="text/javascript">
+<!--
   /* Outputs a link to call replyToComment(); used to reduce HTML output */
   function addReplyLink(id, real_id) {
       /* XXX this should really be updated to use the DOM Core's
@@ -119,6 +118,7 @@
 
 [% END %]
 
+[% IF user.id %]
   /* Index all classifications so we can keep track of the classification
    * for the selected product, which could control field visibility.
    */
@@ -127,9 +127,9 @@
       all_classifications['[% product.name FILTER js %]'] = '
           [%- product.classification.name FILTER js %]';
   [%- END %]
-
-  //-->
-  </script>
+[% END %]
+//-->
+</script>
 
 <form name="changeform" id="changeform" method="post" action="process_bug.cgi">
 
diff --git a/template/en/default/bug/field-events.js.tmpl b/template/en/default/bug/field-events.js.tmpl
index 13ec18d38c..f1d5afd326 100644
--- a/template/en/default/bug/field-events.js.tmpl
+++ b/template/en/default/bug/field-events.js.tmpl
@@ -24,11 +24,23 @@
   #%]
 
 [% FOREACH controlled_field = field.controls_visibility_of %]
+  [% vis_names = [] %]
+  [% FOREACH visibility_value = controlled_field.visibility_values %]
+    [%# Exclude non-enterable products and components outside the current product. %]
+    [% NEXT IF field.name == "product"
+               && visibility_value.id != product.id
+               && !user.can_enter_product(visibility_value) %]
+    [% NEXT IF field.name == "component" && visibility_value.product_id != product.id %]
+    [% vis_names.push(visibility_value.name) %]
+  [% END %]
+
+  [% NEXT UNLESS vis_names.size %]
+
   showFieldWhen('[% controlled_field.name FILTER js %]',
                 '[% field.name FILTER js %]', [
-  [%- FOREACH visibility_value = controlled_field.visibility_values -%]
-    '[%- visibility_value.name FILTER js -%]'[% "," UNLESS loop.last %]
-  [%- END %]
+                [%~ FOREACH vis_name = vis_names ~%]
+                  '[% vis_name FILTER js %]'[% "," UNLESS loop.last %]
+                [%~ END ~%]
   ]);
 [% END %]