From ae718be5e742aa62a03ecbd77917547d0043b19d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fr=C3=A9d=C3=A9ric=20Buclin?=
Date: Mon, 24 Jan 2011 19:38:50 +0100
Subject: [PATCH] Bug 619588: (CVE-2010-4567) [SECURITY] Safety checks that disallow clicking for javascript: or data: URLs in the URL field can be evaded with prefixed whitespace and Bug 628034: (CVE-2011-0048) [SECURITY] For not-logged-in users, the URL field doesn't safeguard against javascript: or data: URLs r=dkl a=LpSolit
---
 Bugzilla/Template.pm | 13 +++++++++++++
 template/en/default/bug/edit.html.tmpl | 9 ++++-----
 template/en/default/bug/show-multiple.html.tmpl | 6 +++---
 3 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index bafdf806f5..529a264328 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -764,6 +764,19 @@ sub create {
 return $docs_urlbase;
 },
 
+ # Check whether the URL is safe.
+ 'is_safe_url' => sub {
+ my $url = shift;
+ return 0 unless $url;
+
+ my $safe_protocols = join('|', SAFE_PROTOCOLS);
+ return 1 if $url =~ /^($safe_protocols):[^\s<>\"]+[\w\/]$/i;
+ # Pointing to a local file with no colon in its name is fine.
+ return 1 if $url =~ /^[^\s<>\":]+[\w\/]$/i;
+ # If we come here, then we cannot guarantee it's safe.
+ return 0;
+ },
+
 # Allow templates to generate a token themselves.
 'issue_hash_token' => \&Bugzilla::Token::issue_hash_token,
 
diff --git a/template/en/default/bug/edit.html.tmpl b/template/en/default/bug/edit.html.tmpl
index f7378c6cf0..0e1c4da687 100644
--- a/template/en/default/bug/edit.html.tmpl
+++ b/template/en/default/bug/edit.html.tmpl
@@ -613,8 +613,7 @@
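Review bot: The `$` anchors in both new `return 1 if` patterns of `is_safe_url` also match just before a trailing newline, not only at true end of string, so a value ending in "\n" is still reported as safe; since the point of this check is to reject surrounding whitespace, anchor with `\z` instead: `return 1 if $url =~ /^(?:$safe_protocols):[^\s<>"]+[\w\/]\z/i;` and `return 1 if $url =~ /^[^\s<>":]+[\w\/]\z/;` (the `/i` on the second pattern has no effect, as it contains no letters). The interpolated `$safe_protocols` is built from `SAFE_PROTOCOLS` without escaping; the entries are presumably plain scheme names, but `join('|', map { quotemeta } SAFE_PROTOCOLS)` removes the dependency on that and costs nothing. The one-line comment above the sub does not state its contract; I would expand it to `# Returns 1 if $url starts with a SAFE_PROTOCOLS scheme or has no scheme at all, 0 otherwise (undef and empty are unsafe).` The enclosing `sub create` begins before this hunk and continues after it.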