From c738859a411c63f64fa931a5275111aeb9d90fd8 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Tue, 21 Feb 2006 08:05:56 +0000
Subject: [PATCH] [SECURITY] Bug 313441: Query RSS should HTML-escape summary in - Patch by Phil Ringnalda <philringnalda@gmail.com> r=myk a=justdave
I forgot to specify the bug number in my previous checkin. That was bug 312498.
---
 Bugzilla/Constants.pm | 2 +-
 buglist.cgi | 17 +++--
 template/en/default/global/header.html.tmpl | 10 +--
 .../list/{list.rss.tmpl => list.atom.tmpl} | 69 ++++++++-----------
 template/en/default/list/list.html.tmpl | 14 ++--
 5 files changed, 54 insertions(+), 58 deletions(-)
 rename template/en/default/list/{list.rss.tmpl => list.atom.tmpl} (57%)
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index 09717486ee..c005187320 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -148,7 +148,7 @@ use constant contenttypes =>
 {
 "html"=> "text/html" ,
 "rdf" => "application/rdf+xml" ,
- "rss" => "application/rss+xml" ,
+ "atom"=> "application/atom+xml" ,
 "xml" => "application/xml" ,
 "js" => "application/x-javascript" ,
 "csv" => "text/plain" ,
diff --git a/buglist.cgi b/buglist.cgi
index 2ff8084510..ba105eab87 100755
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -103,6 +103,11 @@ if (defined $cgi->param('format') && $cgi->param('format') eq "rdf"
 $cgi->delete('format');
 }
+# Treat requests for ctype=rss as requests for ctype=atom
+if (defined $cgi->param('ctype') && $cgi->param('ctype') eq "rss") {
+ $cgi->param('ctype', "atom");
+} + +# The js ctype presents a security risk; a malicious site could use it # to gather information about secure bugs. So, we only allow public bugs to be # retrieved with this format.
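Review bot: The alias added at `+if (defined $cgi->param('ctype') && $cgi->param('ctype') eq "rss")` records what it does but not why, and the reason matters because the same commit removes the `"rss"` key from `contenttypes` in Bugzilla/Constants.pm, so any request that reaches the content-type lookup with `ctype=rss` through a path other than this rewrite would no longer resolve. The comment should state that this is the compatibility shim for existing feed URLs and that the removal is deliberate, e.g. `# Treat requests for ctype=rss as requests for ctype=atom: the RSS template has been replaced by the Atom one and no "rss" contenttype remains, so existing feed subscriptions keep working.` Whether other callers still pass `rss` cannot be seen from this hunk.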
@@ -683,12 +688,12 @@ if ($format->{'extension'} eq 'ics') {
 push(@selectcolumns, "opendate") if !grep($_ eq 'opendate', @selectcolumns);
 }
-if ($format->{'extension'} eq 'rss') {
- # The title of the RSS feed will be the same one as for the bug list.
+if ($format->{'extension'} eq 'atom') {
+ # The title of the Atom feed will be the same one as for the bug list.
 $vars->{'title'} = $cgi->param('title');
- # This is the list of fields that are needed by the rss filter.
- my @required_rss_columns = (
+ # This is the list of fields that are needed by the Atom filter.
+ my @required_atom_columns = (
 'short_desc',
 'opendate',
 'changeddate',
@@ -699,7 +704,7 @@ if ($format->{'extension'} eq 'rss') {
 'bug_status'
 );
- foreach my $required (@required_rss_columns) {
+ foreach my $required (@required_atom_columns) {
 push(@selectcolumns, $required) if !grep($_ eq $required,@selectcolumns);
 }
 }
@@ -934,7 +939,7 @@ while (my @row = $buglist_sth->fetchrow_array()) {
 s/^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})$/$1-$2-$3 $4:$5:$6/;
 # Put in the change date as a time, so that the template date plugin
- # can format the date in any way needed by the template. ICS and RSS
+ # can format the date in any way needed by the template. ICS and Atom
 # have specific, and different, date and time formatting.
 $bug->{'changedtime'} = str2time($bug->{'changeddate'});
 $bug->{'changeddate'} = DiffDate($bug->{'changeddate'});
diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl
index 90c3659fe8..959bf5a995 100644
--- a/template/en/default/global/header.html.tmpl
+++ b/template/en/default/global/header.html.tmpl
@@ -35,7 +35,7 @@
 # style: string. CSS style.
 # style_urls: list. List of URLs to CSS style sheets.
 # message: string. A message to display to the user. May contain HTML.
- # rsslink: rss link url, May contain HTML
+ # atomlink: Atom link url, May contain HTML
 #%]
 [% IF message %]
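Review bot: The new parameter description `+ # atomlink: Atom link url, May contain HTML` keeps the "May contain HTML" wording, but the only consumer in this commit emits the value as `href="[% atomlink FILTER html %]"` (the next hunk of this file), so any markup in it is escaped rather than honoured and the comment misdescribes the contract. It should say the value is a URL that gets HTML-escaped on output, e.g. `# atomlink: string. URL of the Atom feed for this page; HTML-escaped when emitted.` The parameter block this comment belongs to starts before the hunk.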
@@ -100,11 +100,11 @@
 [% END %]
 [% END %]
- [%# this puts the live bookmark up on firefox for the RSS feed %]
- [% IF rsslink %]
+ [%# this puts the live bookmark up on firefox for the Atom feed %]
+ [% IF atomlink %]
 <link rel="alternate"
- type="application/rss+xml" title="RSS 1.0"
- href="[% rsslink FILTER html %]" />
+ type="application/atom+xml" title="Atom feed"
+ href="[% atomlink FILTER html %]" />
 [% END %]
 </head>
diff --git a/template/en/default/list/list.rss.tmpl b/template/en/default/list/list.atom.tmpl
similarity index 57%
rename from template/en/default/list/list.rss.tmpl
rename to template/en/default/list/list.atom.tmpl
index cf6901bd7d..367f2858f1 100644
--- a/template/en/default/list/list.rss.tmpl
+++ b/template/en/default/list/list.atom.tmpl
@@ -19,8 +19,9 @@
 # Contributor(s): Walter Hoehn <wassa@columbia.edu>
 # John Belmonte <john@neggie.net>
 # Jason Remillard <jremillardshop@letterboxes.org>
+ # Phil Ringnalda <bugzilla@philringnalda.com>
 #
- # This is a template for generating an RSS 1.0 representation of a buglist.
+ # This is a template for generating an Atom representation of a buglist.
 #%]
 [% PROCESS global/variables.none.tmpl %]
@@ -29,42 +30,32 @@ [% DEFAULT title = "$terms.Bugzilla $terms.Bugs" %] <?xml version="1.0"[% IF Param('utf8') %] encoding="UTF-8"[% END %]?> -<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" - xmlns:sy="http://purl.org/rss/1.0/modules/syndication/" - xmlns:dc="http://purl.org/dc/elements/1.1/" - xmlns="http://purl.org/rss/1.0/"> - <channel rdf:about="[% Param('urlbase') %]buglist.cgi? - [%- urlquerypart.replace('ctype=rss[&]?','') FILTER xml %]" > - - <title>[% title FILTER xml %] - [% "$terms.Bugzilla $terms.bug list" FILTER xml %] - - [% Param('urlbase') %]buglist.cgi? - [%- urlquerypart.replace('ctype=rss[&]?','') FILTER xml -%] - - - hourly - 2 - - - - [% FOREACH bug = bugs %] - - [% END %] - - - - - + + [% title FILTER xml %] + + + [% date.format(format=>"%Y-%m-%dT%H:%M:%SZ", + time=>bugs.nsort('changedtime').last.changedtime, + gmt=>1) FILTER xml %] + [% Param('urlbase') %]buglist.cgi?[% urlquerypart FILTER xml %] + [% FOREACH bug = bugs %] - - - [% "@" IF bug.secure_mode %] [[% terms.Bug %] [%+ bug.bug_id FILTER xml %]] [% bug.short_desc FILTER xml %] - - [% Param('urlbase') FILTER xml %]show_bug.cgi?id=[% bug.bug_id FILTER xml %] - [% bug.reporter_realname FILTER xml %] - [% date.format(format=>"%Y-%m-%dT%H:%MZ",time=>bug.opentime,gmt=>1) FILTER xml %] - + + [% "@" IF bug.secure_mode %][[% terms.Bug %] [%+ bug.bug_id FILTER xml %]] [% bug.short_desc FILTER xml %] + + [% Param('urlbase') FILTER xml %]show_bug.cgi?id=[% bug.bug_id FILTER xml %] + + [% bug.reporter_realname FILTER xml %] + + [% date.format(format=>"%Y-%m-%dT%H:%M:%SZ",time=>bug.changedtime, + gmt=>1) FILTER xml %] + [%# Filter out the entire block, so that we don't need to escape the html code out %] [% FILTER xml %] @@ -91,7 +82,7 @@
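Review bot: The feed-level URL `[% Param('urlbase') %]buglist.cgi?[% urlquerypart FILTER xml %]` leaves `Param('urlbase')` unescaped while every other use of it in this hunk is written `Param('urlbase') FILTER xml`; the same value should be treated the same way everywhere, `[% Param('urlbase') FILTER xml %]buglist.cgi?[% urlquerypart FILTER xml %]`, since an unescaped `&` in the configured base URL makes the document ill-formed XML. Separately, the feed timestamp is computed from `bugs.nsort('changedtime').last.changedtime`, which is undefined when the query returns no bugs; what `date.format` emits for that case is not visible here and should be confirmed or given an explicit fallback. The surrounding element markup has been stripped from this view, so which Atom elements these directives populate could not be checked.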
[% END %] - - +
+
[% END %] - +
diff --git a/template/en/default/list/list.html.tmpl b/template/en/default/list/list.html.tmpl
index 85b7d73167..5ac715a0cb 100644
--- a/template/en/default/list/list.html.tmpl
+++ b/template/en/default/list/list.html.tmpl
@@ -48,15 +48,15 @@
 [% PROCESS global/header.html.tmpl title = title style = style
- rsslink = "buglist.cgi?$urlquerypart&title=$title&ctype=rss"
+ atomlink = "buglist.cgi?$urlquerypart&title=$title&ctype=atom" %]
- [% IF Param('timezone') %] - [% time2str("%a %b %e %Y %T %Z", currenttime, Param('timezone')) %]
- [% ELSE %] - [% time2str("%a %b %e %Y %T", currenttime) %]
- [% END %] + [% IF Param('timezone') %] + [% time2str("%a %b %e %Y %T %Z", currenttime, Param('timezone')) %]
+ [% ELSE %] + [% time2str("%a %b %e %Y %T", currenttime) %]
+ [% END %] [% IF debug %]
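Review bot: `+ atomlink = "buglist.cgi?$urlquerypart&title=$title&ctype=atom"` interpolates `title` into a query string without URL-encoding it, so a title containing `&`, `#` or `%` produces a different query than intended when the feed URL is fetched; the `FILTER html` applied in header.html.tmpl only escapes the finished string for the attribute and does not repair this. Encode the value first, e.g. `[% encoded_title = BLOCK %][% title FILTER uri %][% END %]` and then `atomlink = "buglist.cgi?$urlquerypart&title=$encoded_title&ctype=atom"`. Where `title` originates is outside this hunk, so whether it can carry user-supplied text is inferred rather than seen; the hunk's remaining lines are garbled in this view and were not reviewed.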

@@ -169,7 +169,7 @@ [% urlquerypart FILTER html %]&ctype=csv">CSV | RSS | + [%- title FILTER html %]&ctype=atom">Feed | iCalendar |