Menu
▾
▴
[Frenchmozilla-cvs] bugzilla/template/fr/default/bug edit.html.tmpl, 1.138, 1.139 field-events.js.tmpl, 1.7, 1.8
|
From: Cédric C. <psy...@us...> - 2012-11-14 20:32:19
|
Update of /cvsroot/frenchmozilla/bugzilla/template/fr/default/bug
In directory vz-cvs-3.sog:/tmp/cvs-serv21753/template/fr/default/bug
Modified Files:
edit.html.tmpl field-events.js.tmpl
Log Message:
Bug 731178 (CVE-2012-4199): [SECURITY] field-events.js.tmpl discloses product and component names that the user is not allowed to see
Index: field-events.js.tmpl
===================================================================
RCS file: /cvsroot/frenchmozilla/bugzilla/template/fr/default/bug/field-events.js.tmpl,v
retrieving revision 1.7
retrieving revision 1.8
diff -C2 -d -r1.7 -r1.8
*** field-events.js.tmpl 29 Feb 2012 19:25:23 -0000 1.7
--- field-events.js.tmpl 14 Nov 2012 20:32:17 -0000 1.8
***************
*** 14,22 ****
[% FOREACH controlled_field = field.controls_visibility_of %]
showFieldWhen('[% controlled_field.name FILTER js %]',
'[% field.name FILTER js %]', [
! [%- FOREACH visibility_value = controlled_field.visibility_values -%]
! '[%- visibility_value.name FILTER js -%]'[% "," UNLESS loop.last %]
! [%- END %]
]);
[% END %]
--- 14,33 ----
[% FOREACH controlled_field = field.controls_visibility_of %]
+ [% vis_names = [] %]
+ [% FOREACH visibility_value = controlled_field.visibility_values %]
+ [%# Exclude non-enterable products and components outside the current product. %]
+ [% NEXT IF field.name == "product"
+ && visibility_value.id != product.id
+ && !user.can_enter_product(visibility_value) %]
+ [% NEXT IF field.name == "component" && visibility_value.product_id != product.id %]
+ [% vis_names.push(visibility_value.name) %]
+ [% END %]
+
+ [% NEXT UNLESS vis_names.size %]
showFieldWhen('[% controlled_field.name FILTER js %]',
'[% field.name FILTER js %]', [
! [%~ FOREACH vis_name = vis_names ~%]
! '[% vis_name FILTER js %]'[% "," UNLESS loop.last %]
! [%~ END ~%]
]);
[% END %]
Index: edit.html.tmpl
===================================================================
RCS file: /cvsroot/frenchmozilla/bugzilla/template/fr/default/bug/edit.html.tmpl,v
retrieving revision 1.138
retrieving revision 1.139
diff -C2 -d -r1.138 -r1.139
*** edit.html.tmpl 10 Nov 2012 20:51:57 -0000 1.138
--- edit.html.tmpl 14 Nov 2012 20:32:17 -0000 1.139
***************
*** 9,14 ****
[% PROCESS bug/time.html.tmpl %]
! <script type="text/javascript">
! <!--
[% IF user.is_timetracker %]
var fRemainingTime = [% bug.remaining_time %]; // holds the original value
--- 9,14 ----
[% PROCESS bug/time.html.tmpl %]
! <script type="text/javascript">
! <!--
[% IF user.is_timetracker %]
var fRemainingTime = [% bug.remaining_time %]; // holds the original value
***************
*** 31,34 ****
--- 31,35 ----
[% END %]
+ [% IF user.id %]
/* Index all classifications so we can keep track of the classification
* for the selected product, which could control field visibility.
***************
*** 39,45 ****
[%- product.classification.name FILTER js %]';
[%- END %]
! //-->
! </script>
<form name="changeform" id="changeform" method="post" action="process_bug.cgi">
--- 40,47 ----
[%- product.classification.name FILTER js %]';
[%- END %]
+ [% END %]
! //-->
! </script>
<form name="changeform" id="changeform" method="post" action="process_bug.cgi">
|