Bug 195530 - Make javascript version of buglists available, part 2. This is a…

Bug 195530 - Make javascript version of buglists available, part 2. This is a security fix to prevent remote sites being able to see sensitive bug data. Patch by gerv; r=justdave, r=myk, a=justdave.

Bug 195530 - Make javascript version of buglists available, part 2. This is a…
fc7ebc28 · gerv%gerv.net · ee4db0ae · fc7ebc28 · fc7ebc28
Commit fc7ebc28 authored Nov 09, 2003 by gerv%gerv.net
Show whitespace changes
Inline Side-by-side

Showing with 15 additions and 0 deletions

buglist.cgi buglist.cgi +10 -0

list.js.tmpl template/en/default/list/list.js.tmpl +5 -0

No files found.
--- a/buglist.cgi
+++ b/buglist.cgi
@@ -88,6 +88,16 @@ if ($::FORM{'format'} && $::FORM{'format'} eq "rdf" && !$::FORM{'ctype'}) {
    delete($::FORM{'format'});
 }
+# The js ctype presents a security risk; a malicious site could use it  
+# to gather information about secure bugs. So, we only allow public bugs to be
+# retrieved with this format.
+#
+# Note that if and when this call clears cookies or has other persistent 
+# effects, we'll need to do this another way instead.
+if ($::FORM{'ctype'} eq "js") {
+    Bugzilla->logout();
+}
 # Determine the format in which the user would like to receive the output.
 # Uses the default format if the user did not specify an output format;
 # otherwise validates the user's choice against the list of available formats.

--- a/template/en/default/list/list.js.tmpl
+++ b/template/en/default/list/list.js.tmpl
@@ -18,6 +18,11 @@
  #
  # Contributor(s): Gervase Markham <gerv@gerv.net>
  #%]
+// Note: only publicly-accessible bugs (those not in any group) will be
+// listed when using this JavaScript format. This is to prevent malicious
+// sites stealing information about secure bugs.
 bugs = new Array; 
 [% FOREACH bug = bugs %]