Fix for bug 315479 part 1: Cross-site scripting security holes in templates. The remaining templates will be fixed in the next checkin.

2005-11-11 00:06:45 +00:00 · 2005-11-11 00:06:45 +00:00 · 050d006a31
--- a/webtools/litmus/t/005filter.t
+++ b/webtools/litmus/t/005filter.t
@ -46,7 +46,7 @@ $/ = undef;

 foreach my $path (@Support::Templates::include_paths) {
    $path =~ s|\\|/|g if $^O eq 'MSWin32';  # convert \ to / in path if on windows
-    $path =~ m|template/([^/]+)/([^/]+)|;
+    $path =~ m|templates/([^/]+)/([^/]+)|;
    my $lang = $1;
    my $flavor = $2;

@ -153,13 +153,14 @@ foreach my $path (@Support::Templates::include_paths) {
 sub directive_ok {
    my ($file, $directive) = @_;

-    # Comments
-    return 1 if $directive =~ /^[+-]?#/;        
-
    # Remove any leading/trailing + or - and whitespace.
    $directive =~ s/^[+-]?\s*//;
    $directive =~ s/\s*[+-]?$//;

+
+    # Comments
+    return 1 if $directive =~ /^[+-]?#/;        
+
    # Empty directives are ok; they are usually line break helpers
    return 1 if $directive eq '';

@ -187,7 +188,7 @@ sub directive_ok {
    return 1 if $directive =~ /^[0-9]+$/;

    # Simple assignments
-    return 1 if $directive =~ /^[\w\.\$]+\s+=\s+/;
+    return 1 if $directive =~ /^[\w\.\$]+\s?=\s?/;

    # Conditional literals with either sort of quotes 
    # There must be no $ in the string for it to be a literal
--- a/webtools/litmus/templates/en/default/filterexceptions.pl
+++ b/webtools/litmus/templates/en/default/filterexceptions.pl
@ -0,0 +1,47 @@
+# -*- Mode: perl; indent-tabs-mode: nil -*-
+#
+# The contents of this file are subject to the Mozilla Public
+# License Version 1.1 (the "License"); you may not use this file
+# except in compliance with the License. You may obtain a copy of
+# the License at http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS
+# IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+# implied. See the License for the specific language governing
+# rights and limitations under the License.
+#
+# The Original Code are the Bugzilla tests.
+#
+# The Initial Developer of the Original Code is Jacob Steenhagen.
+# Portions created by Jacob Steenhagen are
+# Copyright (C) 2001 Jacob Steenhagen. All
+# Rights Reserved.
+#
+# Contributor(s): Gervase Markham <gerv@gerv.net>
+#				  Zach Lipton <zach@zachlipton.com>
+
+# Important! The following classes of directives are excluded in the test,
+# and so do not need to be added here. Doing so will cause warnings.
+# See 008filter.t for more details.
+#
+# Comments                        - [%#...
+# Directives                      - [% IF|ELSE|UNLESS|FOREACH...
+# Assignments                     - [% foo = ...
+# Simple literals                 - [% " selected" ...
+# Values always used for numbers  - [% (i|j|k|n|count) %]
+# Params                          - [% Param(...
+# Safe functions                  - [% (time2str|GetBugLink)...
+# Safe vmethods                   - [% foo.size %] [% foo.length %]
+#                                   [% foo.push() %]
+# TT loop variables               - [% loop.count %]
+# Already-filtered stuff          - [% wibble FILTER html %]
+#   where the filter is one of html|csv|js|url_quote|quoteUrls|time|uri|xml|none
+
+%::safe = (
+
+'variables.none.tmpl' => [
+  'selname',
+  'onchangereal',
+],
+
+);
--- a/webtools/litmus/templates/en/default/form_widgets/input_test_id.tmpl
+++ b/webtools/litmus/templates/en/default/form_widgets/input_test_id.tmpl
@ -1 +1,6 @@
-<input type="text" size="10" name="test_id" value="[% IF defaults.test_id!='' %][% defaults.test_id %][% ELSE %]-Testcase ID#-[% END %]" onFocus="if(this.value=='-Test #-'){this.value = '';}">
+<input type="text" size="10" name="test_id" 
+    value="[% IF defaults.test_id != '' %]
+        [% defaults.test_id FILTER html %]
+    [% ELSE %]-Testcase ID#-
+    [% END %]" 
+  onFocus="if(this.value=='-Test #-'){this.value = '';}">
--- a/webtools/litmus/templates/en/default/form_widgets/radio_testresults.tmpl
+++ b/webtools/litmus/templates/en/default/form_widgets/radio_testresults.tmpl
@ -1,25 +1,32 @@
 <table class="radio-testresults">
  <tr class="not-run">
-    <td><input type="radio" name="testresult_[% test_id %]" id="testresult_[% test_id %]_0" value="0" checked="checked" /></td><td><label for="testresult_[% test_id %]_0">Not Run</label>
+    <td><input type="radio" name="testresult_[% test_id | html %]" 
+    id="testresult_[% test_id | html %]_0" value="0" checked="checked"/>
+    </td><td><label for="testresult_[% test_id | html %]_0">Not Run</label>
    </td>
  </tr>

  <tr class="pass">
-    <td><input type="radio" name="testresult_[% test_id %]" id="testresult_[% test_id %]_1" value="1" /></td><td><label for="testresult_[% test_id %]_1">Pass</label>
+    <td><input type="radio" name="testresult_[% test_id | html %]" 
+    id="testresult_[% test_id | html %]_1" value="1" />
+    </td><td><label for="testresult_[% test_id | html %]_1">Pass</label>
    </td>
  </tr>

  <tr class="fail">
-    <td><input type="radio" name="testresult_[% test_id %]" id="testresult_[% test_id %]_2" value="2" /></td><td><label for="testresult_[% test_id %]_2">Fail</label>
+    <td><input type="radio" name="testresult_[% test_id | html %]" 
+    id="testresult_[% test_id | html %]_2" value="2"/>
+    </td><td><labelfor="testresult_[% test_id | html %]_2">Fail</label>
    </td>
  </tr>

  <tr class="unclear">
-    <td><input type="radio" name="testresult_[% test_id %]" id="testresult_[% test_id %]_3" value="3" /></td><td><label for="testresult_[% test_id %]_3">Test unclear/broken</label>
+    <td><input type="radio" name="testresult_[% test_id | html %]" 
+    id="testresult_[% test_id | html %]_3" value="3" />
+    </td><td><label for="testresult_[% test_id | html %]_3">
+      Test unclear/broken</label>
    </td>
  </tr>

 </table>

-
-
--- a/webtools/litmus/templates/en/default/form_widgets/select_branch.tmpl
+++ b/webtools/litmus/templates/en/default/form_widgets/select_branch.tmpl
@ -2,7 +2,8 @@
    <option value="">-Branch-</option>
 [% IF branches %]
 [% FOREACH branch=branches %]
-    <option[% IF defaults.branch==branch.name %] selected[% END %] value="[% branch.name %]">[% branch.name %]</option>
+    <option[% IF defaults.branch==branch.name | html %] selected[% END %] 
+        value="[% branch.name | html %]">[% branch.name | html %]</option>
 [% END %]
 [% END %]
 </select>
--- a/webtools/litmus/templates/en/default/form_widgets/select_match_criteria.tmpl
+++ b/webtools/litmus/templates/en/default/form_widgets/select_match_criteria.tmpl
@ -1,7 +1,8 @@
 <select name="[% name %]">
 [% IF match_criteria %]
 [% FOREACH match_criterion=match_criteria %]
-    <option value="[% match_criterion.name %]">[% match_criterion.display_string %]</option>
+    <option value="[% match_criterion.name | html %]">
+      [% match_criterion.display_string | html %]</option>
 [% END %]
 [% END %]
 </select>
--- a/webtools/litmus/templates/en/default/form_widgets/select_platform.tmpl
+++ b/webtools/litmus/templates/en/default/form_widgets/select_platform.tmpl
@ -2,7 +2,8 @@
    <option value="">-Platform-</option>
 [% IF platforms %]
 [% FOREACH platform=platforms %]
-    <option[% IF defaults.platform==platform.name %] selected[% END %] value="[% platform.name %]">[% platform.name %]</option>
+    <option[% IF defaults.platform==platform.name | html %] selected[% END %] 
+       value="[% platform.name %]">[% platform.name | html %]</option>
 [% END %]
 [% END %]
 </select>
--- a/webtools/litmus/templates/en/default/form_widgets/select_product.tmpl
+++ b/webtools/litmus/templates/en/default/form_widgets/select_product.tmpl
@ -2,7 +2,8 @@
    <option value="">-Product-</option>
 [% IF products %]
 [% FOREACH product=products %]
-    <option[% IF defaults.product==product.name %] selected[% END %] value="[% product.name %]">[% product.name %]</option>
+    <option[% IF defaults.product==product.name %] selected[% END %] 
+        value="[% product.name | html %]">[% product.name | html %]</option>
 [% END %]
 [% END %]
 </select>
--- a/webtools/litmus/templates/en/default/form_widgets/select_result_status.tmpl
+++ b/webtools/litmus/templates/en/default/form_widgets/select_result_status.tmpl
@ -2,7 +2,9 @@
    <option value="">-Status-</option>
 [% IF result_statuses %]
 [% FOREACH result_status=result_statuses %]
-    <option[% IF defaults.result_status==result_status.class_name %] selected[% END %] value="[% result_status.class_name %]">[% result_status.class_name %]</option>
+    <option[% IF defaults.result_status==result_status.class_name %] 
+      selected[% END %] value="[% result_status.class_name | html %]">
+      [% result_status.class_name | html %]</option>
 [% END %]
 [% END %]
 </select>
--- a/webtools/litmus/templates/en/default/form_widgets/select_search_field.tmpl
+++ b/webtools/litmus/templates/en/default/form_widgets/select_search_field.tmpl
@ -1,8 +1,9 @@
-<select name="[% name %]">
+<select name="[% name | html %]">
    <option value="">-Field-</option>
 [% IF fields %]
 [% FOREACH field=fields %]
-    <option value="[% field.name %]">[% field.display_string %]</option>
+    <option value="[% field.name | html %]">
+      [% field.display_string | html %]</option>
 [% END %]
 [% END %]
 </select>
--- a/webtools/litmus/templates/en/default/form_widgets/select_sort_field.tmpl
+++ b/webtools/litmus/templates/en/default/form_widgets/select_sort_field.tmpl
@ -1,8 +1,9 @@
-<select name="[% name %]">
+<select name="[% name | html %]">
    <option value="">-Sort Field-</option>
 [% IF sort_fields %]
 [% FOREACH sort_field=sort_fields %]
-    <option value="[% sort_field.name %]">[% sort_field.display_string %]</option>
+    <option value="[% sort_field.name | html %]">
+      [% sort_field.display_string | html %]</option>
 [% END %]
 [% END %]
 </select>
--- a/webtools/litmus/templates/en/default/form_widgets/select_sort_order.tmpl
+++ b/webtools/litmus/templates/en/default/form_widgets/select_sort_order.tmpl
@ -1,4 +1,4 @@
-<select name="[% name %]">
+<select name="[% name | html %]">
  <option value="ASC">Ascending (A->Z)</option>
  <option value="DESC">Descending (Z->A)</option>
 </select>
--- a/webtools/litmus/templates/en/default/form_widgets/select_test_group.tmpl
+++ b/webtools/litmus/templates/en/default/form_widgets/select_test_group.tmpl
@ -2,7 +2,9 @@
    <option value="">-Test Group-</option>
 [% IF test_groups %]
 [% FOREACH test_group=test_groups %]
-    <option[% IF defaults.test_group==test_group.name %] selected[% END %] value="[% test_group.name %]">[% test_group.name %]</option>
+    <option[% IF defaults.test_group==test_group.name %] selected[% END %] 
+      value="[% test_group.name | html %]">
+     [% test_group.name | html %]</option>
 [% END %]
 [% END %]
 </select>
--- a/webtools/litmus/templates/en/default/logout.tmpl
+++ b/webtools/litmus/templates/en/default/logout.tmpl
@ -7,7 +7,7 @@

  <div id="content">

-    <h1 class="firstHeading">[% title %]</h1>
+    <h1 class="firstHeading">[% title FILTER html %]</h1>
    You have been successfully logged out of Litmus.

  </div> <!--END content-->
--- a/webtools/litmus/templates/en/default/variables.none.tmpl
+++ b/webtools/litmus/templates/en/default/variables.none.tmpl
@ -57,7 +57,7 @@
            <img src="skins/icons/platform/[% platform.iconpath FILTER html%]" 
                width="20" height="22">
          [% ELSE %]
-            [% platform.name FILTER truncate(6) | html %]
+            [% platform.name | truncate(6) | html %]
          [% END %]
 [% END %]

@ -82,7 +82,7 @@
    <table border="0">
    <tr>
    [% FOREACH curplat = test.product.platforms %]
-      <td style="[% test.state(curplat).style %]">
+      <td style="[% test.state(curplat).style | html %]">
      [% INCLUDE platform_to_img platform=curplat %]
      </td>
    [% END %]
@ -98,7 +98,7 @@
 <div class="hotlist">
    <p>
      <font size="+2">
-        [% title %]
+        [% title FILTER html %]
      </font>
    </p>