Very unfortunate. :( I think this is the fault of global/tabs.html.tmpl. I think that is only used by productdashboard and the search tabs. Search tabs do not allow user-generated content into the tabs array. I note that global/tabs.html.tmpl exists in the filterexceptions.pl -- which I think adds insult to injury. Working on a fix next.
Created attachment 8721968 [details] [diff] [review] 1250114_1.patch filterexceptions isn't the cause of this error. The value in question was already filtered -- for HTML content. We need to filter tabs.link for JS and then for HTML. Alternatively, we could remove the onclick handler, as it seems to be pretty useless.
Comment on attachment 8721968 [details] [diff] [review] 1250114_1.patch Review of attachment 8721968 [details] [diff] [review]: ----------------------------------------------------------------- r=glob
This bug has been introduced by bug 321556 in 2.23.4.
Yeah, filterexceptions can tell if values are filtered, but it can't tell if they are filtered the right way :-| Not sure if we'd be able to make it that smart. Gerv
We definitely can not -- but we can prevent this and future bugs by a having a good CSP policy.
Actually, this is not a security bug as in a vanilla Bugzilla installation we only have two places where we call global/tabs.html.tmpl, and none of them passes user-controlled data to tabs. So this is rather a security improvement. No need for a secadv, meaning that it can be checked in immediately (after appropriate a+, of course).
To ssh://email@example.com/bugzilla/bugzilla.git ee24e1e..01ad7ac 4.4 -> 4.4 To ssh://firstname.lastname@example.org/bugzilla/bugzilla.git 6c705e8..a59f1e9 5.0 -> 5.0 To ssh://email@example.com/bugzilla/bugzilla.git a35c986..54f8e93 master -> master