Bug 314659 - Provide more information for the Atom summary
Status: RESOLVED FIXED
Product: Bugzilla
Classification: Server Software
Component: Query/Bug List
Version: 2.21
Platform: All All
Importance: -- enhancement
Target Milestone: Bugzilla 3.2
Assigned To: Frédéric Buclin
QA Contact: default-qa
Duplicates: 387104
Depends on: 313441 367674
Blocks: 127799
Reported: 2005-11-01 13:01 PST by Frédéric Buclin
Modified: 2008-07-01 00:07 PDT
LpSolit: approval+


Attachments
patch, v1 (3.37 KB, patch)
2005-11-01 14:20 PST, Frédéric Buclin
bugreport: review+
patch, v2 (3.34 KB, patch)
2007-01-15 13:26 PST, Frédéric Buclin
bugzilla-mozilla: review-
patch, v3 (3.83 KB, patch)
2007-01-21 05:23 PST, Frédéric Buclin
bugzilla-mozilla: review+

Description Frédéric Buclin 2005-11-01 13:01:55 PST
The reporter should be in the summary itself, as well as the resolution of the bug (actually, only its status is given) and its description (aka comment 0).
Comment 1 Frédéric Buclin 2005-11-01 14:20:53 PST
Created attachment 201561
patch, v1
Comment 2 Dave Miller [:justdave] (justdave@bugzilla.org) 2005-11-21 09:02:16 PST
This patch also seems to fix bug 127799 as a side effect...
Comment 3 Frédéric Buclin 2006-02-21 09:48:44 PST
list.rss.html no longer exists.
Comment 4 Frédéric Buclin 2006-08-05 16:26:37 PDT
I don't have time to play with it before 3.0
Comment 5 Frédéric Buclin 2007-01-15 13:26:17 PST
Created attachment 251569
patch, v2

Compared to the initial patch, I dropped the initial comment. We can add it separately if we want to.
Comment 6 Olav Vitters 2007-01-21 02:45:29 PST
Comment on attachment 251569
patch, v2

>Index: template/en/default/list/list.atom.tmpl

>+      </tr><tr class="bz_feed_assignee">
>         <td>[% columns.assigned_to_realname.title FILTER none %]</td>
>         <td>[% bug.assigned_to_realname FILTER none %]</td>
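
Review bot: In the bz_feed_assignee row, the value cell prints bug.assigned_to_realname with FILTER none, so a user-chosen real name containing markup is written into the row unescaped. Use FILTER html on the value, and on columns.assigned_to_realname.title unless it is fixed template text.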

I do not understand why this is FILTER none. If I change my realname to 'Olav <b>Vitters</b>' Firefox shows Vitters as bold within the Atom field, just as I would expect. I did see the FILTER xml, but that is just some Atom-specific thing (because the HTML has to be escaped). Bug.assigned_to_realname should still be escaped, otherwise Atom clients which interpret the <td> will look at a <b> (etc) within a realname as well. Same for the other fields.
Comment 7 Frédéric Buclin 2007-01-21 05:23:43 PST
Created attachment 252207
patch, v3

FILTER none -> FILTER html in the <summary> section as it uses type="html" and all HTML tags MUST be filtered, per the Atom specs: http://www.ietf.org/rfc/rfc4287
Comment 8 Max Kanat-Alexander 2007-01-21 07:35:36 PST
Comment on attachment 252207
patch, v3

By the way, why didn't you just change it to serve up columns based on the columnlist parameter? This is what clients keep asking me for, personally.
Comment 9 Frédéric Buclin 2007-01-21 08:11:48 PST
Phil, it appears that the data in <summary> is currently incorrectly escaped, see my patch. Is there actually any *security* risk? If yes, then we will have to backport the filtering part of my patch on all branches.
Comment 10 Max Kanat-Alexander 2007-01-21 08:25:50 PST
I'm fairly sure that this is a security bug for the same reason that bug 313441 was.
Comment 11 Frédéric Buclin 2007-01-21 09:13:46 PST
Note that I couldn't exploit this issue with the Sage extension of Firefox. It seems to sanitize the fields for me (at least when the field contains <script>, </tr>, </td>, ...).
Comment 12 Phil Ringnalda (:philor) 2007-01-21 11:58:52 PST
Sigh. Yes, it's security and needs to be backported, because an untrusted person could assign himself to a bug you'll see, with a script-injecting realname. Sorry, I'm too used to systems that would refuse or strip that realname on input, rather than escape it on output. 
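
The two escaping layers discussed in comments 6 and 7, and the risk confirmed in comment 12, as an added Python example (not Bugzilla's own code, which is Perl with Template Toolkit). The function names are hypothetical and the entry is a constructed sample that reuses the real name from comment 6; it lists which HTML tags a feed reader would see after undoing the XML layer.

```python
import html
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from xml.sax.saxutils import escape as xml_escape

ATOM_NS = "{http://www.w3.org/2005/Atom}"
REALNAME = "Olav <b>Vitters</b>"  # the real name quoted in comment 6


def build_entry(realname, filter_value):
    """Render a constructed Atom entry with a <summary type="html"> table row.

    filter_value=False models FILTER none on the field, True models FILTER html.
    xml_escape models the XML-level escaping of the whole summary, which is
    needed in both cases and does not replace the inner HTML filter.
    """
    cell = html.escape(realname) if filter_value else realname
    row = '<tr class="bz_feed_assignee"><td>Assignee</td><td>%s</td></tr>' % cell
    return ('<entry xmlns="http://www.w3.org/2005/Atom">'
            '<title>constructed sample bug</title>'
            '<summary type="html">%s</summary></entry>'
            % xml_escape("<table>%s</table>" % row))


class TagCollector(HTMLParser):
    """Records every start tag found in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_seen_by_reader(entry_xml):
    """Parse the XML as a feed reader does, then list the HTML tags in the summary."""
    summary = ET.fromstring(entry_xml).find(ATOM_NS + "summary")
    collector = TagCollector()
    collector.feed(summary.text)
    collector.close()
    return collector.tags


def unexpected_tags(entry_xml, allowed=("table", "tr", "td")):
    """Tags that did not come from the template itself, i.e. from field data."""
    return [t for t in tags_seen_by_reader(entry_xml) if t not in allowed]


if __name__ == "__main__":
    for label, flag in (("FILTER none", False), ("FILTER html", True)):
        print(label, "->", unexpected_tags(build_entry(REALNAME, flag)))
```
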
Comment 13 Dave Miller [:justdave] (justdave@bugzilla.org) 2007-01-31 07:01:48 PST
Since I don't see it mentioned here, the security portion of this bug was spun off as bug 367674.
Comment 14 Max Kanat-Alexander 2007-02-02 17:06:07 PST
Security advisory posted for bug 367674, so unlocking this bug.
Comment 15 Frédéric Buclin 2007-02-26 08:14:52 PST
Checking in buglist.cgi;
/cvsroot/mozilla/webtools/bugzilla/buglist.cgi,v  <--  buglist.cgi
new revision: 1.352; previous revision: 1.351
done
Checking in template/en/default/list/list.atom.tmpl;
/cvsroot/mozilla/webtools/bugzilla/template/en/default/list/list.atom.tmpl,v  <--  list.atom.tmpl
new revision: 1.3; previous revision: 1.2
done
Comment 16 Frédéric Buclin 2007-07-06 14:26:53 PDT
*** Bug 387104 has been marked as a duplicate of this bug. ***
Comment 17 Max Kanat-Alexander 2008-07-01 00:07:27 PDT
Added to the release notes for Bugzilla 3.2 in a patch on bug 432331.
