authorFrédéric Buclin <LpSolit@gmail.com>2012-11-13 18:11:32 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2012-11-13 18:11:32 +0100
commit4f5274a7f9e87452ef8839f75c488e9316a3ef06 (patch)
tree88d7ebaadab41899833d7417161ae60eccacf9ae
parentFix typo (diff)
Bug 731178 (CVE-2012-4199): [SECURITY] field-events.js.tmpl discloses product and component names that the user is not allowed to see
r=dkl a=LpSolit
-rw-r--r--template/en/default/bug/field-events.js.tmpl9
-rw-r--r--template/en/default/bug/field.html.tmpl2
2 files changed, 8 insertions, 3 deletions
diff --git a/template/en/default/bug/field-events.js.tmpl b/template/en/default/bug/field-events.js.tmpl
index 06fba1245..80e6799f1 100644
--- a/template/en/default/bug/field-events.js.tmpl
+++ b/template/en/default/bug/field-events.js.tmpl
@@ -19,12 +19,17 @@
[%# INTERFACE:
# field: a Bugzilla::Field object
+ # product: (optional) a Bugzilla::Product object.
#%]
[% FOREACH controlled_field = field.controls_visibility_of %]
+ [% vis_value = controlled_field.visibility_value %]
+ [% NEXT IF field.name == "product"
+ && vis_value.id != product.id
+ && !user.can_enter_product(vis_value) %]
+
showFieldWhen('[% controlled_field.name FILTER js %]',
- '[% field.name FILTER js %]',
- '[% controlled_field.visibility_value.name FILTER js %]');
+ '[% field.name FILTER js %]', '[% vis_value.name FILTER js %]');
[% END %]
[% FOREACH legal_value = field.legal_values %]
[% FOREACH controlled_field = legal_value.controlled_values.keys %]
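Review bot: The new `NEXT IF` guard protects only the `controls_visibility_of` loop, while the `field.legal_values` loop that begins at the end of this hunk (its body continues outside the hunk) still iterates every legal value and its controlled values with no `can_enter_product` check, so for the product field the same disclosure path appears to remain there unless it is filtered elsewhere. The commit title also names component disclosure, yet the filter is keyed solely on `field.name == "product"`; if a component can serve as a visibility-control field, a parallel check would be needed — confirm against the fields Bugzilla::Field accepts as visibility controls. The condition also deserves an inline comment, since the `vis_value.id != product.id` clause relies on the optional `product` argument and an absent `product` silently widens the filter to all non-enterable products, e.g. `[%# Skip products the user cannot enter (except the bug's own product) so the emitted JS does not leak product names. %]`.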
diff --git a/template/en/default/bug/field.html.tmpl b/template/en/default/bug/field.html.tmpl
index bb678d79d..d775d1f4e 100644
--- a/template/en/default/bug/field.html.tmpl
+++ b/template/en/default/bug/field.html.tmpl
@@ -171,7 +171,7 @@
<script type="text/javascript">
<!--
initHidingOptionsForIE('[% field.name FILTER js %]');
- [%+ INCLUDE "bug/field-events.js.tmpl" field = field %]
+ [%+ INCLUDE "bug/field-events.js.tmpl" field = field product = bug.product_obj %]
//-->
</script>