Closed
Bug 146447
Opened 23 years ago
Closed 22 years ago
cross-site scripting bug with bugzilla user's name
Categories
(Bugzilla :: Bugzilla-General, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 2.14
People
(Reporter: janmoesen_=-bugzilla-=+spamtrap, Assigned: justdave)
Details
(Whiteboard: [SECURITY] applied to 2.14.2)
Attachments
(2 files)
|
723 bytes,
patch
|
gerv
:
review+
justdave
:
review+
|
Details | Diff | Splinter Review |
|
1.32 KB,
patch
|
gerv
:
review+
CodeMachine
:
review+
|
Details | Diff | Splinter Review |
I changed my full name to <b>Jan!</b> and that worked (as in: bold font).
Similary, when I changed it to
Jan! <script>alert("XSS: see bug #!\n\n" + document.cookie)</script>
that ran the script without a hitch. This is a simple way to steal people's
cookies, and should be avoided, by escaping/"de-HTML-ing" any and all user input.
|
||
Comment 1•22 years ago
|
||
-> security group
I think I fixed this for 2.16/2.17 when I did the general html filtering
cleanup. That was templated, so it can't be backported to 2.14.
Group: webtools-security?
|
||
Comment 2•22 years ago
|
||
This problem is already fixed on the tip, and this patch just fixed it on b.m.o
and also applies to the 2.14.1 branch.
|
||
Comment 3•22 years ago
|
||
Comment on attachment 84823 [details] [diff] [review]
backported patch to 2.14.1
r=gerv.
Gerv
Attachment #84823 -
Flags: review+
|
Reporter | |
Comment 4•22 years ago
|
||
seems to wfm :-)
thanks for fixing
|
|
||
Comment 5•22 years ago
|
||
Did "Jan!" change the user name back? This morning, I got an alert, and not I
don't, but I don't see the <script> tags at all, even escaped.
Did any other place need this (assignee and/or bug comment?)
|
|
||
Comment 6•22 years ago
|
||
Wanted for 2.14.2. (BTW, we should be using a groupset query rather than status
whiteboard for security bugs, now we have our own group)
Whiteboard: [SECURITY] Wanted for 2.14.2
Target Milestone: --- → Bugzilla 2.14
|
Assignee | |
Comment 7•22 years ago
|
||
Comment on attachment 84823 [details] [diff] [review]
backported patch to 2.14.1
r= justdave
pretty obvious.
Attachment #84823 -
Flags: review+
|
|
Assignee | |
Comment 8•22 years ago
|
||
leave the security bit set and change the status whiteboard to "applied to
2.14.2" after you check it in. That's what I'm looking for for buglist of what
went into it when we release it.
|
|
Reporter | |
Comment 9•22 years ago
|
||
Re: #5, Bradley Baetz: yes, I changed my name. Any and all tags are now escaped,
or so it seems.
|
|
||
Comment 10•22 years ago
|
||
Checked in to branch BUGZILLA-2_14_1-BRANCH (note: it needs to be made more
clear on www.bugzilla.org what the branch name is.)
Checking in bug_form.pl;
/cvsroot/mozilla/webtools/bugzilla/bug_form.pl,v <-- bug_form.pl
new revision: 1.70.2.3; previous revision: 1.70.2.2
done
Gerv
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Whiteboard: [SECURITY] Wanted for 2.14.2 → [SECURITY] applied to 2.14.2
|
|
||
Comment 11•22 years ago
|
||
No, they're not... New patch coming.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [SECURITY] applied to 2.14.2 → [SECURITY] first part applied to 2.14.2
|
|
||
Comment 12•22 years ago
|
||
This fixes the other usages of realname in bugform.pl for 2.14. This has
already been fixed for 2.16.
Do we use realname anywhere else? Its value_quote'd in editusers.cgi.
|
|
||
Comment 13•22 years ago
|
||
Comment on attachment 85079 [details] [diff] [review]
part 2
r=gerv; I'll take you word for it that there aren't any more.
Should we be searching every CGI for these? :-|
Gerv
Attachment #85079 -
Flags: review+
|
||
Comment 14•22 years ago
|
||
Yes Gerv, we decided on IRC that's your job.
|
|
||
Comment 15•22 years ago
|
||
I grepped 2.14 for DBID_to_real_or_loginname, and that was it. I don't know of
anywhere else we currently use the realname. Do you?
I went through 2.16 a while back to fix these issues, although I didn't consider
the security aspect. I don't know if what I did could be considered an audit,
though.
|
|
||
Comment 16•22 years ago
|
||
I meant "should we check everywhere we print something without escaping it
first?" That would be a big job...
Gerv
|
|
||
Comment 17•22 years ago
|
||
As I said, I tried to do that a while back, on the template stuff. I got
everywhere I noticed, but that doesn't mean that I got everywhere...
|
|
||
Comment 18•22 years ago
|
||
Yes, but you did it for 2.16, didn't you? I'm talking about 2.14.2.
Gerv
|
|
||
Updated•22 years ago
|
Attachment #85079 -
Flags: review+
|
||
Comment 19•22 years ago
|
||
Comment on attachment 85079 [details] [diff] [review]
part 2
Looks good to me, but I agree w/ Gerv... maybe someone needs to audit the
source for this; are we *sure* this doesn't affect 2.16rc1?
|
|
||
Comment 20•22 years ago
|
||
Checked into the branch. Anyone who wants to audit, feel free.
Status: REOPENED → RESOLVED
Closed: 22 years ago → 22 years ago
Resolution: --- → FIXED
Whiteboard: [SECURITY] first part applied to 2.14.2 → [SECURITY] applied to 2.14.2
|
||
Updated•12 years ago
|
QA Contact: matty_is_a_geek → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•