Closed
Bug 154030
Opened 23 years ago
Closed 23 years ago
HTML directory indexer doesn't html-escape url
Categories: Core :: Security, defect, P1
Tracking: VERIFIED FIXED, mozilla1.0.1
People: Reporter: bbaetz, Assigned: bbaetz
Whiteboard: [FIXED ON TRUNK][FIXED ON BRANCH]
Attachments (1 file)
patch (1.86 KB): dougt: review+; jud: superreview+; jud: approval+
As reported by ptrs-ejy@bp.iij4u.or.jp to the security group, the uri (which is
added to the page) isn't html escaped:
<quote>
+ Exploit code:
~~~~~~~~~~~~~~~~~
<a href="ftp://'FTPserver' or
'FTP+HTTPserver'/#%3C%2ftitle%3E%3Cscript%3Ealert(%22exploit%22);%3C%2fscript%3E">Exploit</a>
</quote>
(You need to add a valid ftp server in there)
Patch coming
Comment 1•23 years ago (Assignee)
This rearranges code a bit so that we don't leak while using the raw pointers
the escaping functions require (Also fixes an existing leak of |spec|, too)
Comment 2•23 years ago (Assignee)
Comment on attachment 89011 (patch)
r=dougt
Attachment #89011 - Flags: review+
Comment 3•23 years ago (Assignee)
*** Bug 154029 has been marked as a duplicate of this bug. ***
Comment 4•23 years ago
Comment on attachment 89011 (patch)
>Index: nsIndexedToHTML.cpp
>+ char* spec = nsCRT::strdup(titleUri.get());
>+ nsXPIDLString unEscapeSpec;
>+ rv = mTextToSubURI->UnEscapeAndConvert(encoding, spec,
>+ getter_Copies(unEscapeSpec));
>+ nsCRT::free(spec);
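Review bot: the nsCRT::strdup result in the first `+` line is handed to UnEscapeAndConvert with no null check, and the copy is unnecessary because that parameter is `const char *`; passing `titleUri.get()` directly removes both the allocation and the `nsCRT::free(spec);` line. The quoted lines end at the unescape step, so the HTML-escaping of `unEscapeSpec` that this bug is about is not visible here for review.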
why strdup? second param to UnEscapeAndConvert is |const char *|, so
what's wrong with |titleUri.get()|?
justify/fix and sr=darin
Comment 5•23 years ago (Assignee)
darin: Historical reasons - that used to call nsUnescape.
Checked in with that change to the trunk; I'll mail drivers for the branch.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Keywords: approval, mozilla1.0.1
Priority: -- → P1
Resolution: --- → FIXED
Whiteboard: [FIXED ON TRUNK]
Comment 6•23 years ago
Comment on attachment 89011 (patch)
adding darin's sr.
Attachment #89011 - Flags: superreview+
Attachment #89011 - Flags: approval+
Comment 7•23 years ago
please checkin to the 1.0.1 branch. once there, remove the "mozilla1.0.1+"
keyword and add the "fixed1.0.1" keyword.
Keywords: mozilla1.0.1 → mozilla1.0.1+
Comment 8•23 years ago (Assignee)
Fixed on branch, too (after my checkin last night was backed out because the
tree was closed. Oops)
Keywords: mozilla1.0.1+ → fixed1.0.1
Whiteboard: [FIXED ON TRUNK] → [FIXED ON TRUNK][FIXED ON BRANCH]
Verified on 2002-06-27-trunk and 2002-06-27-branch build on Win2K.
Above URL displays the directory contents.
Status: RESOLVED → VERIFIED
Keywords: fixed1.0.1 → verified1.0.1
Updated•23 years ago
Group: security?