Closed Bug 477477 Opened 15 years ago Closed 15 years ago

XSS vulnerability with pushloghtml's 'startdate' and 'enddate' params

Categories

(Developer Services :: Mercurial: hg.mozilla.org, defect)

Product:
Developer Services
Component:
Mercurial: hg.mozilla.org
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: masa141421356, Assigned: reed)

References

(
URL
)

Details

(Keywords: wsec-xss)

Attachments

(2 files, 1 obsolete file)

patch - v1 (untested)
1014 bytes, patch
djc
: review+
Details | Diff | Splinter Review
djc's fix for pushlog-feed.py's treatment of form members
1.05 KB, patch
reed
: review+
Details | Diff | Splinter Review 
mozilla-central's  query form has XSS vuluneravility.
Parameter enddate value is not HTML escaped.
http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=48+hours+ago&enddate=now%22%20onmouseover=%22alert%28location.href%29
Summary: Mozilla central XSS vulneravility → Mozilla central XSS vulnerability
Group: mozilla-confidential → webtools-security
Summary: Mozilla central XSS vulnerability → XSS vulnerability with pushloghtml's 'enddate' param
Escape the 'startdate' and 'enddate' values.
Assignee: nobody → reed
Status: NEW → ASSIGNED
Attachment #361147 - Flags: review?
Summary: XSS vulnerability with pushloghtml's 'enddate' param → XSS vulnerability with pushloghtml's 'startdate' and 'enddate' params
Comment on attachment 361147 [details] [diff] [review]
patch - v1 (untested)

ted or djc, please review?
Attachment #361147 - Flags: review?(ted.mielczarek)
Attachment #361147 - Flags: review?(dirkjan)
Attachment #361147 - Flags: review?
Attachment #361147 - Flags: review?(dirkjan) → review+
Comment on attachment 361147 [details] [diff] [review]
patch - v1 (untested)

Seems fine to me.
Attachment #361147 - Flags: review?(ted.mielczarek)
http://hg.mozilla.org/hg_templates/rev/244027b2b6dd

Pushing live now.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Group: webtools-security
The example URLs now return 500 ISEs for the bad URLs, but normal stuff still seems to work. Is that expected?
Oh, looks like we need to import escape from mercurial.templatefilters.
Attachment #361228 - Flags: review?(dirkjan)
Comment on attachment 361228 [details] [diff] [review]
craziness setting in at a young age

n/m, ignore me.
Attachment #361228 - Attachment is obsolete: true
Attachment #361228 - Flags: review?(dirkjan)
So have the 500 ISE's been fixed now? What was the problem with that?
Attachment #361228 - Attachment description: Import 'escape' from mercurial.templatefilters - v1 → craziness setting in at a young age
I found some trivial problem on 500IES's message.
(root@localhost should be correct server operator's mail address)
I filed it as bug 477563.
mod_wsgi (pid=12696): Exception occurred processing WSGI script '/repo/hg/webroot_wsgi/hgwebdir.wsgi'.
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/mercurial/hgweb/request.py", line 100, in run_wsgi
    return application(env, respond)
  File "/usr/lib/python2.4/site-packages/mercurial/hgweb/hgwebdir_mod.py", line 74, in __call__
    self.run_wsgi(req)
  File "/usr/lib/python2.4/site-packages/mercurial/hgweb/hgwebdir_mod.py", line 121, in run_wsgi
    hgweb(repo).run_wsgi(req)
  File "/usr/lib/python2.4/site-packages/mercurial/hgweb/hgweb_mod.py", line 255, in run_wsgi
    req.write(content)
  File "/usr/lib/python2.4/site-packages/mercurial/hgweb/request.py", line 59, in write
    for part in thing:
  File "/usr/lib/python2.4/site-packages/mercurial/templater.py", line 126, in __call__
    v = self.filters[f](v)
  File "/usr/lib/python2.4/site-packages/mercurial/templatefilters.py", line 132, in <lambda>
    "escape": lambda x: cgi.escape(x, True),
  File "/usr/lib/python2.4/cgi.py", line 1039, in escape
    s = s.replace("&", "&amp;") # Must be done first!
AttributeError: 'list' object has no attribute 'replace'
(In reply to comment #9)
> So have the 500 ISE's been fixed now? What was the problem with that?

See comment #11. Any help would be appreciated! :)
This should do the job:

diff --git a/pushlog-feed.py b/pushlog-feed.py
--- a/pushlog-feed.py
+++ b/pushlog-feed.py
@@ -402,8 +402,8 @@
                 rev=0,
                 entries=lambda **x: changelist(limit=0,**x),
                 latestentry=lambda **x: changelist(limit=1,**x),
-                startdate='startdate' in req.form and req.form['startdate'] or '1 week ago',
-                enddate='enddate' in req.form and req.form['enddate'] or 'now',
+                startdate='startdate' in req.form and req.form['startdate'][0] or '1 week ago',
+                enddate='enddate' in req.form and req.form['enddate'][0] or 'now',
                 querydescription=query.description(),
                 archives=web.archivelist("tip"))
That does indeed work. Here's the patch and my r= for it successfully working. I'll push this to the repo shortly.
Attachment #361231 - Flags: review+
I tested testcase in comment #0 and comment #1, and both of them are correctly HTML escaped.
--> VERIFIED.
Status: RESOLVED → VERIFIED
I think 'critical' is a little overstated. hg.mozilla.org has no cookies and is read-only. AFAICT, there was no actual risk here.
Changed importance from critical to major, baucase of comment #17.
Severity: critical → major
Adding keywords to bugs for metrics, no action required.  Sorry about bugmail spam.
Keywords: wsec-xss
Product: mozilla.org → Release Engineering
Product: Release Engineering → Developer Services
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: