Closed
Bug 1008051
Opened 12 years ago
Closed 12 years ago
Malformed HEAD's meta property="og:description" leaking URLs in the top of the listings.
Categories
(addons.mozilla.org Graveyard :: Public Pages, defect, P1)
Tracking
(Not tracked)
VERIFIED
FIXED
2014-06
People
(Reporter: diegocr, Assigned: magopian)
Attachments (1 file): 112.30 KB, image/png
The <meta property="og:description" .../> is wrongly generated for addon listings containing URLs in their summary, which causes these urls to be shown at the top of the pages.
For example: https://addons.mozilla.org/en-US/firefox/addon/integrated-gmail/
Updated•12 years ago
Group: client-services-security
Comment 1•12 years ago
Thanks for the bug. I'm flagging security sensitive since this is a pretty big issue. /CC Yohan & Mathieu - would you look at this tomorrow? We'll push a fix offcycle once it lands. Thanks.
Assignee: nobody → mathieu
Severity: normal → critical
Priority: -- → P1
Target Milestone: --- → 2014-06
Comment 2•12 years ago (Assignee)
This was introduced by fixing https://bugzilla.mozilla.org/show_bug.cgi?id=998745 with https://github.com/mozilla/olympia/commit/d4ccc97030b143c719d81c67b2e03c74cf6853ca
Depends on: 998745
Comment 3•12 years ago (Assignee)
This issue _should_ not be of any security concern: it _should_ only display links that we forge ourselves, and escape any other markup. According to a few tests, there are no XSS risks on this particular bug.
Comment 4•12 years ago (Assignee)
Comment 5•12 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 6•12 years ago (Reporter)
While that commit should fix the main problem reported here, I think that needs more sanitization. For example, summaries containing double quotes will also cause a malformed meta.
Comment 7•12 years ago (Assignee)
No worries about that, the output is automatically escaped and single and double quotes are thus escaped.
This is because the "|striptags" helper changes the input back to unsafe content (which is then automatically escaped).
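As an added illustration of the mechanism described in comment 7 (example code written for this page, not olympia's own): a constructed autolink step, an HTMLParser-based stand-in for Jinja2's |striptags, and the og:description tag built both the broken way and the fixed way, with a parser check for text that escapes the attribute and would render at the top of the page. The autolink, _Collector and helper function names are assumptions made for the example.

```python
import html
import re
from html.parser import HTMLParser

def autolink(summary: str) -> str:
    """Constructed stand-in for the listing's linkification: escape text, wrap bare URLs in <a>."""
    out, pos = [], 0
    for m in re.finditer(r"https?://\S+", summary):
        out.append(html.escape(summary[pos:m.start()]))
        url = html.escape(m.group(0))
        out.append(f'<a href="{url}" rel="nofollow">{url}</a>')
        pos = m.end()
    out.append(html.escape(summary[pos:]))
    return "".join(out)

class _Collector(HTMLParser):
    """Records text nodes and the content attribute of the first <meta> tag seen."""
    def __init__(self):
        super().__init__()
        self.text, self.meta_content = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "meta" and self.meta_content is None:
            self.meta_content = dict(attrs).get("content")
    def handle_data(self, data):
        self.text.append(data)

def _parse(markup: str) -> _Collector:
    collector = _Collector()
    collector.feed(markup)
    collector.close()
    return collector

def striptags(markup: str) -> str:
    """Like Jinja2's |striptags: tags removed, entities decoded, whitespace collapsed; unsafe text."""
    return " ".join("".join(_parse(markup).text).split())

def og_description_broken(summary_html: str) -> str:
    """The reported defect: linkified HTML dropped straight into the content attribute."""
    return f'<meta property="og:description" content="{summary_html}">'

def og_description_fixed(summary_html: str) -> str:
    """The fix as described: strip tags, then escape again (html.escape stands in for autoescape)."""
    return f'<meta property="og:description" content="{html.escape(striptags(summary_html))}">'

def leaked_text(meta_tag: str) -> str:
    """Text a browser would render outside the tag: the URL fragment that showed at the top of the page."""
    return "".join(_parse(meta_tag).text).strip()

def meta_content(meta_tag: str):
    """The content attribute as a browser reads it (None if nothing parsed as a <meta> tag)."""
    return _parse(meta_tag).meta_content
```

Feeding `autolink("Gmail in your sidebar, see https://example.com/help")` (a constructed summary) through `og_description_broken` leaks the URL as page text, while `og_description_fixed` yields a well-formed tag whose content round-trips intact, including summaries with double quotes.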
Comment 8•12 years ago (Reporter)
Great then :)
Thanks.
Comment 9•12 years ago
I'll remove the security flag then - I thought this was injection, I didn't realize we were doing the linking ourselves. Thanks for filing/fixing.
Group: client-services-security
Comment 11•11 years ago
Please add STR here or mark it with [qa-] if no QA is needed.
Flags: needinfo?(dcasorran)
Comment 12•11 years ago (Assignee)
STR:
1/ change the summary of any addon to include links
2/ save the modification, and display the addon page: if it shows a piece of a URL at the very top of the page, then the issue is still present.
Also, if you check the page source for the "<meta property="og:description ...>" tag, it should be well formed.
Comment 13•11 years ago
Verified as fixed in https://addons-dev.allizom.org/ on FF29 (Win 7).
Attaching postfix screenshot.
Closing bug.
Status: RESOLVED → VERIFIED
Flags: needinfo?(dcasorran)
Comment 14•11 years ago
Updated•10 years ago
Product: addons.mozilla.org → addons.mozilla.org Graveyard