Closed
Bug 1027658
Opened 10 years ago
Closed 6 years ago
Unnecessary XSS sink (Calendar.App.go)
Categories
(Firefox OS Graveyard :: Gaia::Calendar, defect)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: nicolas.golubovic+bugzilla, Unassigned)
References
Details
(Keywords: sec-low)
Calendar.App.go is an XSS sink, as can be verified by executing:

Calendar.App.go('javascript:alert(1)');

This behaviour is generated by line 182 of js/ext/page.js [1]:

window.location = ctx.canonicalPath;

To my understanding, the application looks for a suitable page handler and if it does not find one, the string is directly put into the window.location property. I think this is perfectly fine but there should be an additional check before putting the string into window.location. It would be sufficient to check if the URL starts with /^https?:/ (in RegEx notation).

The security impact of this is low in my opinion. I did not find a way to exploit this but there certainly were some code paths which almost made this a vulnerability. Additionally, CSP should mitigate this attack vector.

[1] https://github.com/mozilla-b2g/gaia/blob/master/apps%2Fcalendar%2Fjs%2Fext%2Fpage.js#L182
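The check proposed in the description above, written out as an added example that is not part of the original report or of Gaia's page.js. It goes one step beyond the suggested prefix match by also showing a parser-based allow-list that accepts relative paths and upper-case schemes; the function names, the `navigate` callback and the base URL are assumptions made for illustration.

```javascript
// Added example; all names here are hypothetical, not Gaia or page.js APIs.
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// The check suggested in the report: a literal, case-sensitive prefix match.
// It fails closed (anything else is rejected), including relative paths.
function startsWithHttp(target) {
  return /^https?:/.test(target);
}

// Parser-based variant: resolve the string the way a browser would
// (leading whitespace stripped, tabs/newlines removed, scheme lowercased),
// then allow-list the scheme that actually results.
function isSafeTarget(target, base) {
  if (typeof target !== 'string') return false;
  let url;
  try {
    url = new URL(target, base);
  } catch (e) {
    return false; // unparseable input is rejected, never navigated to
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Stand-in for the fallback branch of the router. `navigate` marks the
// place where `window.location = ctx.canonicalPath` would run.
function fallbackNavigate(target, base, navigate) {
  if (!isSafeTarget(target, base)) return false;
  navigate(target);
  return true;
}

// Constructed sample inputs and base URL (assumed https origin).
const BASE = 'https://calendar.example/index.html';
const SAMPLES = [
  'javascript:alert(1)',      // the value from the report
  ' JaVaScRiPt:alert(1)',     // leading space, mixed case
  'java\tscript:alert(1)',    // tab inside the scheme
  'data:text/html,x',
  '/month/',                  // relative path
  'HTTPS://example.org/',
];

function classify(samples, base) {
  return samples.map((s) => [s, startsWithHttp(s), isSafeTarget(s, base)]);
}
```

Both checks reject every `javascript:` variant; they differ only on the relative path and the upper-case scheme, which the prefix match refuses and the parser-based check accepts.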
Comment 1•10 years ago
Not sure we need to hide this, but if we do, this should go into B2G. Also CCing some calendar folks: Can you please add people from your team as necessary?
Group: core-security → b2g-core-security
Updated•10 years ago
Group: b2g-core-security → core-security
Comment 3•10 years ago
Transferring ni? to :gaye for prioritization.
Flags: needinfo?(doliver) → needinfo?(gaye)
Updated•9 years ago
Group: core-security → b2g-core-security
Comment 4•6 years ago
FirefoxOS is no longer under active development.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(gaye)
Resolution: --- → INCOMPLETE
Updated•6 years ago
Group: b2g-core-security