Closed Bug 1027658 Opened 10 years ago Closed 6 years ago

Unnecessary XSS sink (Calendar.App.go)

Categories

(Firefox OS Graveyard :: Gaia::Calendar, defect)

defect
Not set
minor

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: nicolas.golubovic+bugzilla, Unassigned)

References

Details

(Keywords: sec-low)

Calendar.App.go is an XSS sink, as can be verified by executing:

Calendar.App.go('javascript:alert(1)');

This behaviour is generated by line 182 of js/ext/page.js [1]:
window.location = ctx.canonicalPath;

To my understanding, the application looks for a suitable page handler and, if it does not find one, the string is put directly into the window.location property. I think this is perfectly fine, but there should be an additional check before putting the string into window.location. It would be sufficient to check whether the URL starts with /^https?:/ (in RegEx notation).

The security impact of this is low in my opinion. I did not find a way to exploit this but there certainly were some code paths which almost made this a vulnerability. Additionally, CSP should mitigate this attack vector.


[1] https://github.com/mozilla-b2g/gaia/blob/master/apps%2Fcalendar%2Fjs%2Fext%2Fpage.js#L182
Not sure we need to hide this, but if we do this should go into B2G.
Also CCing some calendar folks: Can you please add people from your team as necessary?
Group: core-security → b2g-core-security
Group: b2g-core-security → core-security
Can we nominate this for your backlog, Dylan?
Flags: needinfo?(doliver)
Transferring ni? to :gaye for prioritization.
Flags: needinfo?(doliver) → needinfo?(gaye)
Group: core-security → b2g-core-security
FirefoxOS is no longer under active development.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(gaye)
Resolution: --- → INCOMPLETE
Group: b2g-core-security