Closed
Bug 1083861
Opened 10 years ago
Closed 10 years ago
The regex for the commands allows injection of characters prior to rpp
Categories
(Firefox OS Graveyard :: Gaia, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: wmathanaraj, Assigned: marta)
References
Details
Attachments
(2 files)
|
620 bytes,
patch
|
freddy
:
feedback+
|
Details | Diff | Splinter Review |
|
1014 bytes,
patch
|
freddy
:
review+
|
Details | Diff | Splinter Review |
Impact: no direct impact currently, but unexpected application flow make causes issues in the future. Fix: match ^rpp instead of just rpp
|
||
Comment 2•10 years ago
|
||
Comment on attachment 8507719 [details] [diff] [review] bug_1083861.patch Review of attachment 8507719 [details] [diff] [review]: ----------------------------------------------------------------- ::: dev_apps/privacy-panel/js/privacy-panel.js @@ +238,4 @@ > */ > _onSMSReceived: function(event) { > var match, cmd, passkey, body = event.message.body, > + rgx = /^rpp\s(lock|ring|locate|wipe)\s([a-z0-9]{1,100})$/i; With the wipe command left out, it should be removed from the regular expression. (With the very small patch details bugzilla is showing me it also looks like "rgx" is not declared as "var rgx" (or "let rgx") and thus not properly bound to a scope. If this has not been done elswhere in the code, it will leak in the global scope)
Attachment #8507719 -
Flags: review?(fbraun) → feedback+
Attachment #8507780 -
Flags: review?(fbraun)
|
|
||
Updated•10 years ago
|
Attachment #8507780 -
Flags: review?(fbraun) → review+
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•