Closed
Bug 1159136
Opened 9 years ago
Closed 9 years ago
[Stingray][Smart-System] XSS/HTML injection in app modal dialog
Categories
(Firefox OS Graveyard :: Gaia::TV::System, defect)
Firefox OS Graveyard
Gaia::TV::System
Tracking
(b2g-v1.4 unaffected, b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 unaffected, b2g-v2.1S unaffected, b2g-v2.2 fixed, b2g-master fixed)
RESOLVED
FIXED
2.2 S11 (1may)
| Tracking | Status | |
|---|---|---|
| b2g-v1.4 | --- | unaffected |
| b2g-v2.0 | --- | unaffected |
| b2g-v2.0M | --- | unaffected |
| b2g-v2.1 | --- | unaffected |
| b2g-v2.1S | --- | unaffected |
| b2g-v2.2 | --- | fixed |
| b2g-master | --- | fixed |
People
(Reporter: suchiu, Assigned: suchiu)
References
Details
(Keywords: sec-high, wsec-xss, Whiteboard: stingray-picked(2015/5/19) [b2g-adv-main2.2-])
Attachments
(1 file)
Same issue in Bug 1158715. According to following link https://github.com/mozilla-b2g/gaia/blob/master/tv_apps/smart-system/js/app_modal_dialog.js#L310, where 'title' comes from app name in manifest, XSS injection may happen when others try to create a app name with escape characters.
|
||
Comment 1•9 years ago
|
||
Thank you for sharing the progress to me. As far as I looked at the same code there are several innerHTML in it that would be exploitable. https://github.com/mozilla-b2g/gaia/blob/master/tv_apps/smart-system/js/app_modal_dialog.js#L330 And the similar code also exists in System app for handheld variants, it seems it may not be used from any apps at the moment. https://github.com/mozilla-b2g/gaia/blob/master/apps/system/js/app_modal_dialog.js Please check them as well.
|
Assignee | |
Comment 2•9 years ago
|
||
1. Change innerHTML to textContent in app_modal_dialog in order to prevent potential XSS injection.
Attachment #8599645 -
Flags: review?(im)
|
||
Comment 3•9 years ago
|
||
Comment on attachment 8599645 [details] [review] Pull Request Looks good to me. But please remove escapeHTML code.
Attachment #8599645 -
Flags: review?(im) → review+
|
|
||
Comment 4•9 years ago
|
||
Hi Muneaki, May you file another bugs for apps/system app? Although smart-system is a special fork of system app, we had done some modifications. The patch of those two may be different. According to our understanding, bug 1159136 and bug 1159137 affected both system apps. (In reply to Muneaki Nishimura from comment #1) > Thank you for sharing the progress to me. > > As far as I looked at the same code there are several innerHTML in it that > would be exploitable. > https://github.com/mozilla-b2g/gaia/blob/master/tv_apps/smart-system/js/ > app_modal_dialog.js#L330 > > And the similar code also exists in System app for handheld variants, it > seems it may not be used from any apps at the moment. > https://github.com/mozilla-b2g/gaia/blob/master/apps/system/js/ > app_modal_dialog.js > Please check them as well.
Flags: needinfo?(sdna.muneaki.nishimura)
|
|
||
Updated•9 years ago
|
|
|
||
Comment 5•9 years ago
|
||
(In reply to John Hu [:johnhu][:johu][:醬糊小弟] from comment #4) > Hi Muneaki, > > May you file another bugs for apps/system app? Although smart-system is a > special fork of system app, we had done some modifications. The patch of > those two may be different. According to our understanding, bug 1159136 and > bug 1159137 affected both system apps. > > (In reply to Muneaki Nishimura from comment #1) > > Thank you for sharing the progress to me. > > > > As far as I looked at the same code there are several innerHTML in it that > > would be exploitable. > > https://github.com/mozilla-b2g/gaia/blob/master/tv_apps/smart-system/js/ > > app_modal_dialog.js#L330 > > > > And the similar code also exists in System app for handheld variants, it > > seems it may not be used from any apps at the moment. > > https://github.com/mozilla-b2g/gaia/blob/master/apps/system/js/ > > app_modal_dialog.js > > Please check them as well. OK, I filed a new bug 1160069 for requesting to reflect following two changes to System app. https://github.com/mozilla-b2g/gaia/pull/29786 https://github.com/mozilla-b2g/gaia/pull/29811
Flags: needinfo?(sdna.muneaki.nishimura)
|
|
Assignee | |
Updated•9 years ago
|
Keywords: checkin-needed
|
||
Comment 6•9 years ago
|
||
Master: https://github.com/mozilla-b2g/gaia/commit/9143008f97f47fe76fd44cd1189314dcc7955a17
Status: NEW → RESOLVED
Closed: 9 years ago
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.1S:
--- → unaffected
status-b2g-v2.2:
--- → affected
status-b2g-master:
--- → fixed
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → 2.2 S11 (1may)
|
|
||
Comment 7•9 years ago
|
||
v2.2: https://github.com/mozilla-b2g/gaia/commit/37a1e7bb6d943eed108c4cdf85915694a14b572a
|
||
Updated•9 years ago
|
Whiteboard: stingray-picked(2015/5/19) → stingray-picked(2015/5/19) [b2g-adv-main2.2-]
|
||
Updated•9 years ago
|
Group: core-security → core-security-release
|
||
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•