Closed Bug 1159137 Opened 6 years ago Closed 6 years ago

[Stingray][Smart-System] XSS/HTML injection in value picker

Categories

(Firefox OS Graveyard :: Gaia::TV::System, defect)

defect
Not set
normal

Tracking

(b2g-v1.4 unaffected, b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 unaffected, b2g-v2.1S unaffected, b2g-v2.2 fixed, b2g-master fixed)

RESOLVED FIXED
2.2 S11 (1may)
Tracking Status
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- fixed
b2g-master --- fixed

People

(Reporter: suchiu, Assigned: suchiu)

References

Details

(Keywords: sec-high, wsec-xss, Whiteboard: stingray-picked(2015/5/19) [b2g-adv-main2.2-])

Attachments

(1 file)

46 bytes, text/x-github-pull-request
johnhu
: review+
Details | Review
Same issue in Bug 1158715. According to following link https://github.com/mozilla-b2g/gaia/blob/master/tv_apps/smart-system/js/value_selector/value_picker.js#L137, where variable _valueDisplayedText may be any characters coming from user data, it also has potential XSS injection vulnerability
Attached file Pull Request
1. Replace innerHTML with textContent in value picker.
Attachment #8599650 - Flags: review?(im)
Comment on attachment 8599650 [details] [review]
Pull Request

Looks good to me.
Attachment #8599650 - Flags: review?(im) → review+
No longer depends on: 1158715
Keywords: checkin-needed
Group: core-security → b2g-core-security
See Also: → 1160069
Why are we still patching security files in the tv-system app that have been ported to system?
Master: https://github.com/mozilla-b2g/gaia/commit/fd40a1f7911ac989dbca8e89de679e974de4ff41
Status: NEW → RESOLVED
Closed: 6 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → 2.2 S11 (1may)
Group: b2g-core-security → core-security
(In reply to Kevin Grandon :kgrandon from comment #3)
> Why are we still patching security files in the tv-system app that have been
> ported to system?

We still need to do it for partner.
Whiteboard: stingray-picked(2015/5/19)
Whiteboard: stingray-picked(2015/5/19) → stingray-picked(2015/5/19) [b2g-adv-main2.2-]
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.