Closed Bug 1184699 Opened 9 years ago Closed 9 years ago

XSS/HTML Injection in sharing app through app.manifest.name

Categories

(Firefox OS Graveyard :: Gaia::P2P Sharing, defect)

ARM
Gonk (Firefox OS)
defect
Not set
normal

Tracking

(b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 unaffected, b2g-v2.1S unaffected, b2g-v2.2 unaffected, b2g-v2.2r unaffected, b2g-master wontfix)

RESOLVED WONTFIX

People

(Reporter: tedd, Unassigned)

References

Details

(Keywords: sec-high, wsec-xss)

The sharing app uses the downloaded app name in an innerHTML statement without sanitizing the input [1]; this can lead to an XSS/HTML injection.

I discussed this with :freddyb on IRC (hence the sec-high rating).
This can be fixed similarly to Bug 1177359, by using the Sanitizer Library [2], or it is probably preferable not to use innerHTML at all and to use .textContent instead after '<p>' has been assigned.

[1] https://github.com/fxos/sharing/blob/5a678a89b7a78c8bc986b85282bcd6c3d19b6bb0/app/js/views/progress_dialog_view.js#L27
[2] https://developer.mozilla.org/en-US/Firefox_OS/Security/Security_Automation
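
The two fixes suggested in the report above, shown next to the reported pattern. This is an added example, not code from the bug report or the sharing app; the function names, the "Sharing " label text, the `safeHTML` helper (a simple stand-in for an escaping library) and the sample manifest are all assumptions.

```javascript
// Added illustration; every name here is hypothetical, not taken from the sharing app.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '`': '&#96;',
};

// Escape the characters that can open a tag, an entity or an attribute value.
function escapeText(value) {
  return String(value).replace(/[&<>"'`]/g, (ch) => HTML_ESCAPES[ch]);
}

// Tagged template: the literal parts are trusted markup, every interpolated
// value is escaped. A simple stand-in for an escaping library.
function safeHTML(strings, ...values) {
  return strings.reduce((out, part, i) => out + escapeText(values[i - 1]) + part);
}

// Pattern from the report: the manifest name is concatenated into markup
// that is then assigned to innerHTML, so tags in the name are parsed.
function unsafeMarkup(manifest) {
  return '<p>Sharing ' + manifest.name + '</p>';
}

// Fix 1: escape the name before it reaches innerHTML.
function escapedMarkup(manifest) {
  return safeHTML`<p>Sharing ${manifest.name}</p>`;
}

// Fix 2: assign only static markup, then set the name via textContent,
// which is never parsed as HTML.
function renderName(container, manifest) {
  container.innerHTML = '<p></p>';
  const p = container.querySelector('p');
  p.textContent = 'Sharing ' + manifest.name;
  return p;
}

// Constructed sample manifest with markup in the name field.
const sampleManifest = { name: 'Notes <img src=x onerror="alert(1)">' };

console.log(unsafeMarkup(sampleManifest));  // name arrives as live markup
console.log(escapedMarkup(sampleManifest)); // name arrives as inert text
```

`renderName` needs a DOM element as `container`; the other functions are plain string handling and run anywhere.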
Talked to :drs, and the p2p sharing app won't be in 2.5 or any further releases.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
Is this something that affects older releases, though?
Flags: needinfo?(cr)
AFAICS, the p2p sharing app was only ever bundled with the Foxfood device.
Flags: needinfo?(cr)
Group: core-security → core-security-release
Group: core-security-release