Closed Bug 1229894 Opened 10 years ago Closed 10 years ago

Backport bug upstream 1221518 to bmo/4.2 [SECURITY] XSS in dependency graphs when displaying the bug summary

Categories

(bugzilla.mozilla.org :: General, defect)

Production
defect
Not set
major

RESOLVED FIXED

People

(Reporter: dkl, Assigned: dkl)

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #1221518 +++

During the generation of a dependency graph also the code for the html image map is generated if a local dot installation is used. With html escaped characters in a bug summary it is possible to inject custom lines in the *.map file with which the CreateImagemap function generates html code without filtering.

poc:
- configure bugzilla to use a local dot installation to generate a dependency graph
- create a bug with the following summary: &#10;default "><script>alert(1)</script> G
- visit /showdependencygraph.cgi?id=<BUG-ID>&showsummary=on&display=tree&rankdir=TB, a javascript alert prompt will show up
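The failure described in the report above, seen from the fixing side. This is an added example, not Bugzilla's code and not the attached patch: a map-file reader that accepts only well-formed rectangle lines and escapes every value before it reaches an HTML attribute. The `rectangle (x1,y1) (x2,y2) URL label` line format, the `show_bug.cgi?id=N` URL shape and the function names `html_attr` and `create_imagemap` are assumptions.

```perl
#!/usr/bin/perl
# Added example (not Bugzilla's code): build an HTML image map from dot's
# map output, treating every captured field as untrusted.
use strict;
use warnings;

# Escape the characters that can end an attribute value or open a tag.
sub html_attr {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Assumed line format: "rectangle (x1,y1) (x2,y2) URL label".
# Coordinates must be digits and the URL must be a local show_bug.cgi link;
# anything else, including an injected "default ..." line, is dropped.
sub create_imagemap {
    my (@lines) = @_;
    my $map = qq{<map name="imagemap">\n};
    for my $line (@lines) {
        chomp $line;
        next unless $line =~ m{^rectangle \((\d+),(\d+)\) \((\d+),(\d+)\) (\S+) (.*)$};
        my ($x1, $y1, $x2, $y2, $url, $label) = ($1, $2, $3, $4, $5, $6);
        next unless $url =~ m{^show_bug\.cgi\?id=\d+$};
        $map .= sprintf qq{<area alt="%s" title="%s" href="%s" shape="rect" coords="%d,%d,%d,%d">\n},
            html_attr($label), html_attr($label), html_attr($url),
            $x1, $y1, $x2, $y2;
    }
    return $map . "</map>\n";
}

# Constructed sample: the last two entries are what the map file looks like
# after the "&#10;" in the PoC summary has become a real line break.
my @sample = (
    qq{rectangle (10,20) (110,60) show_bug.cgi?id=1 1 a "quoted" <summary>\n},
    qq{rectangle (10,80) (110,120) show_bug.cgi?id=2 2 \n},
    qq{default "><script>alert(1)</script> G\n},
);
print create_imagemap(@sample);
```

The injected `default` line produces no `<area>` element at all, and the quotes and angle brackets in the first label come out as entities inside `alt` and `title`.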
Attached patch 1229894_1.patch
Straight backport of the 4.2 patch on bug 1221518 fixes the issue
Attachment #8694885 - Flags: review?(dylan)
Comment on attachment 8694885
1229894_1.patch

Review of attachment 8694885:
-----------------------------------------------------------------

r=dylan
Attachment #8694885 - Flags: review?(dylan) → review+
hot patched in bugzillaadm:/data/bugzilla/www/bugzilla.mozilla.org, deployed to web heads, and httpd restarted. note: any regular BMO push will overwrite that.
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git 8a1506c..8f50123 master -> master
Group: webtools-security
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED