Closed
Bug 1254241
Opened 8 years ago
Closed 8 years ago
Unchecked redirect in Bugzilla auth integration
Categories
(MozReview Graveyard :: Review Board: Extension, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jwkbugzilla, Unassigned)
Details
Attachments
(1 file, 2 obsolete files)
1.49 KB,
patch
|
glob
:
review+
|
Details | Diff | Splinter Review |
Unchecked redirects allow hiding phishing websites behind seemingly legitimate Mozilla links. They also allow circumventing referrer checks on websites that enforce the referrer to be a Mozilla website. Yet MozReview allows redirecting to any URL after Bugzilla authentication. Consider the following URL:
> https://bugzilla.mozilla.org/auth.cgi?callback=https://reviewboard.mozilla.org/mozreview/bmo_auth_callback/%3Fredirect%3Dhttp://google.com/&description=MozReview
While this seems to point to BMO, for any logged in Bugzilla user this will redirect to reviewboard.mozilla.org automatically which will in turn redirect to any website (google.com in this case).
Assignee | ||
Comment 1•8 years ago
|
||
This should do it, I believe, by enforcing that all directs are local paths (i.e. start with '/').
Comment on attachment 8730394 [details] [diff] [review] bug-1254241.diff Review of attachment 8730394 [details] [diff] [review]: ----------------------------------------------------------------- r=glob lgtm
Attachment #8730394 -
Flags: review?(glob) → review+
Reporter | ||
Comment 3•8 years ago
|
||
What about protocol-relative URLs?
> https://bugzilla.mozilla.org/auth.cgi?callback=https://reviewboard.mozilla.org/mozreview/bmo_auth_callback/%3Fredirect%3D//google.com/&description=MozReview
Comment on attachment 8730394 [details] [diff] [review] bug-1254241.diff Review of attachment 8730394 [details] [diff] [review]: ----------------------------------------------------------------- (In reply to Wladimir Palant from comment #3) > What about protocol-relative URLs? > > > ..%3Fredirect%3D//google.com/&description=MozReview excellent point, thanks wladimir. mcote - how parsing the url and rejecting those that don't match the expected hostname.
Attachment #8730394 -
Flags: review+ → review-
Assignee | ||
Comment 5•8 years ago
|
||
This does the same thing, verifying that the redirect is only a path, by using urlparse. I didn't want to complicate things by checking for a correct server name; all generated redirects should be local.
Attachment #8730394 -
Attachment is obsolete: true
Attachment #8731395 -
Flags: review?(glob)
Comment on attachment 8731395 [details] [diff] [review] bug-1254241.diff Review of attachment 8731395 [details] [diff] [review]: ----------------------------------------------------------------- r=glob
Attachment #8731395 -
Flags: review?(glob) → review+
Reporter | ||
Comment 7•8 years ago
|
||
I assume that redirecting to something like a data: URL isn't possible?
Assignee | ||
Comment 8•8 years ago
|
||
Hm I could also check that the scheme is empty as well.
Assignee | ||
Comment 9•8 years ago
|
||
Once more, with feeling.
Attachment #8731395 -
Attachment is obsolete: true
Attachment #8731489 -
Flags: review?(glob)
Comment 10•8 years ago
|
||
Comment on attachment 8731489 [details] [diff] [review] bug-1254241.diff (v3) Review of attachment 8731489 [details] [diff] [review]: ----------------------------------------------------------------- r=glob
Attachment #8731489 -
Flags: review?(glob) → review+
Assignee | ||
Comment 11•8 years ago
|
||
https://hg.mozilla.org/hgcustom/version-control-tools/rev/415a3d6628d3
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 12•8 years ago
|
||
This has been deployed. Btw the link in comment 0 should be https://bugzilla.mozilla.org/auth.cgi?callback=https://reviewboard.mozilla.org/mozreview/bmo_auth_callback/%3Fredirect%3Dhttp://google.com/&description=mozreview to avoid generating a new API key (the description at the end should be all lower case). I've confirmed that it did redirect to google before and no longer does.
Group: mozreview-security
You need to log in
before you can comment on or make changes to this bug.
Description
•