(Reporter: bughunter5672, Unassigned)

2 years ago
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170628075643

Steps to reproduce:

1. Comment on any bug with the payload below.


Actual results:

Could not parse the 'params' argument as valid JSON. Error: , or } expected while parsing object/hash, at character offset 238 (before "astNode=pop();astNod...") at /data/www/ line 375. Value:

Expected results:

It shouldn't disclose the internal path, which is normally not visible to remote users.

Comment 1

2 years ago
> It shouldn't disclose the internal path, which is normally not visible to remote users.

Why not? Which problem does the disclosure create? This ticket is missing the description of an actual problem.

Also note that Bugzilla is free software. Anyone can inspect its source code, as it is available to the public.
Flags: needinfo?(bughunter5672)
Thanks for the bug report! I can understand how from a different context (of closed source web apps) this could be a problem, but our source code is not a secret.

Note that we do filter stack traces -- stack traces can show the filename and even the method names, but not the arguments to those methods (this isn't the case with this error, which has no trace).

If you think the error message should be friendlier, you could submit a pull request against the repo.
The offending code is here:

Otherwise I'll close this as WONTFIX, as there are many other things that need fixing.

In the future if you find something that might be a security bug on, please use this form: as it will ensure the bug is created in a security group (to prevent it from being totally public, as this bug is) until a person has time to look at it.
Assignee: webservice → nobody
Component: WebService → General
Ever confirmed: true
Flags: needinfo?(bughunter5672)
Product: Bugzilla →
QA Contact: default-qa
Version: unspecified → Production
Duplicate of this bug: 1389445
Last Resolved: a year ago
Resolution: --- → WONTFIX
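The friendlier error message the maintainer suggests, as an added illustration (Python, not Bugzilla's own Perl code): strip the " at FILE line N." suffix that Perl's die() appends before the text reaches the client, while keeping the unmodified message for the server log. The helper names and the JSON-RPC error code are assumptions, and the sample message is the one quoted in this report.

```python
import json
import re

# Constructed sample input: the message quoted in this report. The page shows the path
# truncated to "/data/www/"; a real instance would carry a full .pm file path there.
REPORTED_ERROR = (
    "Could not parse the 'params' argument as valid JSON. Error: , or } expected while "
    "parsing object/hash, at character offset 238 (before \"astNode=pop();astNod...\") "
    "at /data/www/ line 375. Value:"
)

# Perl's die() appends " at FILE line N." to any message that does not end in a newline,
# so a parse error raised inside the JSON module carries the server's file path into the
# reply. The path is required to start with "/" so "at character offset 238" is untouched.
DIE_LOCATION = re.compile(r"\s+at\s+/\S*\s+line\s+\d+\.?")


def split_error(internal_msg: str) -> tuple[str, str]:
    """Return (client_message, log_message).

    The client copy has the die() location removed; the log copy is the original text,
    which is where the file and line number belong.
    """
    client_msg = DIE_LOCATION.sub("", internal_msg).strip()
    return client_msg, internal_msg


def leaks_path(msg: str) -> bool:
    """True if the text still contains a Perl die() location (a response-filter check)."""
    return DIE_LOCATION.search(msg) is not None


def jsonrpc_error(request_id, internal_msg: str, code: int = -32700) -> dict:
    """Build a JSON-RPC 2.0 error object that carries only the sanitized message.

    -32700 is the JSON-RPC 2.0 "Parse error" code (assumed here; Bugzilla uses its own).
    """
    client_msg, _log_msg = split_error(internal_msg)
    return {"jsonrpc": "2.0", "id": request_id,
            "error": {"code": code, "message": client_msg}}


if __name__ == "__main__":
    print(json.dumps(jsonrpc_error(1, REPORTED_ERROR), indent=2))
```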