Bug 1450345 (CVE-2018-5185) - prevent form submission for <button> too
Status: RESOLVED FIXED (Closed)
Opened 7 years ago; closed 7 years ago
Categories: Thunderbird :: Security, enhancement
Tracking: thunderbird_esr52 60+ fixed, thunderbird60 fixed, thunderbird61 fixed
Target Milestone: Thunderbird 61.0
People: Reporter mkmelin; Assignee mkmelin
Keywords: csectype-disclosure, sec-low
Attachments (1): 1.87 KB patch; flags set by jorgk-bmo: review+, approval-comm-beta+, approval-comm-esr52+
+++ This bug was initially created as a clone of Bug #1419417 +++
As reported in bug 1419417, form submission can still happen in Thunderbird. I thought that was disabled, but it turns out we missed the one case, that you can submit a form with <button type="submit"> too.
Normally, as soon as the user clicks any form element we just open the form action in the browser (as a GET). This is how it's been for ages. The idea is to prevent users from being tricked into submitting info to wrong places.
As a test case, try the eml in https://bugzilla.mozilla.org/attachment.cgi?id=8930485. Once you enter the form area, the browser should open and by that prevent further interaction with the form inside Thunderbird.
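The behaviour the description relies on is a client-side interception rule: any click on a control inside a <form> in a rendered message is blocked and the form's action URL is handed to the external browser as a plain GET instead. The following is an added illustration of that rule, not Thunderbird's own code and not the patch attached to this bug. It models elements as plain objects (tag, attributes, nearest form ancestor) so it runs without a DOM, and it contrasts a predicate that only recognises <input>, <select> and <textarea> (an assumed shape of the pre-fix gap) with one that also covers <button>, whose default type is "submit" when no type attribute is given. The sample message base URL, form action and the "block but open nothing" handling of forms without an action or with a non-http(s) action are constructed assumptions for the example.

```javascript
// Added example, not Thunderbird's code. Elements are plain objects:
//   { tag: "button", attrs: { type: "submit" }, form: { action: "..." } | null }
// "form" is the element's nearest <form> ancestor, or null if it has none.

const FORM_CONTROLS = new Set(["input", "select", "textarea", "button"]);

// True when the control can itself submit its form. A <button> submits unless
// its type is "button" or "reset"; a missing or unknown type means "submit",
// which is exactly the case the bug reports as missed.
function isSubmitControl(el) {
  const tag = el.tag.toLowerCase();
  const type = (el.attrs.type || "").toLowerCase();
  if (tag === "input") return type === "submit" || type === "image";
  if (tag === "button") return type !== "button" && type !== "reset";
  return false;
}

// Assumed pre-fix predicate (illustrative only): <button> is not considered,
// so a click on it falls through to normal form handling.
function isFormElementBeforeFix(el) {
  const tag = el.tag.toLowerCase();
  return (tag === "input" || tag === "select" || tag === "textarea") && el.form !== null;
}

// Post-fix predicate: any form control inside a <form>, <button> included.
function isFormElement(el) {
  return FORM_CONTROLS.has(el.tag.toLowerCase()) && el.form !== null;
}

// Decide what to do with a click: block it and, where the action resolves to an
// http(s) URL, report that URL so the caller can open it in the external browser
// as a GET. Returns { block, open }.
function decide(el, baseUrl, predicate = isFormElement) {
  if (!predicate(el)) return { block: false, open: null };
  const action = el.form.action;
  // Assumption: a form with no action would target the message itself; block,
  // but there is nothing sensible to open.
  if (!action) return { block: true, open: null };
  let url;
  try {
    url = new URL(action, baseUrl);
  } catch (e) {
    return { block: true, open: null };
  }
  // Assumption: only web URLs are handed to the browser; anything else is just blocked.
  if (url.protocol !== "http:" && url.protocol !== "https:") return { block: true, open: null };
  return { block: true, open: url.href };
}

// Constructed sample: a phishing-style form in a message, submitted by a bare <button>.
const SAMPLE_BASE = "https://example.invalid/message/";
const SAMPLE_FORM = { action: "/collect" };
const SAMPLE_BUTTON = { tag: "button", attrs: {}, form: SAMPLE_FORM };

function demo() {
  return {
    before: decide(SAMPLE_BUTTON, SAMPLE_BASE, isFormElementBeforeFix),
    after: decide(SAMPLE_BUTTON, SAMPLE_BASE),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Running the block prints that the pre-fix predicate lets the <button> click through (block: false) while the post-fix predicate blocks it and yields https://example.invalid/collect for the external browser; a <button type="button"> is not a submit control but is still blocked, since the rule applies to any form control, not only those that submit.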
Updated (Assignee) • 7 years ago
Attachment #8964028 - Flags: review?(jorgk)
Comment 1 • 7 years ago
Comment on attachment 8964028 [details] [diff] [review]
bugXXX_prevent_form_sub.patch
Not a totally hard review ;-) I tested with the given test case and click invokes the browser.
Attachment #8964028 - Flags: review?(jorgk) → review+
Comment 2 • 7 years ago
https://hg.mozilla.org/comm-central/rev/48d7285be1417167d9e230f28b7c7a85db1f4a53
prevent form submission for <button> element. r=jorgk
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 61.0
Comment 3 • 7 years ago
Comment on attachment 8964028 [details] [diff] [review]
bugXXX_prevent_form_sub.patch
I guess you want uplift here, right?
Attachment #8964028 - Flags: approval-comm-beta+
Comment 4 • 7 years ago
Beta (TB 60 beta 2):
https://hg.mozilla.org/releases/comm-beta/rev/80d299efc73ba3440b371eaf3bb1375c15c53625
status-thunderbird60: --- → fixed
status-thunderbird61: --- → fixed
Updated • 7 years ago
Group: mail-core-security → core-security-release
Updated (Assignee) • 7 years ago
Attachment #8964028 - Flags: approval-comm-esr52?
Updated • 7 years ago
Attachment #8964028 - Flags: approval-comm-esr52? → approval-comm-esr52+
Comment 5 • 7 years ago
TB 52.8 ESR:
https://hg.mozilla.org/releases/comm-esr52/rev/2ebcd2081d704f1ed6f36d14bc103cddcc37e0b4
status-thunderbird_esr52: --- → fixed
tracking-thunderbird_esr52: --- → 60+
Updated • 7 years ago
Keywords: csectype-disclosure, sec-low
Updated • 7 years ago
Alias: CVE-2018-5185
Updated • 5 years ago
Group: core-security-release