I changed my full name to <b>Jan!</b> and that worked (as in: bold font). Similarly, when I changed it to Jan! <script>alert("XSS: see bug #!\n\n" + document.cookie)</script> that ran the script without a hitch. This is a simple way to steal people's cookies, and should be avoided, by escaping/"de-HTML-ing" any and all user input.
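The failure described in this report, and the fix the thread converges on (escaping at the output point), as an added example that is not Bugzilla's own code: a hypothetical `html_escape` routine in the spirit of `value_quote`, applied to a constructed real name containing the same kind of script tag, with the raw rendering shown beside the escaped one.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical escape routine (assumption: mirrors the idea of value_quote,
# not the project's actual implementation). Converts the four
# HTML-significant characters to entities so user text is rendered, never parsed.
sub html_escape {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;   # first, so the entities added below are not re-escaped
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

# Constructed sample: a "real name" of the shape shown in the report.
my $realname = 'Jan! <script>alert("XSS: see bug #!\n\n" + document.cookie)</script>';

# Vulnerable rendering: the real name is interpolated raw into the page markup,
# so the browser executes the embedded script for every viewer of the bug.
sub render_unescaped {
    my ($name) = @_;
    return "<td>Assigned To: $name</td>";
}

# Fixed rendering: escape once, at the point where the value enters HTML.
sub render_escaped {
    my ($name) = @_;
    return "<td>Assigned To: " . html_escape($name) . "</td>";
}

print "Unescaped:\n", render_unescaped($realname), "\n\n";
print "Escaped:\n",   render_escaped($realname),   "\n";

# Regression check: no raw tag from user input survives in the escaped output.
die "escaping failed\n" if render_escaped($realname) =~ /<script/i;
```

The same escape must be applied at every place the value is printed (assignee, reporter, comments), which is why the thread goes on to ask whether every CGI has been audited.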
-> security group I think I fixed this for 2.16/2.17 when I did the general html filtering cleanup. That was templated, so it can't be backported to 2.14.
Created attachment 84823 [details] [diff] [review] backported patch to 2.14.1 This problem is already fixed on the tip, and this patch just fixed it on b.m.o and also applies to the 2.14.1 branch.
Comment on attachment 84823 [details] [diff] [review] backported patch to 2.14.1 r=gerv. Gerv
seems to wfm :-) thanks for fixing
Did "Jan!" change the user name back? This morning, I got an alert, and now I don't, but I don't see the <script> tags at all, even escaped. Did any other place need this (assignee and/or bug comment?)
Wanted for 2.14.2. (BTW, we should be using a groupset query rather than status whiteboard for security bugs, now we have our own group)
Comment on attachment 84823 [details] [diff] [review] backported patch to 2.14.1 r= justdave pretty obvious.
leave the security bit set and change the status whiteboard to "applied to 2.14.2" after you check it in. That's what I'm looking for for buglist of what went into it when we release it.
Re: #5, Bradley Baetz: yes, I changed my name. Any and all tags are now escaped, or so it seems.
Checked in to branch BUGZILLA-2_14_1-BRANCH (note: it needs to be made more clear on www.bugzilla.org what the branch name is.) Checking in bug_form.pl; /cvsroot/mozilla/webtools/bugzilla/bug_form.pl,v <-- bug_form.pl new revision: 184.108.40.206; previous revision: 220.127.116.11 done Gerv
No, they're not... New patch coming.
Created attachment 85079 [details] [diff] [review] part 2 This fixes the other usages of realname in bug_form.pl for 2.14. This has already been fixed for 2.16. Do we use realname anywhere else? It's value_quote'd in editusers.cgi.
Comment on attachment 85079 [details] [diff] [review] part 2 r=gerv; I'll take your word for it that there aren't any more. Should we be searching every CGI for these? :-| Gerv
Yes Gerv, we decided on IRC that's your job.
I grepped 2.14 for DBID_to_real_or_loginname, and that was it. I don't know of anywhere else we currently use the realname. Do you? I went through 2.16 a while back to fix these issues, although I didn't consider the security aspect. I don't know if what I did could be considered an audit, though.
I meant "should we check everywhere we print something without escaping it first?" That would be a big job... Gerv
As I said, I tried to do that a while back, on the template stuff. I got everywhere I noticed, but that doesn't mean that I got everywhere...
Yes, but you did it for 2.16, didn't you? I'm talking about 2.14.2. Gerv
Comment on attachment 85079 [details] [diff] [review] part 2 Looks good to me, but I agree w/ Gerv... maybe someone needs to audit the source for this; are we *sure* this doesn't affect 2.16rc1?
Checked into the branch. Anyone who wants to audit, feel free.
2.14.2 is out, removing security group.