Closed
Bug 148674
Opened 23 years ago
Closed 23 years ago
Boolean Charts don't work in Netpositive because '-' is sent as '%2D'
Categories
(Bugzilla :: Query/Bug List, defect)
Tracking
()
RESOLVED
FIXED
Bugzilla 2.14
People
(Reporter: timeless, Assigned: timeless)
References
()
Details
(Whiteboard: applied to 2.14.2)
Attachments
(1 file)
594 bytes,
patch
|
preed
:
review+
justdave
:
review+
|
Details | Diff | Splinter Review |
We need to treat this url: http://bugzilla.mozilla.org/buglist.cgi?&product=Bugzilla&product=Webtools& field0%2D0%2D0=groupset&type0%2D0%2D0=equals&value0%2D0%2D0=512 the same as we treat this url: http://bugzilla.mozilla.org/buglist.cgi?&product=Bugzilla&product=Webtools& field0-0-0=groupset&type0-0-0=equals&value0-0-0=512 User-Agent: Mozilla/3.0 (compatible; NetPositive/2.2) Be lenient in what you accept.
Comment 2•23 years ago
|
||
Comment on attachment 85984 [details] [diff] [review] url_decode name Looks like it should solve the symptoms of the problem. Also, I looked at the code on the 2.14.1-BRANCH and it has the same problem; justdave: should this be "wanted for 2.14.2"? This seems low-risk/useful enough to include there as well. -jpr
Attachment #85984 -
Flags: review+
Comment 4•23 years ago
|
||
Comment on attachment 85984 [details] [diff] [review] url_decode name r= justdave fix is pretty obvious, and I can't imagine it breaking anything. I've posted to the reviewers list regarding the suggestion of including this in 2.14.2.
Attachment #85984 -
Flags: review+
Updated•23 years ago
|
Severity: normal → major
Target Milestone: --- → Bugzilla 2.16
Comment 5•23 years ago
|
||
Are we sure that we can do this? ie is there somewhere where something won't be escaped, but will look like it is? There shouldn't be, of course, but... The real fix is to use CGI.pl
Severity: major → normal
Target Milestone: Bugzilla 2.16 → ---
Updated•23 years ago
|
Target Milestone: --- → Bugzilla 2.16
Comment 6•23 years ago
|
||
But we are using CGI.pl. In fact, that's what this patch is patching. :)
Comment 7•23 years ago
|
||
Err, CGI.pm, rather. You know, the standard perl module which should handle almost anything we throw at it.... (Yes, I know we can't use it ATM for various reasons)
Comment 8•23 years ago
|
||
For reference, here's the relevant chunk of code from CGI.pm: sub parse_params { my($self,$tosplit) = @_; my(@pairs) = split(/[&;]/,$tosplit); my($param,$value); foreach (@pairs) { ($param,$value) = split('=',$_,2); $param = unescape($param); $value = unescape($value); $self->add_parameter($param); push (@{$self->{$param}},$value); } } Notice it does the unescape both on the name and the value. So we're in the clear.
Comment 9•23 years ago
|
||
Fair enough. OK, lets get this into the 2.16 branch and trunk - the general consensus was that we didn't want this for 2.14.
Assignee | ||
Comment 10•23 years ago
|
||
fixed on HEAD and BUGZILLA-2_16-BRANCH
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 11•23 years ago
|
||
OK, in light of: http://bugzilla.mozilla.org/show_activity.cgi?id=44642 which timeless brought up on IRC, looks like this qualifies as a security bug after all.... the group bits are defined in the form as "bit-1", "bit-2", "bit-512" etc. If a member of one of those groups makes ANY changes to that bug with a browser that encodes the param names this way, those become "bit%2D1" etc. And since the "bit-1" field isn't present in the form, it gets removed, thus making the bug public without the user's intention to do so.
Whiteboard: wanted for 2.14.2
Assignee | ||
Comment 12•23 years ago
|
||
fixed on BUGZILLA-2_14_1-BRANCH
Whiteboard: wanted for 2.14.2
Target Milestone: Bugzilla 2.16 → Bugzilla 2.14
Version: 2.15 → 2.14.1
Comment 13•23 years ago
|
||
I don't really mind here, but just having the tag "security" doesn't make it serious without the "exploitable" tag. If this was the case, you should also bring bug #130821 and bug #63018 onto the branch.
Updated•23 years ago
|
Whiteboard: applied to 2.14.2
Updated•12 years ago
|
QA Contact: matty_is_a_geek → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•