Closed
Bug 152688
Opened 23 years ago
Closed 19 years ago
doctor error message does not escape input
Categories
(Webtools Graveyard :: Doctor, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: reed)
References
()
Details
(Whiteboard: security)
Attachments
(1 file)
1.17 KB, patch (mkanat: review+)
http://doctor.mozilla.org/doctor.cgi?action=edit&file=<script>alert(5)</script>
Result: two dialogs and confused text.
Expected: no dialogs and text like "Cannot find file <script>alert(5)</script>".
This is bad because a page could link to a URL similar to the one above and then
read the user's CVS password from password manager. People being able to steal
bugzilla passwords is bad, but people being able to steal CVS passwords is very
bad. Please check Doctor for other similar bugs.
Comment 1•23 years ago
Checking in doctor.cgi;
/cvsroot/mozilla/webtools/doctor/doctor.cgi,v <-- doctor.cgi
new revision: 1.10; previous revision: 1.9
done
RCS file: /cvsroot/mozilla/webtools/doctor/templates/cvs-error.tmpl,v
done
Checking in templates/cvs-error.tmpl;
/cvsroot/mozilla/webtools/doctor/templates/cvs-error.tmpl,v <-- cvs-error.tmpl
initial revision: 1.1
done
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Updated•23 years ago
Group: security? → webtools-security?
Updated•22 years ago (Reporter)
Whiteboard: security
Updated•22 years ago
Group: webtools-security
Updated•19 years ago (Assignee)
QA Contact: asa → doctor
Comment 2•19 years ago
Has this regressed? Or was it only fixed for the edit action?
http://sla.ckers.org/forum/read.php?3,44,2090,page=21#msg-2092
Group: webtools-security
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Updated•19 years ago
Group: webtools-security
Comment 3•19 years ago (Assignee)
Seems the "FILTER html" part on the message variable got lost two months after it was originally fixed. This patch adds it back.
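A regression check for the failure described in comment 3, where the `FILTER html` on the message variable was lost after the original fix. This is an added example, not part of the bug thread or of Doctor's code; the sample template text, the function name `unfiltered_outputs` and the keyword list are assumptions made for illustration.

```python
import re
import sys

# Template Toolkit directive: [% ... %], with optional -/+ chomp markers.
DIRECTIVE = re.compile(r"\[%[-+]?\s*(.*?)\s*[-+]?%\]", re.S)
# Directives starting with these keywords do not print a value themselves
# (partial list, enough for simple error templates).
KEYWORDS = {"IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "FOR", "WHILE",
            "SET", "DEFAULT", "INCLUDE", "PROCESS", "WRAPPER", "BLOCK", "USE",
            "FILTER", "SWITCH", "CASE", "CALL", "TRY", "CATCH", "MACRO"}
ASSIGN = re.compile(r"^[\w.]+\s*=(?!=)")           # [% x = y %] prints nothing
HTML_FILTER = re.compile(r"(?:\bFILTER\s+|\|\s*)html\b")  # FILTER html or | html


def unfiltered_outputs(template_text):
    """Return [(line_number, directive)] for directives that print a value
    without an html filter. Heuristic: output inside an enclosing
    [% FILTER html %] ... [% END %] block is still reported."""
    findings = []
    for m in DIRECTIVE.finditer(template_text):
        body = m.group(1)
        if not body or body.startswith("#"):        # empty or [%# comment %]
            continue
        if body.split()[0] in KEYWORDS or ASSIGN.match(body):
            continue
        if HTML_FILTER.search(body):
            continue
        line = template_text.count("\n", 0, m.start()) + 1
        findings.append((line, body))
    return findings


# Constructed sample, not the contents of Doctor's real templates.
BEFORE = "<h1>Error</h1>\n[% IF message %]\n  <p>[% message %]</p>\n[% END %]\n"
AFTER = BEFORE.replace("[% message %]", "[% message FILTER html %]")

if __name__ == "__main__":
    # With file arguments, scan those templates; otherwise scan the samples.
    sources = {p: open(p, encoding="utf-8").read() for p in sys.argv[1:]}
    sources = sources or {"BEFORE": BEFORE, "AFTER": AFTER}
    bad = 0
    for name, text in sources.items():
        for line, directive in unfiltered_outputs(text):
            print(f"{name}:{line}: unfiltered output [% {directive} %]")
            bad += 1
    sys.exit(1 if bad else 0)
```

Run against a template directory as part of the test suite, a non-zero exit flags any template where the filter has been dropped again.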
Comment 4•19 years ago
Comment on attachment 243292
Always filter HTML from message - v1
This is obviously correct. r=mkanat by inspection (and noticing that the URL in comment 0 does indeed provide an XSS hole).
Attachment #243292 - Flags: review?(dveditz) → review+
Comment 5•19 years ago (Assignee)
Checking in code-error.tmpl;
/cvsroot/mozilla/webtools/doctor/templates/code-error.tmpl,v <-- code-error.tmpl
new revision: 1.4; previous revision: 1.3
done
Checking in user-error.tmpl;
/cvsroot/mozilla/webtools/doctor/templates/user-error.tmpl,v <-- user-error.tmpl
new revision: 1.4; previous revision: 1.3
done
I will request that the production Doctor instance be upgraded to latest CVS.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago → 19 years ago
Resolution: --- → FIXED
Comment 6•19 years ago
(In reply to comment #5)
> I will request that the production Doctor instance be upgraded to latest CVS.
Done.
Updated•9 years ago
Product: Webtools → Webtools Graveyard