As reported by firstname.lastname@example.org to the security group, the uri (which is added to the page) isn't html escaped: <quote> + Exploit code: ~~~~~~~~~~~~~~~~~ <a href="ftp://'FTPserver' or 'FTP+HTTPserver'/#%3C%2ftitle%3E%3Cscript%3Ealert(%22exploit%22);%3C%2fscript%3E">Exploit</a> </quote> (You need to add a valid ftp server in there) Patch coming
Created attachment 89011 [details] [diff] [review] patch This rearranges code a bit so that we don't leak while using the raw pointers the escaping functions require (Also fixes an existing leak of |spec|, too)
Status: NEW → ASSIGNED
Keywords: patch, review
Target Milestone: --- → mozilla1.0.1
Comment on attachment 89011 [details] [diff] [review] patch r-dougt
Attachment #89011 - Flags: review+
*** Bug 154029 has been marked as a duplicate of this bug. ***
Comment on attachment 89011 [details] [diff] [review] patch >Index: nsIndexedToHTML.cpp >+ char* spec = nsCRT::strdup(titleUri.get()); >+ nsXPIDLString unEscapeSpec; >+ rv = mTextToSubURI->UnEscapeAndConvert(encoding, spec, >+ getter_Copies(unEscapeSpec)); >+ nsCRT::free(spec); why strdup? second param to UnEscapeAndConvert is |const char *|, so what's wrong with |titleUri.get()|? justify/fix and sr=darin
darin: Historical reasons - that used to call nsUnescape. Checked in with that change to the trunk; I'll mail drivers for the branch.
Status: ASSIGNED → RESOLVED
Last Resolved: 16 years ago
Keywords: approval, mozilla1.0.1
Priority: -- → P1
Resolution: --- → FIXED
Whiteboard: [FIXED ON TRUNK]
Comment on attachment 89011 [details] [diff] [review] patch adding darin's sr.
please checkin to the 1.0.1 branch. once there, remove the "mozilla1.0.1+" keyword and add the "fixed1.0.1" keyword.
Keywords: mozilla1.0.1 → mozilla1.0.1+
Fixed on branch, too (after my checkin last night was backed out because the tree was closed. Oops)
Keywords: mozilla1.0.1+ → fixed1.0.1
Whiteboard: [FIXED ON TRUNK] → [FIXED ON TRUNK][FIXED ON BRANCH]
Verified on 2002-06-27-trunk and 2002-06-27-branch build on Win2K. Above URL displays the direcrtory contents.
Status: RESOLVED → VERIFIED
Keywords: fixed1.0.1 → verified1.0.1
You need to log in before you can comment on or make changes to this bug.