Closed Bug 237627 Opened 21 years ago Closed 20 years ago

reports.cgi doesn't detect invalid dataset name

Categories

(Bugzilla :: Reporting/Charting, defect)

2.17.7
defect
Not set
trivial

RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: wicked, Assigned: wicked)

Details

(Whiteboard: [fixed in 2.16.6] [fixed in 2.18rc1])

Attachments

(2 files)

There is code in the reports.cgi chart_image_name sub that supposedly would yell if an invalid dataset name is specified. Unfortunately the code uses a broken regexp, so it won't detect the condition correctly.
This new regexp will now correctly detect if there is anything other than letters, numbers or :-characters in any of the dataset names.
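The allow-list check described above, as an added example that is not code from the bug's attachments or from Bugzilla. The original broken pattern is not shown on this page, so `weak_check_passes` is a constructed illustration of one way such a check can fail; `invalid_datasets` and the sample names are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-list from the bug description: letters, numbers and ':' only.
# \A and \z anchor the whole string; unlike '$', \z does not tolerate
# a trailing newline.
my $VALID_DATASET = qr/\A[A-Za-z0-9:]+\z/;

# Hypothetical helper (not Bugzilla's chart_image_name): returns the names
# that fail the allow-list, so the caller can refuse the whole request.
sub invalid_datasets {
    my @names = @_;
    return grep { !defined($_) || $_ !~ $VALID_DATASET } @names;
}

# Constructed illustration of a check that looks similar but is too weak:
# it is unanchored, so a single permitted character anywhere in the name
# is enough to pass.
sub weak_check_passes {
    my ($name) = @_;
    return $name =~ /[A-Za-z0-9:]/ ? 1 : 0;
}

# Constructed sample input.
my @requested = (
    'NEW',
    'ASSIGNED',
    'RESOLVED:FIXED',
    "<script>alert('foo')",
    '../other',
    "NEW\n",
    '',
);

for my $name (@requested) {
    (my $shown = $name) =~ s/\n/\\n/g;    # make the newline visible
    printf "%-24s strict=%-6s weak=%s\n",
        "'$shown'",
        (invalid_datasets($name) ? 'reject' : 'accept'),
        (weak_check_passes($name) ? 'accept' : 'reject');
}

my @bad = invalid_datasets(@requested);
print scalar(@bad), " of ", scalar(@requested), " names rejected\n";
```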
Attachment #144032 - Flags: review?(vlad)
Attachment #144032 - Flags: review?(vlad) → review+
Status: NEW → ASSIGNED
Flags: approval?
Target Milestone: --- → Bugzilla 2.18
Flags: approval? → approval+
Let's hold this for a security advisory. This can be exploited as an arbitrary filename path or XSS.
Group: webtools-security
Flags: approval+ → approval?
Just checked... 2.16 is affected by this, too, so we need a patch for 2.16
Whiteboard: [wanted for 2.16.6] [ready for 2.18rc1]
hmmm, okay, I can't actually find a way to actually exploit this. Chart::Base dies with "invalid symbol reference" if you try to pass in a dataset name that contains a /, so that eliminates pathname garbage. And it doesn't appear to actually display the datasets that it can't actually find except as part of the image filename, which obviously remains escaped somehow... <img src="graphs/-All-_NEW_ASSIGNED_REOPENED_UNCONFIRMED_%3Cscript%3Ealert%28%27foo%27%29.png"> Anyone else have any analysis they can provide? We should probably still fix this in 2.16, but I'm starting to think it's not an exploitable security hole now...
Tested and it seems same patch will apply to tip of 2.16 branch flawlessly.
Whiteboard: [wanted for 2.16.6] [ready for 2.18rc1] → [ready for 2.16.6] [ready for 2.18rc1]
Target Milestone: Bugzilla 2.18 → Bugzilla 2.16
Flags: approval2.16?
Flags: blocking2.18+
Flags: blocking2.16.6+
While attachment 144032 [details] [diff] [review] is right for 2.16, this is de-bitrotted to apply smoothly for 2.18
Attachment #152375 - Flags: review?(justdave)
Attachment #152375 - Flags: review?(justdave) → review+
Flags: approval2.16? → approval2.16+
Flags: approval? → approval+
checked in on both branches
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Whiteboard: [ready for 2.16.6] [ready for 2.18rc1] → [fixed in 2.16.6] [fixed in 2.18rc1]
Clearing the security flag on disclosed bugs
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa