Closed
Bug 299443
Opened 19 years ago
Closed 19 years ago
attachment edit page should not render XUL attachments
Categories
(Bugzilla :: Attachments & Requests, defect)
People
(Reporter: eyalroz1, Unassigned)
Details
It seems when you upload a XUL attachment, the attachment edit page renders the XUL, possibly also running any JavaScript present within it. Even regardless of the JavaScript this could pose a risk.
Comment 2•19 years ago
It is a Bugzilla bug. Is there any risk in XUL attachments which is greater than that of HTML attachments?

Gerv
Comment 3•19 years ago (Reporter)
(In reply to comment #2)
> Is there any risk in XUL attachments which is greater than that of HTML attachments?

I really can't say... but if JavaScript attachments shouldn't be allowed to run, I would think XUL attachments shouldn't either. Plus maybe some more privileged actions can be performed through XUL that I'm not aware of.
Comment 4•19 years ago
Eyal: unless there's a bug in Gecko, remote XUL should not have any more privileges than remote HTML. Yes, there is a long-standing problem here, primarily related to cookie-stealing. We are working on how to fix it, but it's not trivial.

Gerv

*** This bug has been marked as a duplicate of 38862 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Updated•17 years ago
Group: webtools-security → bugzilla-security
Updated•17 years ago
Group: bugzilla-security → webtools-security
Updated•16 years ago
Group: webtools-security → bugzilla-security
Comment 5•16 years ago
This bug is being removed from the security group because the bug that it is a duplicate of is now public, since it has been fixed and a Security Advisory has been sent about it. See bug 468249 for the Security Advisory.
Group: bugzilla-security