Closed
Bug 325058
Opened 19 years ago
Closed 19 years ago
http://landfill.bugzilla.org//paul/ login form redirects me to paul.fr
Categories: Core :: Networking, defect
Status: RESOLVED DUPLICATE of bug 325079
People: Reporter: LpSolit, Assigned: darin.moz
Attachments: 2 files
This URL contains a double slash // and the login form on Bugzilla redirects me outside bugzilla.org, in my case paul.fr (but I suspect it depends on your locale, in my case: french).
Discussing with CTho on #developers, it looks like the login and password have been sent to paul.fr instead of landfill.bugzilla.org, meaning that they have now my admin login and password for our QA installations.
I'm using Fx 1.5.0.1 20060111.
Reproduced on XP trunk SeaMonkey, updating OS/Version.
"paul" doesn't resolve to anything for me though, so data I enter goes nowhere and I just get an error page.
OS: Linux → All
Version: 1.8 Branch → Trunk
Comment 2 (Reporter)•19 years ago
gavin asked me to attach my http log while reproducing the problem.
Comment 3•19 years ago
As far as I can tell, this isn't a bug. You are ending up at paul.fr because that's what "paul" ends up being, after being passed through the keyword protocol handler (you should get the same result typing just "paul" in the address bar). None of the submitted data is actually being forwarded to the keyword result, as far as I can tell. You can test this by setting keyword.url to something like "http://gavinsharp.com/tmp/echo.php?keyword=", which just echoes passed in data, and following the same steps to reproduce.
Without the data being passed, this bug is essentially just "you get redirected unexpectedly", and there are existing bugs on not redirecting to keyword.url for things not explicitly typed in the URL bar (bug 310826?).
Comment 4 (Reporter)•19 years ago
OK, so feel free to INVALIDate this bug.
This testcase doesn't involve keywords, and does send gavin your password.
Comment 6•19 years ago
Is this a landfill bug in the way it handles multiple installations? The form action is derived from the URL. If you don't specify the double-slash and visit the intended http://landfill.bugzilla.org/paul/ then the form action is "/paul/index.cgi" which logs into landfill. If you use the double-slash it's copied into the form action making 'paul' a hostname. Landfill should do some sanity-checking when generating the form action, or specify the complete url.
Why is this filed as a networking bug? It looks like Gecko is doing exactly what the page is telling it to do (submit the form to "paul").
(In reply to comment #6)
> Why is this filed as a networking bug? It looks like Gecko is doing exactly
> what the page is telling it to do (submit the form to "paul").
I think the question is, is treating // as http:// instead of / a good decision from a security perspective? Presumably bugzilla isn't the only software in the world that fails to strip double-slashes.
Comment 8 (Reporter)•19 years ago
The problem is not specific to landfill, it affects *all* Bugzilla installations.
The problem is that template/en/default/account/auth/login-small.html.tmpl uses:
<form name="login" action="[% cgi.script_name FILTER html %]" method="POST">
so when you enter //foo, you get action="//foo/index.cgi" which redirects you outside your Bugzilla installation with your login and password.
It could as well be a bug in CGI.pm itself. Anyway, Bugzilla should probably use Param('urlbase').
Comment 9 (Reporter)•19 years ago
Either comment 7 is a WONTFIX and I move this bug in the Bugzilla product or I open a new bug for Bugzilla. dveditz?
Updated•19 years ago
Summary: http://landfill.bugzilla.org//paul/ redirects me to paul.fr (or anywhere else outside bugzilla.org) → http://landfill.bugzilla.org//paul/ login form redirects me to paul.fr
Comment 10 (Reporter)•19 years ago
bug 325079 has been opened to fix the bug in Bugzilla (affects versions >= 2.20).
Comment 11•19 years ago
(In reply to comment #7)
> I think the question is, is treating // as http:// instead of / a good decision
> from a security perspective?
It's in the spec (rfc 2396 section 5): "A relative reference beginning with two slash characters is termed a network-path reference, as defined by <net_path> in Section 3. Such references are rarely used."
We can decide they're bad news but we'll be breaking some unknown number of sites. IE does the same so "fixing" Gecko doesn't solve the bugzilla problem.
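To make the mechanism described in comments 8 and 11 concrete, here is an added Python example (not code from Bugzilla or from this bug) that models the pre-fix template's action attribute, resolves it the way a browser resolves a network-path reference, and shows the urlbase-based fix. The script_name_for helper is an assumed approximation of CGI.pm's SCRIPT_NAME, and the URLs are constructed from the report.

```python
from urllib.parse import urljoin, urlsplit

# Constructed inputs modelled on the report: the installation's configured
# base URL (Bugzilla's urlbase parameter) and the URL the reporter visited.
URLBASE = "http://landfill.bugzilla.org/paul/"
VISITED = "http://landfill.bugzilla.org//paul/"


def script_name_for(page_url: str) -> str:
    """Assumed CGI.pm behaviour: SCRIPT_NAME is the request path exactly as the
    client sent it (double slash included) with the script name appended."""
    return urlsplit(page_url).path + "index.cgi"


def vulnerable_action(page_url: str) -> str:
    """Pre-fix template: action="[% cgi.script_name FILTER html %]"."""
    return script_name_for(page_url)


def fixed_action(urlbase: str) -> str:
    """Hardened form: an absolute action built from the configured urlbase, so
    the request path can no longer influence where credentials are posted."""
    return urljoin(urlbase, "index.cgi")


def resolve_action(page_url: str, action: str) -> str:
    """Resolve the action as a browser does (RFC 2396 section 5): a reference
    starting with '//' is a network-path reference, so what follows the two
    slashes becomes the new authority (host)."""
    return urljoin(page_url, action)


def leaves_installation(page_url: str, action: str, urlbase: str) -> bool:
    """Detection check for a template review or a test suite: does the
    resolved form action post to a host other than the installation's own?"""
    target_host = urlsplit(resolve_action(page_url, action)).hostname
    return target_host != urlsplit(urlbase).hostname


if __name__ == "__main__":
    bad = vulnerable_action(VISITED)
    print("template action:", bad, "->", resolve_action(VISITED, bad))
    print("off-site:", leaves_installation(VISITED, bad, URLBASE))
    good = fixed_action(URLBASE)
    print("fixed action:", good, "->", resolve_action(VISITED, good))
    print("off-site:", leaves_installation(VISITED, good, URLBASE))
```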
Comment 12•19 years ago
So given that this is correct per the spec, and that exploiting it requires that the server uses the "script name" as a form action attribute in addition to having a URL-like path to the script, I think this is INVALID.
Hardware: PC → All
Comment 13•19 years ago
*** This bug has been marked as a duplicate of 325079 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Comment 14•19 years ago
The bug this is a duplicate of has now had a security advisory issued.
http://www.bugzilla.org/security/2.18.4/ (issue #3)
Removing the security flag.
Group: security