Closed Bug 368858 Opened 18 years ago Closed 18 years ago

Need to sanitize event dialog URL field to prevent script insertion

Categories

(Calendar :: Security, defect)

Product:
Calendar
Component:
Security
Version:
Lightning 0.3
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
Lightning 0.3

People

(Reporter: mattwillis, Assigned: mattwillis)

References

Details

(Whiteboard: [fixed0.3.1])

Attachments

(1 file)

Only passes http[s] urls to the browser
1.42 KB, patch
dmosedale
: first-review+
dmosedale
: second-review+
Details | Diff | Splinter Review 
Currently, you can put "javascript:alert('foo');" in the visit URL field.
With Ln/Fx it will show an alert.  It's not clear if this is exploitable in Ln/Tb or Sb.

We should sanitize the URLs so that only http:// or https:// URLs are permitted to be entered or launched.
Flags: blocking-calendar0.3.1+
Assignee: nobody → lilmatt
Status: NEW → ASSIGNED

        Attachment #253501 -
        Flags: second-review?(dmose)

        Attachment #253501 -
        Flags: first-review?(dveditz)

    
  
Whiteboard: [patch in hand][waiting on dveditz, dmose review]

    
    

    
  
Comment on attachment 253501 [details] [diff] [review]
Only passes http[s] urls to the browser

My understanding of dveditz' comments in person were that he gives an r+ for this.  r2+ with an added XXX comment that we probably want to someday do this using the nsIURI parser instead of by hand (as suggested by dveditz :).

        Attachment #253501 -
        Flags: second-review?(dmose)

        Attachment #253501 -
        Flags: second-review+

        Attachment #253501 -
        Flags: first-review?(dveditz)

        Attachment #253501 -
        Flags: first-review+

    
    

    
  
Patch with nits checked in on:
  SUNBIRD_0_3_BRANCH
  LIGHTNING_0_3_BRANCH
  MOZILLA_1_8_BRANCH
  trunk

-> FIXED
Whiteboard: [patch in hand][waiting on dveditz, dmose review] → [fixed0.3.1]

    
  
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

    
    

    
  
yeah, r=me, but not hand-parsing would be better. Seems safe enough in this case.
Group: security

    
    

    
  
VERIFIED with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4pre) Gecko/20070406 Calendar/0.5pre.

Message in error console:
Error: launchBrowser: Invalid URL provided: javascript:alert('foo'); Only http:// and https:// URLs are valid.
Source File: chrome://calendar/content/applicationUtil.js
Line: 88
Status: RESOLVED → VERIFIED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: