Closed Bug 368858 Opened 13 years ago Closed 13 years ago

Need to sanitize event dialog URL field to prevent script insertion

Categories

(Calendar :: Security, defect, major)

Lightning 0.3
defect
Not set
major

Tracking

(Not tracked)

VERIFIED FIXED
Lightning 0.3

People

(Reporter: mattwillis, Assigned: mattwillis)

References

Details

(Whiteboard: [fixed0.3.1])

Attachments

(1 file)

Currently, you can put "javascript:alert('foo');" in the visit URL field.
With Ln/Fx it will show an alert.  It's not clear if this is exploitable in Ln/Tb or Sb.

We should sanitize the URLs so that only http:// or https:// URLs are permitted to be entered or launched.
Flags: blocking-calendar0.3.1+
Assignee: nobody → lilmatt
Status: NEW → ASSIGNED
Attachment #253501 - Flags: second-review?(dmose)
Attachment #253501 - Flags: first-review?(dveditz)
Whiteboard: [patch in hand][waiting on dveditz, dmose review]
Comment on attachment 253501 [details] [diff] [review]
Only passes http[s] urls to the browser

My understanding of dveditz' comments in person was that he gives an r+ for this.  r2+ with an added XXX comment that we probably want to someday do this using the nsIURI parser instead of by hand (as suggested by dveditz :).
Attachment #253501 - Flags: second-review?(dmose)
Attachment #253501 - Flags: second-review+
Attachment #253501 - Flags: first-review?(dveditz)
Attachment #253501 - Flags: first-review+
Patch with nits checked in on:
  SUNBIRD_0_3_BRANCH
  LIGHTNING_0_3_BRANCH
  MOZILLA_1_8_BRANCH
  trunk

-> FIXED
Whiteboard: [patch in hand][waiting on dveditz, dmose review] → [fixed0.3.1]
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
yeah, r=me, but not hand-parsing would be better. Seems safe enough in this case.
Group: security
VERIFIED with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4pre) Gecko/20070406 Calendar/0.5pre.

Message in error console:
Error: launchBrowser: Invalid URL provided: javascript:alert('foo'); Only http:// and https:// URLs are valid.
Source File: chrome://calendar/content/applicationUtil.js
Line: 88
Status: RESOLVED → VERIFIED
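
The parser-based check that both reviewers preferred over hand-parsing, as an added example that is not the checked-in patch or Lightning's own code. It uses the standard WHATWG `URL` class as a stand-in for nsIURI; `ALLOWED_SCHEMES`, `checkLaunchUrl`, `launchBrowserSafely` and the `opener` callback are hypothetical names, and the error text is modeled on the console message quoted above.

```javascript
// Added example: scheme allow-list enforced on the parsed URL, not on the raw string.
// All names here are hypothetical; URL is the standard WHATWG parser.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns { ok: true, href } for a launchable URL, { ok: false, reason } otherwise.
function checkLaunchUrl(spec) {
  if (typeof spec !== "string" || spec.trim() === "") {
    return { ok: false, reason: "empty" };
  }
  let parsed;
  try {
    // The parser strips surrounding whitespace and lowercases the scheme,
    // two details a hand-written prefix comparison has to get right itself.
    parsed = new URL(spec);
  } catch (e) {
    // No scheme at all (e.g. "www.example.org"): refuse rather than guess one.
    return { ok: false, reason: "unparseable" };
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return { ok: false, reason: "scheme " + parsed.protocol };
  }
  return { ok: true, href: parsed.href };
}

// opener is an injected callback standing in for whatever hands the URL to the browser.
function launchBrowserSafely(spec, opener) {
  const result = checkLaunchUrl(spec);
  if (!result.ok) {
    throw new Error("launchBrowser: Invalid URL provided: " + spec +
                    " Only http:// and https:// URLs are valid.");
  }
  opener(result.href); // pass on the normalized form that was actually validated
  return result.href;
}

// Constructed sample inputs, including the string from the bug report.
const samples = [
  "javascript:alert('foo');",
  " JavaScript:alert('foo');",
  "HTTPS://Example.org/cal",
  "file:///tmp/x",
  "www.example.org",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(checkLaunchUrl(s)));
}
```

Because the decision is made on `parsed.protocol`, every scheme other than the two listed is refused by default, and the same check can guard both entering and launching the URL.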