Bug 38859 - createaccount.cgi needs to escape untrusted value for e-mail address (but maybe de-escape @ symbol)
Status: RESOLVED FIXED
Keywords: security
Product: Bugzilla
Classification: Server Software
Component: Bugzilla-General
Version: unspecified
Hardware/OS: Other Other
Priority: P3
Severity: normal
Target Milestone: Bugzilla 2.14
Assigned To: Tara Hernandez
QA Contact: default-qa
URL: http://bugzilla.mozilla.org/createacc...
Blocks: 38852
Reported: 2000-05-10 16:25 PDT by Jesse Ruderman
Modified: 2012-12-18 20:46 PST


Attachments
- simple fix, but is it sufficient? (653 bytes, patch) - 2001-05-09 17:05 PDT, Myk Melez [:myk] [@mykmelez]
- the other approach (address not displayed in error message) (638 bytes, patch) - 2001-05-09 17:16 PDT, Myk Melez [:myk] [@mykmelez]
- uses html_quote and displays address (597 bytes, patch) - 2001-05-10 15:54 PDT, Myk Melez [:myk] [@mykmelez]

Description Jesse Ruderman 2000-05-10 16:25:15 PDT
Comment 1 Jesse Ruderman 2000-05-10 16:30:14 PDT
occurs on both createaccount.cgi and the "log in" link at the bottom.

this escaping might need to be done on both branches (password e-mailed, bogus e-mail address).
Comment 2 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-02-27 19:07:11 PST
moving to real milestones...
Comment 3 Myk Melez [:myk] [@mykmelez] 2001-05-09 17:05:01 PDT
Created attachment 33786 [details] [diff] [review]
simple fix, but is it sufficient?
Comment 4 Myk Melez [:myk] [@mykmelez] 2001-05-09 17:12:47 PDT
This attachment patches CGI.pl's CheckEmailSyntax function to escape the
characters < , > , and & in the invalid email address that gets displayed to the
user as part of the error message when the user submits an invalid address.
This method of filtering bad characters is generally considered less secure than
the alternate approach of allowing good characters (see f.e. the CERT advisory
linked from bug 38856).  Is it sufficient in this situation?

The most secure approach in this situation is not to display the invalid email
address at all, which is the approach I took in the data validation error
messages in bug 38854 and bug 38855.
Comment 5 Myk Melez [:myk] [@mykmelez] 2001-05-09 17:16:25 PDT
Created attachment 33789 [details] [diff] [review]
the other approach (address not displayed in error message)
Comment 6 Jacob Steenhagen 2001-05-09 20:42:17 PDT
Hmm... which one's better? Guess that's the question.  Showing the e-mail
address as typed allows the user to see if they made a typo so they can slap
themselves on the forehead (BTW, that encoding could be done w/the
'html_quote()' sub).  I think that would be considered "good enough" as it's the
routine used to sanitize everything else sent to the user (such as this 
comment :)
Comment 7 Myk Melez [:myk] [@mykmelez] 2001-05-10 15:54:56 PDT
Created attachment 33967 [details] [diff] [review]
uses html_quote and displays address
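The two escaping strategies the thread weighs (escaping only `<`, `>` and `&` versus running the address through an `html_quote()`-style routine) side by side, as an added example that is not Bugzilla's own code; the `html_quote` here is a stand-in written for this example, the error-message wording and the sample address are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Approach of the first attachment (comment 4): neutralise only the three
# characters that are special in HTML text content.
sub escape_angle_amp {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;   # ampersand first, so the entities added below are not re-escaped
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

# html_quote-style routine (stand-in for the one comment 6 refers to): same as
# above, plus the double quote, so the value is also inert inside a quoted
# attribute such as value="...".
sub html_quote {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Constructed sample: an address that fails syntax checking and carries markup.
my $addr = 'not-an-address<b>&"';

# Text-content context, as in the CheckEmailSyntax error message: both
# routines are sufficient here, the browser shows the literal characters.
print "The e-mail address you entered (", escape_angle_amp($addr),
      ") is not valid.\n";

# Attribute context, e.g. re-filling the login field with what was typed:
# only html_quote keeps the value from terminating the quoted attribute.
print '<input type="text" name="login" value="', html_quote($addr), "\">\n";
```

Running it prints the address with `&lt;b&gt;&amp;` in the message line and `&lt;b&gt;&amp;&quot;` inside the input's value attribute.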
Comment 8 Jacob Steenhagen 2001-05-10 17:42:27 PDT
OK, looks good to me.

r=jake
Comment 9 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-05-11 11:04:51 PDT
r= justdave

Checked in.
Comment 10 Dave Miller [:justdave] (justdave@bugzilla.org) 2001-09-02 23:44:07 PDT
Moving to Bugzilla product