Closed
Bug 45784
Opened 24 years ago
Closed 24 years ago
Bugzilla truncates URLs containing double quotes
Categories
(Bugzilla :: Bugzilla-General, defect, P3)
Bugzilla
Bugzilla-General
Tracking
()
VERIFIED
FIXED
Bugzilla 2.12
People
(Reporter: sfraser_bugs, Assigned: jacob)
References
()
Details
(Whiteboard: 2.12)
Attachments
(2 files)
|
826 bytes,
patch
|
Details | Diff | Splinter Review | |
|
925 bytes,
patch
|
Details | Diff | Splinter Review |
Bugzilla truncates URLs containing double quotes. In the ULR field, I typed:
javascript:prompt("Hello");
|
||
Updated•24 years ago
|
|
|
||
Comment 2•24 years ago
|
||
I can set a url containing the double-quote character when I create the bug or later, and e-mails show that the field is updated correctly. When I visit the bug, however, I don't see the " or anything after it, and when I submit additional changes to the bug, the value actually gets truncated. What's happening is that show_bug.cgi isn't escaping quotes in the url when it puts the url as the value for the "url" textbox. It also doesn't escape quotes for the href of the "url" link next to the textbox. This is a security hole that allows me to make you run a script that seems to come from bugzilla.mozilla.org (I've set up a demonstration at an old "test bug", bug bug 31322). It's not that much easier to exploit than bug 38862, which requires me to get you to click on an attachment and which doesn't seem likely to be fixed soon, but I still think this bug should be fixed for 2.12.
Whiteboard: 2.12
|
Assignee | |
Updated•24 years ago
|
|
|
Assignee | |
Comment 3•24 years ago
|
||
|
|
Assignee | |
Comment 4•24 years ago
|
||
The attached patch adds value_quote() to the part of the code that puts the URL in the text box. It also performs a $URL =~ s/"/\%22/g; to the URL that gets linked for the label.
|
|
Assignee | |
Comment 5•24 years ago
|
||
|
|
Assignee | |
Comment 6•24 years ago
|
||
In talking on IRC it became apparent that value_quote() would also work for the $URL. This updated patch includes that.
OS: Mac System 8.5 → All
|
||
Comment 8•24 years ago
|
||
r= dave@intrec.com
|
|
Assignee | |
Updated•24 years ago
|
Status: NEW → ASSIGNED
|
|
||
Comment 9•24 years ago
|
||
checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
|
||
Comment 10•24 years ago
|
||
Sorry for the spam, but I needed to be able to query for all of these correctly.
Target Milestone: --- → Bugzilla 2.12
|
||
Updated•24 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 11•24 years ago
|
||
VERIFIED. Gerv
|
|
||
Updated•23 years ago
|
|
|
||
Comment 12•23 years ago
|
||
Moving closed bugs to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
|
||
Updated•12 years ago
|
QA Contact: matty_is_a_geek → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•