Closed
Bug 45784
Opened 24 years ago
Closed 24 years ago
Bugzilla truncates URLs containing double quotes
Categories
(Bugzilla :: Bugzilla-General, defect, P3)
Bugzilla
Bugzilla-General
Tracking
()
VERIFIED
FIXED
Bugzilla 2.12
People
(Reporter: sfraser_bugs, Assigned: jacob)
References
()
Details
(Whiteboard: 2.12)
Attachments
(2 files)
826 bytes,
patch
|
Details | Diff | Splinter Review | |
925 bytes,
patch
|
Details | Diff | Splinter Review |
Bugzilla truncates URLs containing double quotes. In the ULR field, I typed:
javascript:prompt("Hello");
Updated•24 years ago
|
Comment 2•24 years ago
|
||
I can set a url containing the double-quote character when I create the bug or
later, and e-mails show that the field is updated correctly. When I visit the
bug, however, I don't see the " or anything after it, and when I submit
additional changes to the bug, the value actually gets truncated.
What's happening is that show_bug.cgi isn't escaping quotes in the url when it
puts the url as the value for the "url" textbox. It also doesn't escape quotes
for the href of the "url" link next to the textbox.
This is a security hole that allows me to make you run a script that seems to
come from bugzilla.mozilla.org (I've set up a demonstration at an old "test
bug", bug bug 31322). It's not that much easier to exploit than bug 38862,
which requires me to get you to click on an attachment and which doesn't seem
likely to be fixed soon, but I still think this bug should be fixed for 2.12.
Whiteboard: 2.12
Assignee | ||
Updated•24 years ago
|
Assignee | ||
Comment 3•24 years ago
|
||
Assignee | ||
Comment 4•24 years ago
|
||
The attached patch adds value_quote() to the part of the code that puts the URL
in the text box. It also performs a $URL =~ s/"/\%22/g; to the URL that gets
linked for the label.
Assignee | ||
Comment 5•24 years ago
|
||
Assignee | ||
Comment 6•24 years ago
|
||
In talking on IRC it became apparent that value_quote() would also work for the
$URL. This updated patch includes that.
OS: Mac System 8.5 → All
Comment 8•24 years ago
|
||
Assignee | ||
Updated•24 years ago
|
Status: NEW → ASSIGNED
Comment 9•24 years ago
|
||
checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 10•24 years ago
|
||
Sorry for the spam, but I needed to be able to query for all of these correctly.
Target Milestone: --- → Bugzilla 2.12
Updated•24 years ago
|
Status: RESOLVED → VERIFIED
Comment 11•24 years ago
|
||
VERIFIED.
Gerv
Updated•24 years ago
|
Comment 12•23 years ago
|
||
Moving closed bugs to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Updated•12 years ago
|
QA Contact: matty_is_a_geek → default-qa
You need to log in
before you can comment on or make changes to this bug.
Description
•