Closed Bug 477477 Opened 13 years ago Closed 13 years ago
XSS vulnerability with pushloghtml's 'startdate' and 'enddate' params
mozilla-central's query form has an XSS vulnerability. The enddate parameter value is not HTML escaped. http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=48+hours+ago&enddate=now%22%20onmouseover=%22alert%28location.href%29
Summary: Mozilla central XSS vulneravility → Mozilla central XSS vulnerability
Group: mozilla-confidential → webtools-security
Summary: Mozilla central XSS vulnerability → XSS vulnerability with pushloghtml's 'enddate' param
The startdate parameter has the same problem. http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=48+hours+ago%22%20onmouseover=%22alert(location.href)
Escape the 'startdate' and 'enddate' values.
Assignee: nobody → reed
Status: NEW → ASSIGNED
Attachment #361147 - Flags: review?
Summary: XSS vulnerability with pushloghtml's 'enddate' param → XSS vulnerability with pushloghtml's 'startdate' and 'enddate' params
Comment on attachment 361147 [details] [diff] [review] patch - v1 (untested)

ted or djc, please review?
Attachment #361147 - Flags: review?(dirkjan) → review+
http://hg.mozilla.org/hg_templates/rev/244027b2b6dd Pushing live now.
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
The example URLs now return 500 ISEs for the bad URLs, but normal stuff still seems to work. Is that expected?
Oh, looks like we need to import escape from mercurial.templatefilters.
Comment on attachment 361228 [details] [diff] [review] craziness setting in at a young age

n/m, ignore me.
So have the 500 ISE's been fixed now? What was the problem with that?
Attachment #361228 - Attachment description: Import 'escape' from mercurial.templatefilters - v1 → craziness setting in at a young age
I found a trivial problem in the 500 ISE's message (root@localhost should be the server operator's correct mail address). I filed it as bug 477563.
mod_wsgi (pid=12696): Exception occurred processing WSGI script '/repo/hg/webroot_wsgi/hgwebdir.wsgi'.
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/mercurial/hgweb/request.py", line 100, in run_wsgi
    return application(env, respond)
  File "/usr/lib/python2.4/site-packages/mercurial/hgweb/hgwebdir_mod.py", line 74, in __call__
    self.run_wsgi(req)
  File "/usr/lib/python2.4/site-packages/mercurial/hgweb/hgwebdir_mod.py", line 121, in run_wsgi
    hgweb(repo).run_wsgi(req)
  File "/usr/lib/python2.4/site-packages/mercurial/hgweb/hgweb_mod.py", line 255, in run_wsgi
    req.write(content)
  File "/usr/lib/python2.4/site-packages/mercurial/hgweb/request.py", line 59, in write
    for part in thing:
  File "/usr/lib/python2.4/site-packages/mercurial/templater.py", line 126, in __call__
    v = self.filters[f](v)
  File "/usr/lib/python2.4/site-packages/mercurial/templatefilters.py", line 132, in <lambda>
    "escape": lambda x: cgi.escape(x, True),
  File "/usr/lib/python2.4/cgi.py", line 1039, in escape
    s = s.replace("&", "&amp;") # Must be done first!
AttributeError: 'list' object has no attribute 'replace'
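As an added example, not code from the pushlog extension or from Mercurial: a small Python model of the template bug in this thread, rendering the enddate attribute unescaped (as before the fix), escaped with the equivalent of Mercurial's escape filter (cgi.escape(x, True) in the traceback above; html.escape is the Python 3 equivalent), and with the filter applied to the raw form list to reproduce the AttributeError in this traceback. The request dict is constructed and assumes Mercurial's convention that req.form maps each key to a list of values.

```python
import html


def escape_filter(value):
    """Equivalent of Mercurial's 'escape' template filter, cgi.escape(x, True):
    escapes &, <, > and both quote characters, which an attribute value needs.
    Like cgi.escape, it only accepts a string."""
    return html.escape(value, quote=True)


def form_value(form, key, default):
    """Pick one string out of a req.form-style dict of lists (assumed shape,
    matching the list the traceback shows reaching the filter)."""
    values = form.get(key)
    return values[0] if values else default


def render_vulnerable(form):
    """Before the fix: the raw parameter lands inside an HTML attribute, so a
    double quote in it closes the value and starts a new attribute."""
    enddate = form_value(form, 'enddate', 'now')
    return '<input name="enddate" value="%s">' % enddate


def render_fixed(form):
    """After the fix: the same value passed through the escape filter."""
    enddate = form_value(form, 'enddate', 'now')
    return '<input name="enddate" value="%s">' % escape_filter(enddate)


def escape_raw_form_entry(form, key):
    """Reproduces the 500 ISE: the filter applied to the list, not a string."""
    try:
        return escape_filter(form[key])
    except AttributeError as exc:
        return 'AttributeError: %s' % exc


# Constructed request, shaped like the test case in comment #0 but with a
# harmless marker instead of a script call.
CONSTRUCTED_FORM = {'startdate': ['48 hours ago'],
                    'enddate': ['now" onmouseover="x']}

if __name__ == '__main__':
    print(render_vulnerable(CONSTRUCTED_FORM))
    print(render_fixed(CONSTRUCTED_FORM))
    print(escape_raw_form_entry(CONSTRUCTED_FORM, 'enddate'))
```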
(In reply to comment #9)
> So have the 500 ISE's been fixed now? What was the problem with that?

See comment #11. Any help would be appreciated! :)
This should do the job: diff --git a/pushlog-feed.py b/pushlog-feed.py --- a/pushlog-feed.py +++ b/pushlog-feed.py @@ -402,8 +402,8 @@ rev=0, entries=lambda **x: changelist(limit=0,**x), latestentry=lambda **x: changelist(limit=1,**x), - startdate='startdate' in req.form and req.form['startdate'] or '1 week ago', - enddate='enddate' in req.form and req.form['enddate'] or 'now', + startdate='startdate' in req.form and req.form['startdate'] or '1 week ago', + enddate='enddate' in req.form and req.form['enddate'] or 'now', querydescription=query.description(), archives=web.archivelist("tip"))
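Review bot: the two `+` lines in the hunk are character-for-character identical to the `-` lines they replace, so as posted the patch changes nothing. The traceback in comment #11 shows the template's escape filter (cgi.escape) receiving a list from req.form['startdate'] / req.form['enddate'], so the value handed to the template needs to be reduced to a single string first, e.g. `req.form['startdate'][0]` and `req.form['enddate'][0]`, for the escape filter to work.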
That does indeed work. Here's the patch and my r= for it successfully working. I'll push this to the repo shortly.
Attachment #361231 - Flags: review+
I tested the testcases in comment #0 and comment #1, and both of them are correctly HTML escaped. --> VERIFIED.
Status: RESOLVED → VERIFIED
I think 'critical' is a little overstated. hg.mozilla.org has no cookies and is read-only. AFAICT, there was no actual risk here.
Changed importance from critical to major, because of comment #17.
Severity: critical → major
Adding keywords to bugs for metrics, no action required. Sorry about bugmail spam.
Product: mozilla.org → Release Engineering
Product: Release Engineering → Developer Services