Closed Bug 537030 Opened 10 years ago Closed 10 years ago

src param not trickling down EULA

Categories

(addons.mozilla.org Graveyard :: Public Pages, defect, P2)

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: fligtar, Assigned: rdoherty)

Details

(Keywords: regression)

Attachments

(1 file, 1 obsolete file)

The src param should trickle to the install button on the EULA page.

https://addons.mozilla.org/en-US/firefox/addons/policy/0/52659/71526?src=recommended
Keywords: regression
Can we please fix this for 5.5?
Assignee: nobody → rdoherty
Attached patch v1 (obsolete)
Attachment #419976 - Flags: review?(clouserw)
Comment on attachment 419976 [details] [diff] [review]
v1

>-      if (array_key_exists('src', $_GET) && in_array($_GET['src'], array('addondetail'))) {
>+      if (array_key_exists('src', $_GET)) {
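Review bot: dropping the in_array() whitelist on the first line leaves $_GET['src'] with no validation at all, so whatever reaches the install URL from this condition must be escaped where it is appended; either keep a check here (widened to the src values that need to pass) or urlencode the value in the helper that builds the URL, because the bare array_key_exists() test by itself is what turns this into the injection hole the review describes.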

The in_array() keeps it from becoming an injection hole. However, I think you've found the easy 1-line fix spot. We just need to expand what in_array() is checking.
Attachment #419976 - Flags: review?(clouserw) → review-
Attached patch v2
Attachment #419976 - Attachment is obsolete: true
Attachment #419989 - Flags: review?(clouserw)
(In reply to comment #4)
> Created an attachment (id=419989) [details]
> v2

Added urlencode to appendParametersToUrl(). I don't think a whitelist will work for us b/c people can always add a src that will start with 'external-'.
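As an added illustration, not code from the AMO repository or the patch, here is a hypothetical stand-in for appendParametersToUrl() that urlencodes every key and value, beside an in_array() style check widened to accept the open-ended "external-" prefix the comment mentions; the helper names, the allowed-value list and the sample URL are assumptions.

```php
<?php
// Hypothetical stand-in for appendParametersToUrl(); not AMO's own code.
// Each key and value goes through urlencode(), so a src value such as
// "recommended&foo=bar" cannot smuggle extra query parameters into the
// install URL, whatever the caller passes in.
function appendParametersToUrl(string $url, array $params): string {
    if ($params === []) {
        return $url;
    }
    // Keep any fragment out of the query string.
    $fragment = '';
    if (($pos = strpos($url, '#')) !== false) {
        $fragment = substr($url, $pos);
        $url = substr($url, 0, $pos);
    }
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = urlencode((string) $key) . '=' . urlencode((string) $value);
    }
    $separator = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $separator . implode('&', $pairs) . $fragment;
}

// The whitelist approach of the original in_array() check, widened to let
// any "external-..." value through. Kept for comparison: it rejects unknown
// values instead of escaping them, which is why escaping is still needed.
function isAllowedSrc(string $src): bool {
    $exact = ['addondetail', 'recommended', 'developers']; // assumed list
    return in_array($src, $exact, true) || strpos($src, 'external-') === 0;
}

// Constructed sample values, not taken from a live request.
$installUrl = 'https://example.invalid/firefox/downloads/file/12345';
foreach (['recommended', 'external-newsletter', 'recommended&foo=bar'] as $src) {
    $safe = appendParametersToUrl($installUrl, ['src' => $src]);
    printf("%-22s allowed=%s url=%s\n", $src, isAllowedSrc($src) ? 'yes' : 'no', $safe);
}
```

The third sample shows the point of the v2 change: the whitelist rejects it, but even if it were allowed, encoding turns the embedded `&` and `=` into `%26` and `%3D` so no second parameter is created.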
Comment on attachment 419989 [details] [diff] [review]
v2

I think that'll work, thanks
Attachment #419989 - Flags: review?(clouserw) → review+
r58928
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Is testing on https://preview.addons.mozilla.org/en-US/firefox/addons/policy/0/11730/53612?src=developers enough, or should I test all the various src=parameters?
(In reply to comment #8)
> Is testing on
> https://preview.addons.mozilla.org/en-US/firefox/addons/policy/0/11730/53612?src=developers
> enough, or should I test all the various src=parameters?

Any src should work, there's no validation, just escaping of the entered src.
Product: addons.mozilla.org → addons.mozilla.org Graveyard