Closed Bug 580421 Opened 14 years ago Closed 14 years ago

Invalid Locale Codes Should Result in Error Page

Categories

(Websites :: plugins.mozilla.org, defect)

defect
Not set
major

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: mcoates, Unassigned)

Details

(Whiteboard: [infrasec:input])

Issue

The plugin URL contains a locale code such as 'en-us' as seen in the following example:
https://plugins.mozilla.org/en-us/plugins/detail/gnome-totem

An attacker can modify this value to arbitrary text and the plugins web application will still render the requested page as normal. An attacker could use a convincing message in order to entice users to install particular software.

Example:
https://plugins.mozilla.org/ApprovedByMozilla/plugins/detail/gnome-totem



Recommended Remediation

Check if the locale code is a valid value and redirect to an error page if any other values are received.
r71440 should address this on staging shortly
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
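
The remediation recommended in this report, sketched as an added example (not the change made in r71440 and not code from plugins.mozilla.org): the first path segment is checked against an exact allow-list, and any other value is sent to a fixed error page that never echoes the rejected text. The locale set, `ERROR_PAGE` and the `route` function are assumptions made for illustration.

```python
from urllib.parse import unquote

# Assumed allow-list: the locales the site actually ships are not listed in the bug.
SUPPORTED_LOCALES = frozenset({"en-us", "de", "fr", "ja", "pt-br"})
# Hypothetical fixed error URL; it never contains any part of the rejected input.
ERROR_PAGE = "/en-us/error/invalid-locale"


def route(path):
    """Decide how to answer a request for /<locale>/<rest>.

    Returns (status, target): 200 with the locale-free remainder to render,
    301 to the canonical lower-case URL, or 302 to the fixed error page.
    """
    # Split before decoding so an encoded slash cannot shift the segments.
    segments = path.split("/")
    locale = unquote(segments[1]) if len(segments) > 1 else ""
    rest = "/".join(segments[2:])

    # Exact membership test: no prefix or pattern matching on the locale.
    if locale.lower() not in SUPPORTED_LOCALES:
        return 302, ERROR_PAGE
    # Known locale in the wrong case: send the client to the canonical form.
    if locale != locale.lower():
        return 301, "/" + locale.lower() + "/" + rest
    return 200, rest
```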