Traceback adding second reply to a review

VERIFIED FIXED in 5.11.7

Status: VERIFIED FIXED
Product: addons.mozilla.org Graveyard
Component: Public Pages
Reported: 8 years ago
Modified: 2 years ago
Reporter: stephend
Assigned: jbalogh
Version: unspecified
Target Milestone: 5.11.7

Description (Reporter, 8 years ago)
Don't think this is a security problem, but flagging it as such, just in case.

I added </script><script>alert("Hi!");</script> to the body of https://preview.addons.mozilla.org/z/en-US/firefox/addon/1865/reviews/211373/reply, and got an Oopsie!
Updated (Reporter, 8 years ago)
Blocks: 557879
Traceback (most recent call last):
  File "/data/amo_python/www/preview/zamboni/vendor/src/django/django/core/handlers/base.py", line 100, in get_response
    response = callback(request, *callback_args, **callback_kwargs)
  File "/data/amo_python/www/preview/zamboni/vendor/src/django/django/contrib/auth/decorators.py", line 25, in _wrapped_view
    return view_func(request, *args, **kwargs)
  File "/data/amo_python/www/preview/zamboni/apps/reviews/views.py", line 132, in reply
    **_review_details(request, addon, form))
  File "/data/amo_python/www/preview/zamboni/vendor/src/django/django/db/models/manager.py", line 138, in create
    return self.get_query_set().create(**kwargs)
  File "/data/amo_python/www/preview/zamboni/vendor/src/django/django/db/models/query.py", line 352, in create
    obj.save(force_insert=True, using=self.db)
  File "/data/amo_python/www/preview/zamboni/vendor/src/django/django/db/models/base.py", line 435, in save
    self.save_base(using=using, force_insert=force_insert, force_update=force_update)
  File "/data/amo_python/www/preview/zamboni/vendor/src/django/django/db/models/base.py", line 528, in save_base
    result = manager._insert(values, return_id=update_pk, using=using)
  File "/data/amo_python/www/preview/zamboni/vendor/src/django/django/db/models/manager.py", line 195, in _insert
    return insert_query(self.model, values, **kwargs)
  File "/data/amo_python/www/preview/zamboni/vendor/src/django/django/db/models/query.py", line 1479, in insert_query
    return query.get_compiler(using=using).execute_sql(return_id)
  File "/data/amo_python/www/preview/zamboni/vendor/src/django/django/db/models/sql/compiler.py", line 783, in execute_sql
    cursor = super(SQLInsertCompiler, self).execute_sql(None)
  File "/data/amo_python/www/preview/zamboni/vendor/src/django/django/db/models/sql/compiler.py", line 727, in execute_sql
    cursor.execute(sql, params)
  File "/data/amo_python/www/preview/zamboni/vendor/src/django/django/db/backends/mysql/base.py", line 86, in execute
    return self.cursor.execute(query, args)
  File "/usr/lib/python2.6/site-packages/MySQLdb/cursors.py", line 173, in execute
    self.errorhandler(self, exc, value)
  File "/usr/lib/python2.6/site-packages/MySQLdb/connections.py", line 36, in defaulterrorhandler
    raise errorclass, errorvalue
IntegrityError: (1062, "Duplicate entry '211373' for key 2")
Group: client-services-security
Target Milestone: --- → 5.11.7
Updated (Assignee, 8 years ago)
Assignee: nobody → jbalogh
Severity: critical → normal
Updated (Assignee, 8 years ago)
Summary: Traceback adding review with XSS attempt → Traceback adding second reply to a review
Comment 2 (Assignee, 8 years ago)
Preventing it on the page: http://github.com/jbalogh/zamboni/commit/37346be
Treating it as an edit on the backend: http://github.com/jbalogh/zamboni/commit/335db35
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
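Added example (not zamboni's code and not taken from the commits linked above): the failure mode in this bug and the "treat it as an edit" fix, reproduced with Python's sqlite3 instead of MySQL and the Django ORM. The schema, the function names and the seeded review row are constructed for the example; the review id 211373 is the one in the URL on the page. A UNIQUE constraint on reply_to stands in for the "key 2" named in the IntegrityError, so an unconditional INSERT of a second reply raises exactly as the traceback shows, while the fixed path catches the unique-key violation and converts it into an UPDATE of the existing reply. The XSS probe from the description is stored as an inert string here; whether zamboni escaped it on output is not something this bug records.

```python
import sqlite3

# Constructed schema for the example: a reply is keyed by the review it
# answers, and the UNIQUE constraint on reply_to plays the role of the
# MySQL "key 2" that the IntegrityError on the page complains about.
SCHEMA = """
CREATE TABLE reviews (
    id   INTEGER PRIMARY KEY,
    body TEXT NOT NULL
);
CREATE TABLE replies (
    id       INTEGER PRIMARY KEY,
    reply_to INTEGER NOT NULL UNIQUE,
    body     TEXT NOT NULL
);
"""

REVIEW_ID = 211373  # id from the URL on the page; the review row itself is constructed


def open_db():
    """In-memory database seeded with one review to reply to."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    with conn:
        conn.execute("INSERT INTO reviews (id, body) VALUES (?, ?)",
                     (REVIEW_ID, "constructed review text"))
    return conn


def reply_create_only(conn, review_id, body):
    """The pattern that fails in the bug: an unconditional INSERT.

    The first call succeeds; a second reply to the same review violates the
    UNIQUE key and raises sqlite3.IntegrityError, the sqlite equivalent of
    the MySQL 1062 'Duplicate entry' in the traceback. Nothing catches it,
    so the request ends in a 500.
    """
    with conn:
        conn.execute("INSERT INTO replies (reply_to, body) VALUES (?, ?)",
                     (review_id, body))


def reply_as_edit(conn, review_id, body):
    """The fixed pattern: a second reply to the same review is an edit.

    Try the INSERT first and let the UNIQUE constraint say whether a reply
    already exists; on a violation, UPDATE the existing row instead.
    Returns 'created' or 'updated' so callers can tell which path ran.
    """
    try:
        with conn:
            conn.execute("INSERT INTO replies (reply_to, body) VALUES (?, ?)",
                         (review_id, body))
        return "created"
    except sqlite3.IntegrityError:
        with conn:
            cur = conn.execute("UPDATE replies SET body = ? WHERE reply_to = ?",
                               (body, review_id))
        if cur.rowcount != 1:
            # The row vanished between INSERT and UPDATE (concurrent delete);
            # surface the original error rather than silently doing nothing.
            raise
        return "updated"


def reply_body(conn, review_id):
    """Current reply text for a review, or None if there is no reply yet."""
    row = conn.execute("SELECT body FROM replies WHERE reply_to = ?",
                       (review_id,)).fetchone()
    return row[0] if row else None


def demo():
    """Run both patterns.

    Returns (old_path_crashed, first_result, second_result, final_body).
    """
    old = open_db()
    reply_create_only(old, REVIEW_ID, "first reply")
    try:
        reply_create_only(old, REVIEW_ID, "second reply")
        crashed = False
    except sqlite3.IntegrityError:
        crashed = True

    fixed = open_db()
    first = reply_as_edit(fixed, REVIEW_ID, "first reply")
    # The probe string from the description is just data to the database.
    second = reply_as_edit(fixed, REVIEW_ID,
                           '</script><script>alert("Hi!");</script>')
    return crashed, first, second, reply_body(fixed, REVIEW_ID)


if __name__ == "__main__":
    print(demo())
```

Catching the constraint violation, rather than doing a SELECT-then-INSERT, is deliberate: two concurrent replies to the same review would both pass the SELECT and one would still crash on the INSERT, so the unique-key error is the only reliable signal. The page-side guard in the first commit only improves the UI; the backend has to handle the duplicate regardless, because the form can be re-posted directly.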
Comment 3 (Reporter, 8 years ago)
Verified FIXED on https://preview.addons.mozilla.org/z/en-US/firefox/addon/1865/reviews/211373/.
Status: RESOLVED → VERIFIED
Product: addons.mozilla.org → addons.mozilla.org Graveyard