Need to better-validate user input on homepage field

VERIFIED FIXED in 5.11.9

Status

Product: addons.mozilla.org Graveyard
Component: Public Pages
Status: VERIFIED FIXED
Reported: 8 years ago
Last modified: 2 years ago

People

(Reporter: stephend, Assigned: Barry Chen)

Details

(Whiteboard: [infrasec-qa:input], URL)

Attachments

(1 attachment)

Description (Reporter, 8 years ago)

(While we do wrap the following in outgoing.* URLs, we still shouldn't permit this.)

When I enter 

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

into the homepage field on https://preview.addons.mozilla.org/z/en-US/firefox/users/edit#user-profile and click Update, it gets accepted.

I can then see it on https://preview.addons.mozilla.org/z/en-US/firefox/user/235535/ 

On prod, trying to do that, I get "This URL has an invalid format. Valid URLs look like http://example.com/my_page."

Comment 1 (Reporter, 8 years ago)

Created attachment 467887 [details]
Screenshot of the ensuing hotness!
Target Milestone: 5.11.8 → 5.11.9
Look into the django clean_* methods.  The regex we used to validate on remora was /^https?:\/\/([a-z0-9][a-z0-9-]*\.)+([a-z]+)(:[0-9]+)?(\/|$)/i

Same warning as before.  This model is hoppin' - rebase often.
Assignee: nobody → chenba

Comment 4 (Assignee, 8 years ago)

Homepage validation with regex: http://github.com/chenba/zamboni/commit/1f1ff3e67aa6450c69d11acc3ce94442a774b430

The occupation field is mentioned in the bug title, but there aren't any comments on what's acceptable.  Plz advise.
I'm not worried about occupation
Summary: Need to better-validate user input on homepage and occupation fields → Need to better-validate user input on homepage field

Comment 6 (Assignee, 8 years ago)

a) @clouserw: I don't think isValidURL() is in django anymore, at least I couldn't find it.

b) jbalogh's suggestion of using URLValidator kind of answered my unasked question of "why wasn't homepage a URLField?"  It is now: http://github.com/chenba/zamboni/commit/6d240cd8cc526119d6068e6400f744ed6b314b4b
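The remora regex quoted in the comment above ("Look into the django clean_* methods") and the switch to a URLField in comment 6 amount to the same check: the homepage value has to parse as an http(s) URL before it is stored, otherwise the user gets the "invalid format" error the reporter quotes. The Python below is an added example, not zamboni's code and not Django's URLValidator; it wraps the quoted regex in a constructed `clean_homepage()` helper in the shape of a Django `clean_*` method, returns the error message quoted in the report, and pairs it with a constructed `render_homepage_link()` that HTML-escapes on output, because the regex only constrains scheme, host and port and leaves everything after the first `/` unchecked.

```python
import html
import re

# Regex quoted in the thread (the remora-era validator), translated from the
# /.../i literal into Python re syntax. It anchors only the start of the
# value: scheme, one or more host labels, a TLD, an optional port, then
# either "/" or end of string. Nothing after that "/" is inspected.
HOMEPAGE_RE = re.compile(
    r"^https?://([a-z0-9][a-z0-9-]*\.)+([a-z]+)(:[0-9]+)?(/|$)",
    re.IGNORECASE,
)

# Error text the reporter saw on prod and again after the fix.
INVALID_MSG = ("This URL has an invalid format. "
               "Valid URLs look like http://example.com/my_page.")

# The probe string from the bug description, reproduced verbatim so the
# checks below can show it is rejected by the regex.
XSS_PROBE = r"""';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>"""


class ValidationError(ValueError):
    """Constructed stand-in for django.core.exceptions.ValidationError."""


def clean_homepage(value: str) -> str:
    """Constructed clean_*-style hook (hypothetical name).

    The field is optional, so an empty value is stored as "". Anything else
    must match HOMEPAGE_RE or the quoted error is raised, which is what a
    form layer turns into the message shown to the user.
    """
    value = value.strip()
    if not value:
        return ""
    if HOMEPAGE_RE.match(value) is None:
        raise ValidationError(INVALID_MSG)
    return value


def is_valid_homepage(value: str) -> bool:
    """Boolean wrapper around clean_homepage() for reporting."""
    try:
        clean_homepage(value)
    except ValidationError:
        return False
    return True


def render_homepage_link(value: str) -> str:
    """Output-side defence (hypothetical helper): escape the stored value in
    both attribute and text context, independent of what validation let in.
    """
    safe = html.escape(value, quote=True)
    return f'<a href="{safe}">{safe}</a>'


def validation_report(candidates):
    """Map each candidate value to its accept/reject verdict."""
    return {c: is_valid_homepage(c) for c in candidates}


if __name__ == "__main__":
    # Constructed sample inputs: one good URL, the reported probe, a
    # scheme the regex does not allow, a bare host, and a URL whose path
    # carries markup that the regex does not look at.
    samples = [
        "http://example.com/my_page",
        XSS_PROBE,
        "javascript:alert(1)",
        "example.com",
        "http://example.com/<b>bold</b>",
    ]
    for url, ok in validation_report(samples).items():
        print("accept" if ok else "reject", repr(url[:60]))
    print(render_homepage_link("http://example.com/<b>bold</b>"))
```

The last sample is the caveat worth keeping in mind when reading the fix: the regex rejects the reported probe because it does not begin with `http://` or `https://`, but a value such as `http://example.com/<b>bold</b>` passes, so the outgoing.* wrapping and HTML escaping on output (which the reporter notes are already in place) remain the control that actually prevents script execution; the validator only narrows what gets stored.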


Updated (8 years ago)

Target Milestone: 5.11.9 → 5.12
thanks barry

http://github.com/jbalogh/zamboni/commit/aae8369c9010f161fb44d9577070f3bf89e7b1fa
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Target Milestone: 5.12 → 5.11.9

Comment 8 (Reporter, 8 years ago)

Verified FIXED; I'm now getting the following error message:

"This URL has an invalid format. Valid URLs look like http://example.com/my_page."
Status: RESOLVED → VERIFIED


Updated (8 years ago)

Duplicate of this bug: 582091
Product: addons.mozilla.org → addons.mozilla.org Graveyard