Usernames with Special Characters Cause 500 Errors on Edit Profile

RESOLVED DUPLICATE of bug 593501

Status

addons.mozilla.org
Security

People

(Reporter: mcoates, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [infrasec:input])

This is an input validation issue within the edit & view profile pages of the AMO website. Not sure on the best category.

Issue

A username that contains special characters such as:
mtest"><script>alert(9)</script>

will cause a 500 error any time the authenticated user attempts to go to the pages "view profile" or "edit profile". After making this change to the username the user will always get a 500 error when logging in. The user is actually logged in and can get to another URL by force browsing to https://addons.mozilla.org/en-US/firefox/asdf and then clicking on links within the rendered page.

Interestingly, the public page for the user account is viewable to any other user. https://addons.mozilla.org/en-US/firefox/user/5483200/

Steps to reproduce:
1. Create a new account for amo
2. Set the username to be 
mtest"><script>alert(9)</script>
3. The account will be successfully created but any attempts to view or edit the profile will result in a 500 error
4. Request a non-existent page to see that the account is active and logged in
https://addons.mozilla.org/en-US/firefox/asdf 

Recommended Remediation
Either disallow special characters from being entered within the username or appropriately encode it so that the edit and view profile pages properly handle the data.
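As an added illustration of the two remediations named above (this is example code written for this page, not AMO's own code), the block below applies an allowlist check when a username is set and HTML-escapes the stored value when a profile fragment is rendered. The allowlist pattern and the `render_profile` markup are assumptions chosen for the example; the username value is the one quoted in the report.

```python
import html
import re

# The username quoted in the bug report, used here as the sample input.
REPORTED_USERNAME = 'mtest"><script>alert(9)</script>'

# Allowlist for usernames (an assumption for this example, not AMO's real rule):
# letters, digits, underscore, dot and hyphen, 3 to 30 characters.
USERNAME_RE = re.compile(r'^[A-Za-z0-9_.-]{3,30}$')


def validate_username(name: str) -> bool:
    """Remediation 1: accept only usernames that match the allowlist."""
    return USERNAME_RE.fullmatch(name) is not None


def set_username(name: str) -> str:
    """Reject disallowed input at the point where the username is stored."""
    if not validate_username(name):
        raise ValueError("username contains disallowed characters")
    return name


def render_profile(username: str) -> str:
    """Remediation 2: encode the stored value for the HTML context it lands in.

    html.escape with quote=True turns <, >, &, " and ' into entities, so the
    value cannot terminate the attribute or open a new tag, and the template
    renders instead of failing.
    """
    safe = html.escape(username, quote=True)
    return (
        '<h1>Profile for {0}</h1>\n'
        '<input type="text" name="username" value="{0}">'
    ).format(safe)


if __name__ == "__main__":
    print("allowlist accepts reported username:",
          validate_username(REPORTED_USERNAME))
    # Even if validation were skipped, the encoded render stays well-formed.
    print(render_profile(REPORTED_USERNAME))
```

Running it shows the reported username failing the allowlist and, on the encoding path, appearing as `mtest&quot;&gt;&lt;script&gt;...` inside the attribute rather than as markup. Applying both controls is the usual choice: validation keeps bad data out of the store, and context-aware encoding protects the pages that already have such data.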
Bug 593501 will block you from entering that kind of junk.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 593501
Group: client-services-security