Closed
Bug 600377
Opened 14 years ago
Closed 7 years ago
dm-sheriff DOS Date parsing error
Categories
(Webtools Graveyard :: Sheriff Calendar, defect)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: dchanm+bugzilla, Unassigned)
Details
(Whiteboard: [infrasec:input])
The dm-sheriff site crashes when invalid date values are passed in the URL. An ArgumentError is thrown and a RoR error page displayed.

STR
1. Visit https://dm-sheriff01.mozilla.org/?today="&from="&to="
2. You will get an error page

Code
http://github.com/kourge/sheriff/blob/master/app.rb#L23
Date.parse() is called on user supplied data in lines 23/24. The resulting exception is not caught resulting in application crash.

Suggested fix
Catch the ArgumentError exception and log that malicious input was encountered
Comment 1 • 14 years ago (Reporter)
The server appears to go down while testing and comes back up eventually. During this time, my session is invalid and I can't log back in. Does the application automatically restart after a given amount of time?
Comment 2 • 14 years ago (Reporter)
The application appears to have crashed after inputting a negative value on the preferences page for 'Email me about my upcoming sheriff duties X days in advance'
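
An added example, not part of the bug report or the sheriff code base: one way to apply the suggested fix in Ruby, so that malformed `today`/`from`/`to` values and a negative reminder preference (Comment 2) produce a logged 400 instead of an unhandled ArgumentError. All helper names, the default date range, and the 30-day cap are assumptions.

```ruby
require 'date'
require 'logger'

# Hypothetical names throughout; none of this is from the sheriff code base.
LOG = Logger.new($stderr)
class BadInput < StandardError; end

ISO_DATE = /\A\d{4}-\d{2}-\d{2}\z/
MAX_DAYS = 30 # assumed upper bound for the reminder preference

# Strictly parse a YYYY-MM-DD parameter; an absent parameter uses the default.
def date_param(params, key, default)
  raw = params[key]
  return default if raw.nil?
  # Rack can hand back an Array or Hash for foo[]=x, so check the type too.
  raise BadInput, key unless raw.is_a?(String) && raw.match?(ISO_DATE)
  Date.strptime(raw, '%Y-%m-%d')
rescue ArgumentError # well-formed but impossible date, e.g. 2010-02-30
  raise BadInput, key
end

# Parse the "X days in advance" preference as a bounded, non-negative integer.
def days_param(raw)
  raise BadInput, 'days' unless raw.is_a?(String) && raw.match?(/\A\d{1,3}\z/)
  days = raw.to_i
  raise BadInput, 'days' if days > MAX_DAYS
  days
end

# Stand-in for the route handler: returns [status, payload] instead of crashing.
def calendar_request(params, now: Date.today)
  today = date_param(params, 'today', now)
  from  = date_param(params, 'from', today)
  to    = date_param(params, 'to', from + 7) # assumed default: one week
  raise BadInput, 'range' if to < from
  [200, { from: from, to: to }]
rescue BadInput => e
  # Log only the parameter name, never the raw value, to keep logs clean.
  LOG.warn("rejected request parameter: #{e.message}")
  [400, 'invalid parameter']
end
```
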
Updated • 12 years ago
Group: websites-security
Component: Webdev → Sheriff
Product: mozilla.org → Webtools
Updated • 10 years ago (Assignee)
Component: Sheriff → Sheriff Calendar
Product: Webtools → Webtools Graveyard
Updated • 7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX