dm-sheriff DOS Date parsing error

RESOLVED WONTFIX

Status

Webtools Graveyard
Sheriff Calendar
--
critical
RESOLVED WONTFIX
8 years ago
a year ago

People

(Reporter: dchan, Unassigned)

Details

(Whiteboard: [infrasec:input], URL)

(Reporter)

Description

8 years ago
The dm-sheriff site crashes when invalid date values are passed in the URL. An ArgumentError is thrown and a RoR error page displayed.

STR
1. Visit https://dm-sheriff01.mozilla.org/?today="&from="&to="
2. You will get an error page

Code
http://github.com/kourge/sheriff/blob/master/app.rb#L23

Date.parse() is called on user-supplied data in lines 23/24. The resulting exception is not caught, resulting in an application crash.

Suggested fix
Catch the ArgumentError exception and log that malicious input was encountered.
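The fix suggested above, as an added example (this is not the sheriff project's code): a wrapper around Date.parse for query parameters such as ?today=&from=&to= that rescues the parser's exceptions, logs the bad value and falls back to a default instead of letting the error propagate into a crash. The helper names, the length cap and the default ranges are assumptions made for this illustration.

```ruby
require 'date'
require 'logger'

# Assumed cap on parameter length: an ISO date is 10 characters, so anything
# far longer is not a date and is rejected before reaching the parser.
MAX_DATE_PARAM_LENGTH = 32

# Parse one user-supplied date parameter; return +default+ on any bad input.
def safe_parse_date(value, default, logger: Logger.new($stderr), name: 'date')
  return default if value.nil? || value.empty?
  if value.length > MAX_DATE_PARAM_LENGTH
    logger.warn("rejected oversized #{name} parameter (#{value.length} chars)")
    return default
  end
  Date.parse(value)
rescue ArgumentError, TypeError => e
  # Date::Error (Ruby >= 2.7) is a subclass of ArgumentError, so this rescue
  # covers both old and new Ruby versions. Log the rejected value so an
  # operator can see probing attempts in the application log.
  logger.warn("invalid #{name} parameter #{value.inspect}: #{e.class}")
  default
end

# Resolve the three parameters named in the report, each with a fallback:
# today -> current date, from -> today, to -> a week after today.
def resolve_range(params, today: Date.today, logger: Logger.new($stderr))
  t    = safe_parse_date(params['today'], today, logger: logger, name: 'today')
  from = safe_parse_date(params['from'],  t,      logger: logger, name: 'from')
  to   = safe_parse_date(params['to'],    t + 7,  logger: logger, name: 'to')
  from, to = to, from if to < from # keep the range well-ordered
  [t, from, to]
end
```

With this in place the malformed request from the STR yields the default week instead of an ArgumentError page.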
(Reporter)

Updated

8 years ago
Blocks: 584113
(Reporter)

Comment 1

8 years ago
The server appears to go down while testing and comes back up eventually. During this time, my session is invalid and I can't log back in.

Does the application automatically restart after a given amount of time?
(Reporter)

Comment 2

8 years ago
The application appears to have crashed after inputting a negative value on the preferences page for 'Email me about my upcoming sheriff duties X days in advance'.

Updated

6 years ago
Group: websites-security
Component: Webdev → Sheriff
Product: mozilla.org → Webtools
(Assignee)

Updated

4 years ago
Component: Sheriff → Sheriff Calendar
Product: Webtools → Webtools Graveyard

Updated

a year ago
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → WONTFIX