Closed Bug 615789 Opened 15 years ago Closed 14 years ago

Output not sanitized in JSON->HTML display

Categories: Webtools Graveyard :: BzAPI
Type: defect
Priority: Not set
Severity: normal

Tracking: (Not tracked)

Status: VERIFIED FIXED

People

(Reporter: heycam, Assigned: gerv)

Details

(Whiteboard: [infrasec:xss][ws:moderate])

If viewing the HTMLified JSON output from a BzAPI URL, it doesn't escape any markup that might be in a field. For example I put "<script>alert('hi')</script>" in the Whiteboard of this bug https://landfill.bugzilla.org/bzapi_sandbox/show_bug.cgi?id=9947 and then when viewing https://api-dev.bugzilla.mozilla.org/test/latest/bug/9947 you get the alert.
This is a bug in Catalyst::Action::REST's YAML::HTML serializer. https://rt.cpan.org/Public/Bug/Display.html?id=63537

api-dev.bugzilla.mozilla.org does not set cookies AFAIK, and it does not have access to bugzilla.mozilla.org cookies (which are limited to that exact domain), so there is no risk of XSS cookie stealing. However, I know other attacks are possible with XSS, so I am hoping they will fix this quickly. Gerv
Whiteboard: [infrasec:xss][ws:moderate]
Gerv: looking at your patch in the bug report for Catalyst, is it necessary for us to wait on them to implement it, or can we patch it on our deployment?
Sure we can. I've now patched this on the server. (I have very little hope of it getting fixed upstream.) Gerv
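The defect reported above is the classic escape-on-output failure: a debug view that renders JSON as HTML interpolates field values straight into markup, so a string stored in the whiteboard (or any other field) is parsed by the browser as live HTML. The following is an added Python example, not BzAPI's code or the Catalyst::Action::REST YAML::HTML serializer that was actually patched. It shows the vulnerable renderer beside a hardened one that escapes every scalar (keys included) before it meets the markup, run on a constructed bug record whose whiteboard carries the same payload heycam used. The record, the field names and both `render_*` functions are assumptions made for the illustration.

```python
"""Escape-on-output for a JSON-to-HTML debug view (added example, not BzAPI code)."""
import html
import json
from typing import Any

# Constructed sample record modelled on the repro above: the whiteboard field
# holds a script tag, and one cc entry tries to break out of an attribute.
# None of this is real Bugzilla data.
SAMPLE_BUG = {
    "id": 9947,
    "summary": "Sample bug (constructed)",
    "whiteboard": "<script>alert('hi')</script>",
    "cc": ["alice@example.com", '"><img src=x onerror=alert(1)>'],
    "open": True,
    "resolution": None,
}

SCRIPT_PAYLOAD = "<script>alert('hi')</script>"


def render_unescaped(value: Any) -> str:
    """Vulnerable shape: values are dropped into the markup verbatim, so any
    HTML stored in a field is rendered live (the behaviour reported in this bug)."""
    if isinstance(value, dict):
        items = "".join(
            f"<dt>{k}</dt><dd>{render_unescaped(v)}</dd>" for k, v in value.items()
        )
        return f"<dl>{items}</dl>"
    if isinstance(value, list):
        return "<ul>" + "".join(f"<li>{render_unescaped(v)}</li>" for v in value) + "</ul>"
    return str(value)


def render_escaped(value: Any) -> str:
    """Hardened shape: every scalar, keys included, passes through html.escape
    before concatenation.  quote=True also encodes quote characters, so the
    same output stays inert if a caller later places it inside an attribute."""
    if isinstance(value, dict):
        items = "".join(
            f"<dt>{html.escape(str(k), quote=True)}</dt><dd>{render_escaped(v)}</dd>"
            for k, v in value.items()
        )
        return f"<dl>{items}</dl>"
    if isinstance(value, list):
        return "<ul>" + "".join(f"<li>{render_escaped(v)}</li>" for v in value) + "</ul>"
    if value is None or isinstance(value, bool):
        # Render JSON literals the way the wire format spells them.
        return html.escape(json.dumps(value))
    return html.escape(str(value), quote=True)


def contains_live_markup(rendered: str, payload: str) -> bool:
    """Regression check: does the attacker's payload survive as raw markup?"""
    return payload in rendered


if __name__ == "__main__":
    print("unescaped:", render_unescaped(SAMPLE_BUG))
    print("escaped:  ", render_escaped(SAMPLE_BUG))
```

The check worth keeping around is `contains_live_markup`: fed the exact string that was stored, it must return True for the old renderer and False for the fixed one, which is the assertion to add to a test suite so the regression cannot silently return when the upstream serializer is next upgraded.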
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
Product: Webtools → Webtools Graveyard