User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:220.127.116.11) Gecko/20100401 Firefox/3.6.3
This is intentional, see bug 454134.
Wow intentional XSS, I actually haven't heard that one before.
Actually, it's broken. But only in Safari/Chrome/IE like he says. If you're in Firefox you get an alert box warning you that it could be malicious and click OK to execute anyway or Cancel. I don't get the alert box in Safari, it just does it.
The alert box in question is generated like this:
+ ' which can possibly be harmful. The full URL is:\n\n'
Apparently something is causing the other browsers to ignore the onclick?
@Dave Miller that is a really strange way of trying to address this problem.
Oops, it's worse than that. It's not what browser you're using, it's whether you're logged in or not. The not-logged-in version of the page doesn't have the onclick code. Yikes.
(In reply to comment #8)
> @Dave Miller that is a really strange way of trying to address this problem.
Yes, it is, and Bugzilla upstream doesn't allow those to be clicked at all. But because this site is used to track bugs in Firefox and Firefox has to be able to properly deal with those types of URLs, the developers need to be able to override it and use them anyway. The best compromise was to put up a warning (it's a local customization on this site).
@Dave Miller Interesting, I can see that. Nice catch on the not-logged-in condition.
And this is why our customization didn't catch it. Upstream doesn't either. This is an upstream bug after all.
Make sure you're not logged in on landfill when you view the above link.
Bug 619588 already modifies this code, so we'll need to patch on top of that.
Created attachment 506145 [details] [diff] [review]
patch - v1
I think this should work. Going to test it now.
(In reply to comment #14)
> I think this should work. Going to test it now.
Works fine from my testing. Ready for review.
(In reply to comment #13)
> Bug 619588 already modifies this code, so we'll need to patch on top of that.
It's IMO a dupe of that bug, and patches should be merged together.
(In reply to comment #16)
> (In reply to comment #13)
> > Bug 619588 already modifies this code, so we'll need to patch on top of that.
> It's IMO a dupe of that bug, and patches should be merged together.
They aren't the same issue. Bug 619588 deals with spaces evading the safeguards. This bug deals with the safeguards not being used at all on not-logged-in pages. While they affect the same code area, the issues themselves are very different.
Comment on attachment 506145 [details] [diff] [review]
patch - v1
This bug will be fixed by bug 619588.
I know this probably doesn't matter to you but Google paid me $500 for an identical xss vector.
Just out of curiosity do you know how many times one of my Mozilla bug reports has been mapped some crusty old bug id?
(In reply to comment #21)
> Frédéric Buclin:
> Just out of curiosity do you know how many times one of my Mozilla bug reports
> has been mapped some crusty old bug id?
Bug 619588 has nothing to do with this bug. It just happens to be a security issue affecting similar code to this bug, so it was decided to just combine the fix for this issue into that patch.
Note that Max and Frédéric are just Bugzilla developers and have nothing to do with Mozilla's Security Bug Bounty program (Bugzilla is just one project in the larger Mozilla community). If you have specific questions about the bounty program (such as what you asked in comment #21), please e-mail email@example.com.
dveditz, need a CVE for this one.
Thanks for setting me straight. I didn't realize your bug system worked that way. A CVE with my name on it would be awesome: Michael Brooks (Sitewatch)
I'm sorry I misunderstood the system. I realize now that you are just doing your job.
(In reply to comment #24)
> Thanks for setting me straight. I didn't realize your bug system worked that
Unlike Google, we give you a direct line to the developers fixing the issue, so you can interact and see current progress. As such, the bugs you file are the same ones the app developers are using to fix the issue, so not all discussions might directly relate to you specifically. If you ever have a question about this process or a concern about anything you're not sure about, feel free to shoot it to firstname.lastname@example.org, and we will do our best to answer you. :)
> A CVE with my name on it would be awesome: Michael Brooks (Sitewatch)
CVEs don't include names (just problem descriptions), but the security advisory to be released that contains this issue will include your name in the credits.
Call this CVE-2011-0048
Bug 619588 committed on all branches 3.2 and higher.
Security advisory sent. Removing the security flag.
VERIFIED that unsafe dialog appears for a user that isn't logged in
(In reply to comment #30)
> VERIFIED that unsafe dialog appears for a user that isn't logged in
err, the URI isn't linked for not-logged-in users, which fixes the problem.