Bug 725528 - Perform Security Review for DTPT Facebook Tab Phase 2
Status: Closed (VERIFIED FIXED)
Opened 12 years ago; Closed 12 years ago
Categories: mozilla.org :: Security Assurance: Applications (task)
Tracking: Not tracked
People: Reporter: ckoehler, Assigned: rforbes
Details
NOTE: Nobox still needs to merge the new tab code into Github. Testing should not begin until that has been done and stage has been updated.

1. A quick intro to what this app does.
This is the second iteration of a Facebook application tab for the DTPT campaign. It should be tested within Facebook. Description of what the tab does: https://wiki.mozilla.org/Websites/De_Todos_Para_Todos#Facebook_Tab_Phase_II_mechanics

2. Where is the source code located?
https://github.com/Nobox/Mozilla-DeTodosParaTodos-Site/tree/master/tab

3. Is there a stage server running that we can also test against? If so, please indicate what machine the web server is running on.
Prod URL: http://detodosparatodos.org/tab/
Dev URL: http://detodosparatodos-dev.allizom.org/tab/
Stage URL: http://detodosparatodos.allizom.org/tab/
(Credentials for Dev and Stage on intranet and in bug 701575)
Facebook environment: http://noboxapps.com/mozilla/dtpt_p2/?lang=es

4. Where would you like the bugs filed in bugzilla? Please specify the product, component and if anyone specific should be copied on the bugs.
Product / Component: Websites :: detodosparatodos.org
CC: ckoehler@mozilla.com, david@nobox.com
Quick link: http://bit.ly/wzAgMg

5. Will this application be collecting any personally identifiable information from users (email address, physical address, phone number, etc)?
No. It does keep a count of how many people add the application to Facebook.

6. Please describe if this app will be connecting to any internal or external services or if it is able to interact with the OS.
The app is meant to be part of the Firefox Facebook page. It does not connect to any other services besides FB.

7. Does this app support logins or multiple roles? If so, we'll need test accounts created for each available role.
It supports logins through Facebook (you have to be logged in to Facebook in order to use it). Multiple roles are not supported.

8. What is the worst case scenario that could happen with this system, data or connected systems? (This is used to help understand the criticality of this server.)
If this code were compromised, it could potentially collect information from a user's Facebook profile and post to their Wall.

9. Does this website contain an administration page? If so, have the admin page blockers (listed here) all been addressed?
No.

10. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?
As soon as you are able to test.
Reporter
Comment 1•12 years ago
We've rolled back the new FB tab code temporarily in order to release a hotfix. We should be done with this by the end of today. I'll update this ticket when the app tab is available again for testing on dev and stage.
We have placed the Tab back on the Github. https://github.com/Nobox/Mozilla-DeTodosParaTodos-Site/commit/bcbe48eefacb112445036d12fd710aaf24db1bd0
Reporter
Comment 3•12 years ago
I included the wrong link to the app within Facebook, here is the correct one: http://www.facebook.com/NoboxApps?sk=app_135738119881176
Reporter
Comment 4•12 years ago
Correction, this is the version of the tab that's hosted on our servers: https://www.facebook.com/NoboxApps?sk=app_388204674540127 You'll be prompted for a username and password. These credentials are the same as the ones for the dev and stage site and you can find them on the intranet or mana and in bug 701575.
Reporter
Comment 5•12 years ago
Any update on when this is scheduled to happen? QA review has completed.
Assignee
Comment 6•12 years ago
:ckoehler I went through the code and I have only one concern so far. The PHP line that loads the language does no checking to validate the PHP is a valid language file. As it stands, this isn't a huge deal as the app supports one language and that language is hard coded into the app. What is the thought when you want to add more languages?
Reporter
Comment 7•12 years ago
(In reply to Raymond Forbes[:rforbes] from comment #6)
> :ckoehler i went through the code and I have only one concern so far. The php line that loads the language does no checking to validate the php is a valid language file. As it stands, this isn't a huge deal as the app supports one language and that language is hard coded into the app. What is the thought when you want to add more languages?

Good question; this campaign is specifically targeted for the Latin American market, so I think it's very unlikely that additional languages will be added.
Assignee
Comment 8•12 years ago
Do you not see a need for both Spanish and Portuguese?
Assignee: infrasec → rforbes
Reporter
Comment 9•12 years ago
(In reply to Raymond Forbes[:rforbes] from comment #8)
> do you not see a need for both Spanish and Portuguese?

The app does support pt-br and es-ar (that's what the 'Argentina' and 'Brasil' links are in the upper-right corner).
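Comment 6 raises the concern that the line loading the language file performs no validation, and comment 9 names the two locales the tab actually ships (es-ar and pt-br). The following PHP is an added illustration of how a loader can be written so that the request can never select anything outside a fixed set; it is not the tab's own code, and the locale codes, directory layout, and the convention that each language file returns an array are assumptions made for the example.

```php
<?php
// Added example, not code from the DTPT tab. Assumed layout: one file per locale
// under a fixed directory, each returning an associative array of strings.

const SUPPORTED_LOCALES = ['es-ar', 'pt-br'];   // the two locales named in comment 9
const DEFAULT_LOCALE    = 'es-ar';

/**
 * Map the requested locale onto the allowlist. Anything that is not an exact
 * match falls back to the default, so the value used to build a file path is
 * always one of a handful of constants rather than request input.
 */
function resolve_locale(?string $requested): string
{
    if ($requested === null) {
        return DEFAULT_LOCALE;
    }
    $requested = strtolower(trim($requested));
    return in_array($requested, SUPPORTED_LOCALES, true) ? $requested : DEFAULT_LOCALE;
}

/**
 * Load the strings for a locale. The path is assembled only from the fixed
 * directory and an allowlisted locale, and a missing file for a supported
 * locale is treated as a deployment error instead of silently picking another.
 */
function load_strings(?string $requested, string $langDir): array
{
    $locale = resolve_locale($requested);
    $path   = $langDir . DIRECTORY_SEPARATOR . $locale . '.php';

    if (!is_file($path)) {
        throw new RuntimeException("Missing language file for locale '$locale'");
    }

    $strings = require $path;   // assumed convention: the file returns an array
    if (!is_array($strings)) {
        throw new RuntimeException("Language file for '$locale' did not return an array");
    }
    return $strings;
}

// Usage with the ?lang= query parameter seen on this bug's Facebook URL.
// "es", "pt-br" and "../../something" all resolve to a constant from the list:
// the first and last fall back to es-ar, the second selects pt-br.
$strings = load_strings($_GET['lang'] ?? null, __DIR__ . DIRECTORY_SEPARATOR . 'lang');
```

Adding a third locale under this scheme means adding one entry to SUPPORTED_LOCALES and one file, which keeps the check in comment 6 meaningful as the list grows.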
Comment 10•12 years ago
Hi everyone. This tab is only intended to be in Spanish and Portuguese since this is a LATAM-specific effort. Let us know if you have any questions. Would love to go Live with this Monday. We have a media campaign pending going live with this tab that would be great to launch soon.
Assignee
Comment 11•12 years ago
You look good. Go ahead and launch this.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
Keywords: sec-review-needed
Assignee
Updated•12 years ago
Status: RESOLVED → VERIFIED
Updated•12 years ago
Keywords: sec-review-needed
Whiteboard: [pending secreview]