778244 - [sec review] wordpress plugin to set admin language different from blog language

Status: VERIFIED FIXED

(mozilla.org :: Security Assurance: Review Request, task)

Description

[Craig Cook (:craigcook)]

1. Who is/are the point of contact(s) for this review?

Myself


2. Please provide a short description of the feature / application (e.g. problem solved, use cases, etc.):

We have a few blogs in non-English languages that need to be administrated by English speakers (currently blog.mozilla.org/laguaridadefirefox with more to come). To properly localize a blog we need to specify the language in a configuration file, which sets the language for the entire blog, both front-end and back-end. We also have English blogs whose authors may prefer to read the admin panel in their native language even if they're blogging in English. This plugin allows a blog's front-end to be a different language from its back-end, and lets the individual user select her/his preferred admin language.


3. Please provide links to additional information (e.g. feature page, wiki) if available and not yet included in feature description:

The only available documentation is at http://wordpress.org/extend/plugins/kau-boys-backend-localization/ or http://kau-boys.de/230/wordpress/kau-boys-backend-localization-plugin in German. You can browse the code repository at http://plugins.trac.wordpress.org/browser/kau-boys-backend-localization including revision history, if that's at all helpful. 

The plugin hasn't been updated in some time, but that may just mean it hasn't needed it. It works with current versions of WP in my own local testing and it's not much code (a single PHP file less than 300 lines).


4. Does this request block another bug? If so, please indicate the bug number
   
Blocks bug 772418 - Portuguese version of The Den
 

5. This review will be scheduled amongst other requested reviews. What is the urgency or needed completion date of this review?

We need to get the Portuguese Den online by the end of Q3. To allow some lead time it would be great to get this plugin reviewed by the end of August.


6. To help prioritize this work request, does this project support a goal specifically listed on this quarter's goal list? If so, which goal?

We're releasing Firefox OS in Brazil at the end of Q3 (or is it early Q4?) so Brazil is a priority locale. The pt-BR Den is part of the engagement strategy for that launch.


7. Please answer the following few questions: (Note: If you are asked to describe anything, 1-2 sentences shall suffice.)

> Does this feature or code change affect Firefox, Thunderbird or any product or service the Mozilla ships to end users?
 
No.
   
> Are there any portions of the project that interact with 3rd party services?
 
No.

> Will your application/service collect user data? If so, please describe 

No.

Comment 1

[Matt Fuller :mfuller]

Time to break out my (non existent) German :) I'll take this and have it for you shortly.

Thanks,
Matt Fuller

Comment 2

[Matt Fuller :mfuller]

I've finished the review of this plugin; only one issue was found: an XSS vulnerability which I am creating a blocking bug for.

The way the plugin uses the URL variable to set the language (such as en-US) allows an XSS by using an XSS payload. The selected language is included in a comment on every admin page, meaning it is saved and reflected. This will have to be fixed; either our devs can do it, or we can contact the plugin author to do so before we install.

Thanks,
Matt

Comment 3

[Matt Fuller :mfuller]

I'm attaching my review notes. Once the blocking bug is fixed, feel free to proceed with installation.

Thanks,
Matt

Comment 4

[Matt Fuller :mfuller]

Attachment: Security Review Report

Comment 5

[Craig Cook (:craigcook)]

Wow, thanks for the speedy turnaround! I would have been happy if you got to it some time next week. I'm glad the issues were minor, and I was hoping as much given how simple the plugin is. If we don't hear from the author in the next week or so we'll just fix it ourselves.

Comment 6

[Matt Fuller :mfuller]

No problem!

So I've tried to find contact info for the dev, and unfortunately, I cannot find any contact info for them besides a Twitter account and Facebook page. I think it'd be quickest if we just fix this issue before installation ourselves. Do you know who would be installing this? I can work with them to point out the exact location of the issue.

Thanks,
Matt

Comment 7

[Craig Cook (:craigcook)]

(In reply to Matt Fuller :mfuller from comment #6)

> So I've tried to find contact info for the dev, and unfortunately, I cannot
> find any contact info for them besides a Twitter account and Facebook page.

I found his contact page at http://kau-boys.de/impressum including an e-mail address, bernhardkau [at] kau-boys.de

I'll let you contact him since you're the expert and can explain the issue better. If he doesn't respond I can edit the code (and I'll file a separate bug for IT to push it to production). In that event I'd probably want to make our own fork with a different namespace, just to prevent possible conflicts down the road.

Comment 8

[Matt Fuller :mfuller]

Thanks, didn't see that - I'll go ahead and email him about this and I'll update this if he replies. If he doesn't, I'll give it a day or two and then we can try editing it ourselves.

Comment 9

[Matt Fuller :mfuller]

Hi Craig,

Just an update on this - the developer replied to the email I sent and released a fix. However, the fix still had a couple issues so I'm working with him to get a full fix and it should be finished in 1-2 days (he literally has to change one word in the code).

I'll update this and resolve the blocking bug as soon as he does.

Thanks!
Matt

Comment 10

[Matt Fuller :mfuller]

Hi - the plugin has been updated (see 2.0.2 at http://wordpress.org/extend/plugins/kau-boys-backend-localization/changelog/)

We should be good to go now :)

Thanks!
Matt