781165 - Persistent XSS in bugzilla.mozilla.org

Status: RESOLVED INVALID

(bugzilla.mozilla.org :: General, defect)

Description

[plitvix]

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:

Created a new bug, added 
data:text/html;base64whdfghdfgh,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+
as URL.


Actual results:

As user clicks on that link, javascript code that is encoded in base64 will get executed.
I know it is a long shot, but beter safe than sorry.


Expected results:

check if url begins with http:// or https:// and prevent data: urls.

Comment 2

[Boris Zbarsky [:bzbarsky]]

When I click that link in the url field, I get an alert saying the URL is unsafe and could potentially be harmful and asking me whether I really want to open it, precisely because it would run the JS if followed.  Are you not getting that alert?

Comment 3

[Reed Loden [:reed]]

Indeed, I don't see any problem. This seems to be working as expected...

Comment 4

[David Lawrence [:dkl]]

A warning is thrown for any unsafe or unrecognized values entered in the URL field before the value is used. So I don't see as this being a concern as the user is properly warned.

dkl

Comment 5

[plitvix]

Sorry for this, I should have checked that proper URLs don't need confirmations.
But why keeping this, and not filtering it like Bug URLS (cant submit if no http or https)?

Comment 6

[Reed Loden [:reed]]

(In reply to plitvix from comment #5)
> Sorry for this, I should have checked that proper URLs don't need
> confirmations.
> But why keeping this, and not filtering it like Bug URLS (cant submit if no
> http or https)?

Because it's useful for Mozilla developers who deal with data: and javascript: URLs. By default, Bugzilla will not allow such URLs. This is a bugzilla.mozilla.org-only customization, as requested by our developers.