Closed
Bug 781165
Opened 12 years ago
Closed 12 years ago
Persistent XSS in bugzilla.mozilla.org
Categories
(bugzilla.mozilla.org :: General, defect)
RESOLVED
INVALID
People
(Reporter: plitvix, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:14.0) Gecko/20100101 Firefox/14.0.1
Build ID: 20120713134347

Steps to reproduce:
Created a new bug, added data:text/html;base64whdfghdfgh,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+ as URL.

Actual results:
As user clicks on that link, javascript code that is encoded in base64 will get executed. I know it is a long shot, but better safe than sorry.

Expected results:
Check if url begins with http:// or https:// and prevent data: urls.
Comment 2•12 years ago
When I click that link in the url field, I get an alert saying the URL is unsafe and could potentially be harmful and asking me whether I really want to open it, precisely because it would run the JS if followed. Are you not getting that alert?
Comment 3•12 years ago
Indeed, I don't see any problem. This seems to be working as expected...
Group: core-security → bugzilla-security
Component: Security → General
Product: Core → bugzilla.mozilla.org
Version: unspecified → Production
Comment 4•12 years ago
A warning is thrown for any unsafe or unrecognized values entered in the URL field before the value is used. So I don't see this as being a concern, as the user is properly warned. dkl
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Updated•12 years ago
Group: bugzilla-security
Comment 5•12 years ago
Sorry for this, I should have checked that proper URLs don't need confirmations. But why keep this, and not filter it like Bug URLs (can't submit if no http or https)?
Comment 6•12 years ago
(In reply to plitvix from comment #5)
> Sorry for this, I should have checked that proper URLs don't need
> confirmations.
> But why keeping this, and not filtering it like Bug URLS (cant submit if no
> http or https)?

Because it's useful for Mozilla developers who deal with data: and javascript: URLs. By default, Bugzilla will not allow such URLs. This is a bugzilla.mozilla.org-only customization, as requested by our developers.
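The two behaviours the thread describes (stock Bugzilla accepting only http/https in the URL field, the bugzilla.mozilla.org customization additionally accepting data:/javascript: behind a confirmation) can be modelled as a scheme classifier. The following is an added example, not Bugzilla's own code; the allowed and warn-listed schemes, the browser-style whitespace normalisation, and the function name are assumptions.

```python
import re
from typing import Optional, Tuple

# Assumption: stock Bugzilla accepts only these schemes in the URL field.
DEFAULT_ALLOWED = {"http", "https"}
# Assumption: the bmo customization accepts these but shows a confirmation first.
WARN_SCHEMES = {"data", "javascript"}

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def classify_url(value: str, allow_unsafe: bool = False) -> Tuple[str, Optional[str]]:
    """Classify a URL-field value as ('ok' | 'warn' | 'reject', scheme).

    allow_unsafe=False models stock Bugzilla; True models the bmo customization
    where data:/javascript: values are accepted but trigger a warning dialog.
    """
    # Normalise the way browsers do before resolving a URL: drop leading and
    # trailing C0 controls/spaces, and remove tab/newline anywhere. Without this
    # a naive startswith("http") check can be bypassed by " JavaScript:" or
    # "java\tscript:", which a browser would still treat as javascript:.
    cleaned = value.strip(_C0_AND_SPACE)
    cleaned = re.sub(r"[\t\n\r]", "", cleaned)

    m = _SCHEME_RE.match(cleaned)
    if not m:
        # No recognisable scheme (relative path, bare hostname): unrecognized value.
        return ("reject", None)

    scheme = m.group(1).lower()
    if scheme in DEFAULT_ALLOWED:
        return ("ok", scheme)
    if allow_unsafe and scheme in WARN_SCHEMES:
        return ("warn", scheme)
    return ("reject", scheme)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real bug.
    for sample in ["https://bugzilla.mozilla.org/", " JavaScript:void(0)",
                   "data:text/plain,hello", "example.org/path"]:
        print(repr(sample), "->", classify_url(sample, allow_unsafe=True))
```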