Bug 790215 - Flag names are not properly escaped when displayed on confirm user match page
Status: RESOLVED FIXED
Keywords: sec-low, wsec-xss
Product: Bugzilla
Classification: Server Software
Component: Attachments & Requests
Version: 4.2.3
Hardware: All All
Importance: -- normal
Target Milestone: Bugzilla 3.6
Assigned To: Reed Loden [:reed] (use needinfo?)
QA Contact: default-qa
Mentors:
Depends on:
Blocks: 835424

Reported: 2012-09-11 06:24 PDT by Mateusz Goik
Modified: 2013-01-28 10:07 PST
Flags:
LpSolit: approval+
LpSolit: approval4.4+
LpSolit: approval4.2+
LpSolit: approval4.0+
LpSolit: approval3.6+
See Also:
QA Whiteboard:
Iteration: ---
Points: ---

Attachments
patch - v1 (untested) (959 bytes, patch)
2012-09-11 07:40 PDT, Reed Loden [:reed] (use needinfo?)
LpSolit: review+

Description Mateusz Goik 2012-09-11 06:24:33 PDT
PoC:

1. http://localhost/cgi-bin/bug/editflagtypes.cgi

2.
Create Flag Type for Bugs ->

Name: <script>alert(1);</script>
Description: test

Click Create

3. example: http://localhost/cgi-bin/bug/show_bug.cgi?id=6

Flags: 	<script>alert(1);</script>: mail@examplemail.example

Click "Save Changes"

4.

 <tr>
      <td align="left" valign="top"><script>alert(1);</script> requestee:
      </td>
      <td align="left" valign="top">
            <div class="user_match">
              <b>mail&#64;examplemail.example</b>
                  <font color="#FF0000">did not match anything</font>
            </div>
      </td>
    </tr>
Comment 1 Reed Loden [:reed] (use needinfo?) 2012-09-11 07:40:11 PDT
Created attachment 660071 [details] [diff] [review]
patch - v1 (untested)

Maybe something like this? Not exactly sure why this particular thing was getting exempted from the filter...

This code has been around since bug 172518.
Comment 2 Frédéric Buclin 2012-09-11 11:31:42 PDT
Comment on attachment 660071 [details] [diff] [review]
patch - v1 (untested)

There is indeed no reason to make an exception for flag names, even if they are controlled by users with editcomponents privs only. As only power users can edit flag types, this bug is fortunately not critical. r=LpSolit
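The following is an added illustration of the point made in comments 1 and 2; it is example code written for this page, not Bugzilla's own Perl or Template Toolkit code. A small Python model renders the confirm-user-match row from the report, with a constructed exception set standing in for the role of filterexceptions.pl: template variables listed there bypass the automatic HTML filter. With the flag name exempted, the name is emitted raw; with the exemption removed, it is entity-encoded. The filter function is an assumption modelled on the behaviour visible in the report (the requestee address is shown as `mail&#64;examplemail.example`), and the variable names `flag.type.name` and `requestee` are placeholders, not the template's actual names.

```python
import html

# Constructed stand-in for a filter-exception list (the role played by
# template/en/default/filterexceptions.pl): variables named here are NOT
# passed through the HTML filter when rendered.
VULNERABLE_EXCEPTIONS = {"flag.type.name"}   # the exemption the patch removes
FIXED_EXCEPTIONS = set()                     # after the fix: no exemption

# Assumed HTML filter: entity-encode &, <, >, " and also @ (the report shows
# the address rendered as mail&#64;examplemail.example).
def html_filter(value):
    return html.escape(value, quote=True).replace("@", "&#64;")

def render_value(var_name, value, exceptions):
    """Apply the HTML filter unless the template variable is exempted."""
    if var_name in exceptions:
        return value              # raw: whatever the user typed lands in the page
    return html_filter(value)

def render_match_row(flag_name, requestee, exceptions):
    """Build the confirm-user-match table row shown in the bug description."""
    name = render_value("flag.type.name", flag_name, exceptions)   # placeholder var name
    who = render_value("requestee", requestee, exceptions)         # placeholder var name
    return (
        '<tr><td align="left" valign="top">'
        f"{name} requestee:</td>"
        '<td align="left" valign="top"><div class="user_match">'
        f"<b>{who}</b> "
        '<font color="#FF0000">did not match anything</font>'
        "</div></td></tr>"
    )

def reflects_unescaped(rendered, untrusted):
    """Regression check: an untrusted value containing markup characters must
    never appear verbatim in the rendered page."""
    return untrusted != html_filter(untrusted) and untrusted in rendered

if __name__ == "__main__":
    # Sample input taken from the report's description (constructed test data).
    flag = "<script>alert(1);</script>"
    requestee = "mail@examplemail.example"
    for label, exc in (("before fix", VULNERABLE_EXCEPTIONS), ("after fix", FIXED_EXCEPTIONS)):
        out = render_match_row(flag, requestee, exc)
        print(f"{label}: unescaped={reflects_unescaped(out, flag)}\n  {out}")
```

The `reflects_unescaped` check is the kind of assertion worth keeping in a template test suite: the flag-type name is only editable by users with editcomponents privileges, as comment 2 notes, but that does not make it trusted output, and any variable added to an exception list should come with a test showing why the filter can be skipped for it.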
Comment 3 Frédéric Buclin 2012-09-11 11:33:27 PDT
Approved for all supported branches (I checked that 3.6 was affected too). As flag types are controlled by power users only, there is no need for a security advisory. Simply remove the security flag once the patch is checked in.
Comment 4 Reed Loden [:reed] (use needinfo?) 2012-09-11 12:19:05 PDT
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 8388.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.4/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 8386.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 8137.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 7724.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.6/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 7300.
Comment 6 Al Billings [:abillings] 2012-09-24 15:25:43 PDT
This is a sec-low rated bug so it does not qualify for a bounty.