Bug 790215 (Closed) - Opened 12 years ago, Closed 12 years ago
Flag names are not properly escaped when displayed on confirm user match page
Product/Component: Bugzilla :: Attachments & Requests (defect)
Status: RESOLVED FIXED
Target Milestone: Bugzilla 3.6
People: Reporter: mateusz.goik, Assigned: reed
Keywords: sec-low, wsec-xss
Attachments (1 file): patch, 959 bytes, LpSolit: review+
PoC:
1. http://localhost/cgi-bin/bug/editflagtypes.cgi
2. Create Flag Type for Bugs -> Name: <script>alert(1);</script> Description: test. Click Create.
3. example: http://localhost/cgi-bin/bug/show_bug.cgi?id=6 Flags: <script>alert(1);</script>: mail@examplemail.example. Click "Save Changes".
4.
<tr>
<td align="left" valign="top"><script>alert(1);</script> requestee: </td>
<td align="left" valign="top">
<div class="user_match">
<b>mail@examplemail.example</b>
<font color="#FF0000">did not match anything</font>
</div>
</td>
</tr>
Updated•12 years ago
Assignee: create-and-change → attach-and-request
Component: Creating/Changing Bugs → Attachments & Requests
OS: Linux → All
Hardware: x86 → All
Comment 1•12 years ago
Maybe something like this? Not exactly sure why this particular thing was getting exempted from the filter... This code has been around since bug 172518.
Assignee: attach-and-request → reed
Status: NEW → ASSIGNED
Attachment #660071 - Flags: review?(LpSolit)
Comment 2•12 years ago
Comment on attachment 660071 [details] [diff] [review]
patch - v1 (untested)

There is indeed no reason to make an exception for flag names, even if they are controlled by users with editcomponents privs only. As only power users can edit flag types, this bug is fortunately not critical. r=LpSolit
Attachment #660071 - Flags: review?(LpSolit) → review+
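An added example, not Bugzilla's own template code or the patch from this bug: a small Python stand-in for the mechanism discussed in comments 1 and 2, where a template directive that lacks an html filter is only tolerated if it is listed in an exception list (the role filterexceptions.pl plays here). The template text, the directive syntax and the function names are constructed for the example; the flag name and requestee address are the ones from the report's PoC.

```python
import html
import re

# Constructed stand-in for the confirm-user-match row quoted in the report.
# Directives are [% name %] or [% name FILTER html %]; only the latter escapes.
ROW_TEMPLATE = (
    '<tr><td align="left" valign="top">[% flag_name %] requestee: </td>'
    '<td align="left" valign="top"><div class="user_match">'
    '<b>[% requestee FILTER html %]</b> '
    '<font color="#FF0000">did not match anything</font></div></td></tr>'
)

DIRECTIVE = re.compile(r"\[%\s*(\w+)((?:\s+FILTER\s+\w+)*)\s*%\]")


def unfiltered_directives(template, exceptions=frozenset()):
    """Names emitted without an html filter and not listed as exempt.

    The exception set plays the role of filterexceptions.pl: an entry there
    silences the report for that directive instead of fixing the template.
    """
    problems = []
    for match in DIRECTIVE.finditer(template):
        name, filters = match.group(1), match.group(2).split()
        if "html" not in filters and name not in exceptions:
            problems.append(name)
    return problems


def render(template, values):
    """Expand directives; html.escape is applied only where FILTER html is present."""
    def expand(match):
        text = str(values[match.group(1)])
        if "html" in match.group(2).split():
            return html.escape(text, quote=True)
        return text
    return DIRECTIVE.sub(expand, template)


def check_and_render(template, values, exceptions=frozenset()):
    """Run the lint, then render; returns (problems, html_output)."""
    return unfiltered_directives(template, exceptions), render(template, values)


if __name__ == "__main__":
    flag = "<script>alert(1);</script>"  # the flag type name from the report's PoC
    values = {"flag_name": flag, "requestee": "mail@examplemail.example"}
    # Exempted: the lint is quiet and the raw markup reaches the page.
    print(check_and_render(ROW_TEMPLATE, values, exceptions={"flag_name"}))
    # Exemption removed and the directive filtered: lint clean, markup escaped.
    fixed = ROW_TEMPLATE.replace("[% flag_name %]", "[% flag_name FILTER html %]")
    print(check_and_render(fixed, values))
```

The first call shows why the exemption mattered: the lint passes while the script tag lands in the row verbatim, which is exactly the HTML in step 4 of the report; the second call shows the lint-clean, escaped result after the exemption is removed.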
Comment 3•12 years ago
Approved for all supported branches (I checked that 3.6 was affected too). As flag types are controlled by power users only, there is no need for a security advisory. Simply remove the security flag once the patch is checked in.
Flags: approval4.4+
Flags: approval4.2+
Flags: approval4.0+
Flags: approval3.6+
Flags: approval+
Target Milestone: --- → Bugzilla 3.6
Updated•12 years ago
Summary: Flags XSS → Flag names are not properly escaped when displayed on confirm user match page
Comment 4•12 years ago
Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/trunk/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 8388.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.4/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 8386.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.2/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 8137.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/4.0/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 7724.

Committing to: bzr+ssh://bzr.mozilla.org/bugzilla/3.6/
modified template/en/default/filterexceptions.pl
modified template/en/default/global/confirm-user-match.html.tmpl
Committed revision 7300.
Group: bugzilla-security
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 6•12 years ago
This is a sec-low rated bug so it does not qualify for a bounty.