Bug 800812 (Closed)
Opened 12 years ago; closed 12 years ago
SecReview: Update Mozilla Hacks WordPress Editorial Calendar plugin
Categories: mozilla.org :: Security Assurance: Review Request (task)
Tracking: Not tracked
Status: VERIFIED FIXED
People: Reporter: robert, Assigned: st3fan
Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Updated • 12 years ago
Whiteboard: [pending secreview] → [pending secreview][triage needed]

Updated • 12 years ago
Assignee: nobody → mfuller
Whiteboard: [pending secreview][triage needed] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]
Comment 1 • 12 years ago
I'm assigning Stefan to this bug, as it looks like a good first WP review for him to do.
Assignee: mfuller → sarentz
Updated • 12 years ago
Status: NEW → ASSIGNED
Comment 2 (Assignee) • 12 years ago
Robert, just to be sure, this is about the following plugin right?
http://wordpress.org/extend/plugins/editorial-calendar/
Comment 3 (Assignee) • 12 years ago
I reviewed version 2.5.
In the PHP code my only worry is the edcal_echoFile() function, which states "This is a utility function to open a file add it to our output stream." It seems however that this is only used with hard-coded file names that are relative to dirname(__FILE__).
The AJAX calls are protected by a nonce (CSRF token), so that is good.
The app only does queries on posts using the provided WordPress APIs.
It does not execute shell commands. It does not reimplement WordPress functionality and instead uses WordPress-provided functions.
Most of the work is done in JavaScript.
The JS code has unit tests; per the plugin's own note, "It is only loaded if you add the qunit=true parameter to the URL for the calendar." I would recommend simply deleting the edcal_tests.js file completely from the deployment.
The lib directory contains a lot of JS libraries. It might be a good idea to remove all libraries that are not used for this deployment. The following are optional and not used in a default install, I think (see edcal_scripts()): jquery.bgiframe.js, humanmsg.js, jquery.timepicker.js, tools.scrollable-1.1.2.js, tools.scrollable.mousewheel-1.0.1.js, json2.js
The admin UI (the new Calendar option under Posts) does its work by making AJAX calls to the PHP code. All calls are CSRF protected (WordPress calls it a request nonce), so it is very difficult to redirect a malicious link to this plugin.
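As an added illustration of the two properties the review above relies on (not code from the Editorial Calendar plugin or from Mozilla), the following sketch shows what a WordPress admin AJAX endpoint protected by a request nonce plus a capability check looks like, and a file-echo helper that only serves hard-coded names relative to the plugin directory. The action name `example_edcal_change_date`, the nonce field name, the `postid`/`newdate` parameters and the file names in the allowlist are all hypothetical; the WordPress functions used (`check_ajax_referer`, `wp_create_nonce`, `wp_localize_script`, `current_user_can`, `wp_update_post`, `wp_send_json_*`) are the real core API.

```php
<?php
// Added example, not the plugin's own code. Action, nonce, parameter and
// file names are hypothetical; the WordPress API calls are real.

// 1. Enqueue the calendar script and hand it a nonce for its AJAX calls.
function example_edcal_enqueue() {
    wp_enqueue_script('example-edcal', plugins_url('js/calendar.js', __FILE__), array('jquery'), '1.0', true);
    wp_localize_script('example-edcal', 'exampleEdcal', array(
        'ajaxUrl' => admin_url('admin-ajax.php'),
        // The nonce is bound to the action name and to the current user's session.
        'nonce'   => wp_create_nonce('example_edcal_change_date'),
    ));
}
add_action('admin_enqueue_scripts', 'example_edcal_enqueue');

// 2. AJAX handler, registered only for logged-in users (wp_ajax_, never
//    wp_ajax_nopriv_). It verifies the nonce first, then the capability.
function example_edcal_change_date() {
    // Dies with -1 / HTTP 403 if the 'nonce' POST field is missing or stale,
    // so a cross-site forged request never reaches the update below.
    check_ajax_referer('example_edcal_change_date', 'nonce');

    $post_id  = isset($_POST['postid']) ? absint($_POST['postid']) : 0;
    $new_date = isset($_POST['newdate']) ? sanitize_text_field(wp_unslash($_POST['newdate'])) : '';

    // A nonce proves intent, not authority: the user must still be allowed to edit this post.
    if (!$post_id || !current_user_can('edit_post', $post_id)) {
        wp_send_json_error(array('message' => 'not allowed'), 403);
    }
    // Accept only a strict YYYY-MM-DD date before handing it to the WordPress API.
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $new_date)) {
        wp_send_json_error(array('message' => 'bad date'), 400);
    }

    // Go through wp_update_post() rather than touching the posts table directly.
    $result = wp_update_post(array(
        'ID'            => $post_id,
        'post_date'     => $new_date . ' 00:00:00',
        'post_date_gmt' => get_gmt_from_date($new_date . ' 00:00:00'),
    ), true);

    if (is_wp_error($result)) {
        wp_send_json_error(array('message' => $result->get_error_message()), 500);
    }
    wp_send_json_success(array('postid' => $post_id, 'date' => $new_date));
}
add_action('wp_ajax_example_edcal_change_date', 'example_edcal_change_date');

// 3. File-echo helper. The review notes the plugin's edcal_echoFile() is only
//    called with hard-coded names relative to dirname(__FILE__); an explicit
//    allowlist makes that property hold regardless of how call sites evolve.
function example_edcal_echo_file($name) {
    static $allowed = array('edcal.html', 'help.html');  // hypothetical names
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    $path = __DIR__ . '/' . $name;  // never derived from request input
    $contents = file_get_contents($path);
    if ($contents === false) {
        return false;
    }
    echo $contents;
    return true;
}
```

The order inside the handler matters: the nonce check rejects forged requests before any input is parsed, the capability check enforces who may change which post, and only then does the sanitized value reach the WordPress post API. Removing unused script files from the deployment, as the review also recommends, simply shrinks the surface that such a handler has to defend.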
Comment 4 (Assignee) • 12 years ago
Using ZAP I have tried to forge requests to the admin AJAX code to post new entries. The code seems to correctly check the nonce and cookie (session) and does not allow me to make changes without being properly logged in.
Comment 5 (Reporter) • 12 years ago
Thanks for evaluating!
This plugin isn't that important to the Hacks blog, so if it has issues, we don't have to use it.
Just let me know what you prefer.
Thanks!
Comment 6 (Assignee) • 12 years ago
Hi Robert, I think it is all good. This is my first review so I just need to follow up with my colleagues on how to officially sign off on it tomorrow.
Comment 7 (Reporter) • 12 years ago
No worries, I appreciate the dedication and doing it properly! :-)
Updated • 12 years ago
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated • 12 years ago
Status: RESOLVED → VERIFIED