SecReview: Update Mozilla Hacks WordPress Editorial Calendar plugin

Status: VERIFIED FIXED

mozilla.org
Security Assurance: Review Request
People

(Reporter: Robert Nyman, Assigned: st3fan)

Details

(Whiteboard: [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd])

(Reporter)

Description

5 years ago
More info at https://hacks.mozilla.org/wp-admin/plugins.php?plugin_status=upgrade
Whiteboard: [pending secreview] → [pending secreview][triage needed]
Assignee: nobody → mfuller
Whiteboard: [pending secreview][triage needed] → [pending secreview][start yyyy-mm-dd][target yyyy-mm-dd]

Updated

5 years ago
Blocks: 793148

Comment 1

5 years ago
I'm assigning Stefan to this bug, as it looks like a good first WP review for him to do.
Assignee: mfuller → sarentz
(Assignee)

Updated

5 years ago
Status: NEW → ASSIGNED
(Assignee)

Comment 2

5 years ago
Robert, just to be sure, this is about the following plugin right?

http://wordpress.org/extend/plugins/editorial-calendar/
(Assignee)

Comment 3

5 years ago
I reviewed version 2.5

In the PHP code my only worry is the edcal_echoFile() function, which states "This is a utility function to open a file add it to our output stream." It seems, however, that this is only used with hard-coded file names that are relative to dirname(__FILE__).

The AJAX calls are protected by a nonce (CSRF token), so that is good.

The app only does queries on posts using the provided WordPress APIs.

It does not execute shell commands. It does not reimplement WordPress functionality and instead uses WordPress-provided functions.

Most of the work is done in JavaScript.

The JS code has unit tests, described as: "It is only loaded if you add the qunit=true parameter to the URL for the calendar." I would recommend simply deleting the edcal_tests.js file completely from the deployment.

The lib directory contains a lot of JS libraries. It might be a good idea to remove all libraries that are not used for this deployment. The following are optional and, I think, not used in a default install (see edcal_scripts()): jquery.bgiframe.js, humanmsg.js, jquery.timepicker.js, tools.scrollable-1.1.2.js, tools.scrollable.mousewheel-1.0.1.js, json2.js

The admin UI (the new Calendar option under Posts) does its work by making AJAX calls to the PHP code. All calls are CSRF protected (WordPress calls it a request nonce), so it is very difficult to redirect a malicious link to this plugin.
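The two controls the review above leans on, a file-echo helper that only ever sees hard-coded names relative to dirname(__FILE__) and AJAX handlers gated by a WordPress request nonce, written out as a minimal plugin. This is an added example for illustration, not the Editorial Calendar plugin's own code; the `edcal_demo_*` function names, the `edcal-demo` nonce action, the `edcal_demo_move` AJAX action and the allowed file list are all assumptions. The weak handler is shown only for contrast and is deliberately not registered with `add_action`.

```php
<?php
// Added example (not the Editorial Calendar plugin's code). All 'edcal_demo'
// names and the 'edcal-demo' nonce action are assumptions for this illustration.

// 1. File echo restricted to a fixed set of names next to this file.
//    Membership in a hard-coded list plus dirname(__FILE__) means request data
//    never becomes part of the path, so there is no traversal surface.
function edcal_demo_echo_file($name) {
    static $allowed = array('calendar.css', 'calendar.js'); // constructed list
    if (!in_array($name, $allowed, true)) {
        return false;
    }
    readfile(dirname(__FILE__) . '/' . $name);
    return true;
}

// 2a. What the review would have flagged: no nonce, no capability check, so a
//     request forged from another site rides on the victim's logged-in cookie.
function edcal_demo_weak_handler() {
    $post_id = intval($_POST['post_id']);
    wp_update_post(array('ID' => $post_id, 'post_date' => sanitize_text_field($_POST['date'])));
    wp_send_json_success();
}

// 2b. The pattern the plugin follows: the nonce proves the request came from a
//     page WordPress rendered for this user; capabilities still decide authority.
function edcal_demo_hardened_handler() {
    // Dies with HTTP 403 unless $_POST['nonce'] is a valid nonce for the
    // 'edcal-demo' action bound to the current user's session.
    check_ajax_referer('edcal-demo', 'nonce');

    if (!current_user_can('edit_posts')) {
        wp_send_json_error('insufficient permissions');
    }
    $post_id = isset($_POST['post_id']) ? intval($_POST['post_id']) : 0;
    if ($post_id <= 0 || !current_user_can('edit_post', $post_id)) {
        wp_send_json_error('cannot edit this post');
    }
    $date = isset($_POST['date']) ? sanitize_text_field(wp_unslash($_POST['date'])) : '';

    // Second argument asks wp_update_post() to return a WP_Error on failure.
    $result = wp_update_post(array('ID' => $post_id, 'post_date' => $date), true);
    if (is_wp_error($result)) {
        wp_send_json_error($result->get_error_message());
    }
    wp_send_json_success(array('post_id' => $post_id));
}
add_action('wp_ajax_edcal_demo_move', 'edcal_demo_hardened_handler');

// 3. The admin page hands the nonce to the calendar script, which must send it
//    back as the 'nonce' field of every admin-ajax.php request.
function edcal_demo_enqueue() {
    wp_enqueue_script('edcal-demo', plugins_url('calendar.js', __FILE__), array('jquery'), '1.0', true);
    wp_localize_script('edcal-demo', 'edcalDemo', array(
        'ajaxUrl' => admin_url('admin-ajax.php'),
        'action'  => 'edcal_demo_move',
        'nonce'   => wp_create_nonce('edcal-demo'),
    ));
}
add_action('admin_enqueue_scripts', 'edcal_demo_enqueue');
```

The nonce and the capability check answer different questions: check_ajax_referer() rejects requests that did not originate from a page WordPress served to this user (the CSRF case tested in Comment 4), while current_user_can() decides whether that user may touch the given post at all. Dropping either one leaves a gap the other does not cover.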
(Assignee)

Comment 4

5 years ago
Using ZAP I have tried to forge requests to the admin AJAX code to post new entries. The code seems to correctly check the nonce and cookie (session) and does not allow me to make changes without being properly logged in.
(Reporter)

Comment 5

5 years ago
Thanks for evaluating!
This plugin isn't that important to the Hacks blog, so if it has issues, we don't have to use it.

Just let me know what you prefer.

Thanks!
(Assignee)

Comment 6

5 years ago
Hi Robert, I think it is all good. This is my first review so I just need to follow up with my colleagues on how to officially sign off on it tomorrow.
(Reporter)

Comment 7

5 years ago
No worries, I appreciate the dedication and doing it properly! :-)
(Assignee)

Updated

5 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Assignee)

Updated

5 years ago
Status: RESOLVED → VERIFIED