Contacts' "new" activity does not validate parameters

RESOLVED WONTFIX

Status

Firefox OS
Gaia::Contacts
P4
normal
RESOLVED WONTFIX
5 years ago
4 months ago

People

(Reporter: st3fan, Unassigned)

Tracking

unspecified
x86
Mac OS X

Firefox Tracking Flags

(tracking-b2g:backlog)

Details

(Reporter)

Description

5 years ago
The parameters of the "new" activity are not properly validated.

There are two: id and extras. Both of these are copied from the activity to the page request parameters and then used later.

I don't think you can do anything evil with the id parameter but it looks like the "extras" entries are blindly copied to a contact template.

This is where the params are copied: https://github.com/mozilla-b2g/gaia/blob/v1-train/apps/communications/contacts/js/activities.js#L32

And this is where they are used: https://github.com/mozilla-b2g/gaia/blob/v1-train/apps/communications/contacts/js/contacts.js#L79

Comment 1

5 years ago
They are blindly copied, but escaped when displaying. When you said something evil, did you mean script injection, or something I'm missing?
Thanks!
(Reporter)

Comment 2

5 years ago
Alberto, I don't know. I did not find any documentation on what parameters the activity accepts nor did I find a list in the code to limit what it accepts. I just think something needs to look at this to make sure no surprises can happen.

Comment 3

5 years ago
It makes sense to check those parameters with more care. I'll do that and avoid 'new' becoming an 'update' activity.
Thanks for the review!
blocking-b2g: --- → backlog
Whiteboard: priority=4
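
One way to do the check discussed in the description and in Comment 3, as an added example that is not part of the original bug or Gaia's code: copy only allow-listed `extras` keys into a fresh object and drop a caller-supplied `id`, in line with Comment 3's aim of keeping 'new' from becoming an 'update'. The function name, accepted field names, their shapes and the limits are assumptions, since the report notes that the accepted parameters are undocumented.

```javascript
// Added example. Field names and limits are assumptions, not Gaia's schema.
const MAX_LEN = 256, MAX_ITEMS = 10;

const shortString = (v) =>
  (typeof v === 'string' && v.length > 0 && v.length <= MAX_LEN ? v : null);

// Accept a list of {value: string} entries; copy only the known property.
function valueList(v) {
  if (!Array.isArray(v) || v.length === 0 || v.length > MAX_ITEMS) return null;
  const out = [];
  for (const item of v) {
    if (item === null || typeof item !== 'object') return null;
    if (shortString(item.value) === null) return null;
    out.push({ value: item.value });
  }
  return out;
}

// Allow-list: every accepted "extras" key and the check its value must pass.
const EXTRAS_SCHEMA = {
  givenName: shortString, familyName: shortString, company: shortString,
  tel: valueList, email: valueList,
};

// Returns a fresh object holding only validated extras, plus the names of
// everything dropped. Any top-level key other than "extras" (including a
// caller-supplied id) is rejected rather than copied.
function validateNewActivityParams(params) {
  const result = { extras: {}, rejected: [] };
  if (params === null || typeof params !== 'object') return result;
  for (const key of Object.keys(params)) {
    if (key !== 'extras') result.rejected.push(key);
  }
  const extras = params.extras;
  if (extras === null || typeof extras !== 'object' || Array.isArray(extras)) {
    return result;
  }
  for (const key of Object.keys(extras)) {
    const known = Object.prototype.hasOwnProperty.call(EXTRAS_SCHEMA, key);
    const clean = known ? EXTRAS_SCHEMA[key](extras[key]) : null;
    if (clean === null) result.rejected.push('extras.' + key);
    else result.extras[key] = clean;
  }
  return result;
}

// Constructed sample input (not taken from a real activity request).
const sample = JSON.parse('{"id":"42","extras":{"givenName":"Ana",' +
  '"tel":[{"value":"+15550100","onclick":"x"}],"photo":"x","__proto__":{}}}');
console.log(JSON.stringify(validateNewActivityParams(sample)));
```

Logging the `rejected` list on the receiving side shows which callers send parameters outside the accepted set.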
(Assignee)

Updated

3 years ago
blocking-b2g: backlog → ---
tracking-b2g: --- → backlog
Priority: -- → P4
Whiteboard: priority=4

Comment 4

4 months ago
Firefox OS is not being worked on
Status: NEW → RESOLVED
Last Resolved: 4 months ago
Resolution: --- → WONTFIX