919357 - Needinfo extension does not escape user names

Status: RESOLVED FIXED

(bugzilla.mozilla.org :: Extensions, defect)

Description

[Simon Green]

Attachment: needinfo-fix-v1.patch

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0 (Beta/Release)
Build ID: 20130917102605

Steps to reproduce:

1) Visit https://bugzilla.mozilla.org/show_bug.cgi?id=469018
2) Towards the bottom of the page, change the needinfo to the assignee


Actual results:

Displays 'Simon Green'


Expected results:

Displays 'Simon Green <sgreen@redhat.com>'

Comment 1

[Simon Green]

Marking this as a security bug, since it would not escape a user name that contained Javascript for example. This could lead to all sort of nasties.

Comment 2

[:glob ✱]

Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bmo/4.2/
modified extensions/Needinfo/template/en/default/bug/needinfo.html.tmpl
Committed revision 9029.

Comment 4

[Gervase Markham [:gerv]]

How can we make this less likely to happen in the future? Have and use a combined htmljs filter? Get some lint thing to specifically check for both html and js escaping between <script> tags?

Gerv

Comment 5

[Daniel Veditz [:dveditz]]

Given the user interaction required I find it hard to rate this as sec-critical. Your best bet at pulling this off as an attack is to file a concerning but incomplete bug against your potential victim and hope they needinfo? the reporter rather than just ask in a comment. And do so without having initially noticed that your user name at the top of the bug report included "<script src=attack.js>" or whatever.