
Kill longdesclength

RESOLVED FIXED in Bugzilla 5.0

Status


Bugzilla
Creating/Changing Bugs
--
enhancement
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: Frédéric Buclin, Assigned: Frédéric Buclin)

Tracking

Bugzilla 5.0
Bug Flags:
approval +

Details

Attachments

(1 attachment)

(Assignee)

Description

4 years ago
The longdesclength parameter is used for midair collisions only, to know how many comments to display in the midair collision page, and to decide if this page should be displayed or not. One way to abuse the validator is to pass a large enough number so that

  my $do_midair = scalar @$comments > $start_at ? 1 : 0;

always returns 0. As we know delta_ts, we should use it instead to determine if there are new comments. If the attacker also tries to hack delta_ts (if set to a date in the future, the midair collision check will be happy and let it go through), then the token check will catch the timestamp mismatch and so there is no way for the attacker to go past this step.
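
The two checks described in the report above, side by side, as an added example that is not part of the original report and is not Bugzilla's own code. The function names, the HMAC-based token, the secret and the sample bug data are all assumptions constructed for illustration.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

my $SECRET = 'constructed-server-secret';    # hypothetical site secret

# Constructed server-side state: a bug that gained a third comment at 09:30.
my %bug = (
    id       => 42,
    delta_ts => '2013-11-10 09:30:00',
    comments => [ 'first', 'second', 'added by someone else' ],
);

# Hypothetical token issued with the edit form; it binds the form to the
# delta_ts that was shown to the user.
sub issue_token {
    my ($bug_id, $delta_ts) = @_;
    return hmac_sha256_hex("$bug_id:$delta_ts", $SECRET);
}

# Old check: the comment count comes from the request, so any value at or
# above the real count suppresses the midair collision page.
sub midair_by_count {
    my ($bug, $form) = @_;
    my $start_at = $form->{longdesclength};
    return scalar @{ $bug->{comments} } > $start_at ? 1 : 0;
}

# Check proposed in the report: compare delta_ts, and reject the request when
# the submitted delta_ts is not the one the token was issued for.
# (A production check would compare the token in constant time.)
sub midair_by_delta_ts {
    my ($bug, $form) = @_;
    return 'bad_token'
        if $form->{token} ne issue_token($bug->{id}, $form->{delta_ts});
    return $form->{delta_ts} lt $bug->{delta_ts} ? 'midair' : 'ok';
}

# The form was loaded at 09:00, when only two comments existed.
my $token    = issue_token($bug{id}, '2013-11-10 09:00:00');
my %honest   = (longdesclength => 2,   delta_ts => '2013-11-10 09:00:00', token => $token);
my %inflated = (longdesclength => 999, delta_ts => '2099-01-01 00:00:00', token => $token);

printf "count check:    honest=%d inflated=%d\n",
    midair_by_count(\%bug, \%honest), midair_by_count(\%bug, \%inflated);
printf "delta_ts check: honest=%s inflated=%s\n",
    midair_by_delta_ts(\%bug, \%honest), midair_by_delta_ts(\%bug, \%inflated);
```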
(Assignee)

Comment 1

4 years ago
Created attachment 829773
patch, v1
Assignee: create-and-change → LpSolit
Status: NEW → ASSIGNED
Attachment #829773 - Flags: review?(dkl)
(Assignee)

Comment 2

4 years ago
FYI, sort_order in bug/comments.html.tmpl is no longer used since Bugzilla 4.2, see bug 827983.
Comment on attachment 829773
patch, v1

Review of attachment 829773:
-----------------------------------------------------------------

r=dkl
Attachment #829773 - Flags: review?(dkl) → review+

Updated

4 years ago
Flags: approval?

Updated

4 years ago
Flags: approval? → approval+
(Assignee)

Comment 4

4 years ago
Committing to: bzr+ssh://lpsolit%40gmail.com@bzr.mozilla.org/bugzilla/trunk/
modified email_in.pl
modified process_bug.cgi
modified template/en/default/bug/comments.html.tmpl
modified template/en/default/bug/edit.html.tmpl
modified template/en/default/bug/process/midair.html.tmpl
Committed revision 8812.
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → Bugzilla 5.0