Closed
Bug 38859
Opened 25 years ago
Closed 24 years ago
createaccount.cgi needs to escape untrusted value for e-mail address (but maybe de-escape @ symbol)
Categories: Bugzilla :: Bugzilla-General, defect, P3
Status: RESOLVED FIXED
Target Milestone: Bugzilla 2.14
People: Reporter: jruderman, Assigned: tara
Whiteboard: security
Attachments: 3 files (three patches; attachment contents deleted)
No description provided.
Reporter
Comment 1•25 years ago
Occurs on both createaccount.cgi and the "log in" link at the bottom.
This escaping might need to be done on both branches (password e-mailed, bogus e-mail address).
Updated•24 years ago
Whiteboard: 2.14
Updated•24 years ago
Whiteboard: 2.14 → 2.14,security
Comment 2•24 years ago
moving to real milestones...
Whiteboard: 2.14,security → security
Target Milestone: --- → Bugzilla 2.14
Comment 3•24 years ago
Comment 4•24 years ago
This attachment patches CGI.pl's CheckEmailSyntax function to escape the characters < , > , and & in the invalid email address that gets displayed to the user as part of the error message when the user submits an invalid address.

This method of filtering bad characters is generally considered less secure than the alternate approach of allowing good characters (see e.g. the CERT advisory linked from bug 38856). Is it sufficient in this situation?

The most secure approach in this situation is not to display the invalid email address at all, which is the approach I took in the data validation error messages in bug 38854 and bug 38855.
Comment 5•24 years ago
Updated•24 years ago
Comment 6•24 years ago
Hmm... which one's better? Guess that's the question. Showing the e-mail address as typed allows the user to see if they made a typo so they can slap themselves on the forehead (BTW, that encoding could be done with the 'html_quote()' sub). I think that would be considered "good enough" as it's the routine used to sanitize everything else sent to the user (such as this comment :)
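As an added example (not the attachment from this bug and not Bugzilla's own html_quote), a Perl sketch of the two approaches discussed in comments 4 and 6: quoting <, > and & before the typed address is echoed into the error message, beside the allow-list alternative that only echoes an address made of expected characters. The helper names, the allow-list and the sample address are assumed or constructed here.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla's code: escaping an untrusted e-mail address
# before it is echoed in an HTML error message, plus the allow-list option.
use strict;
use warnings;

# Minimal html_quote-style helper (assumed; Bugzilla's own sub may differ).
# '&' must be replaced first, otherwise the '&' introduced by '&lt;' and
# '&gt;' would itself be escaped a second time.
sub html_quote {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}

# Allow-list alternative (assumed, deliberately narrow): echo the address
# only if every character is one expected in an address; otherwise show a
# placeholder, which is comment 4's "don't display it at all" option.
sub display_address {
    my ($addr) = @_;
    return $addr =~ /\A[A-Za-z0-9._+\@-]+\z/
        ? html_quote($addr)          # still quote, belt and braces
        : '(address not shown)';
}

# Constructed invalid address carrying the three characters the patch escapes.
my $bad = q{<b>joe</b>&co@example.com};

print "Unescaped (vulnerable): The e-mail address $bad is invalid.\n";
print "Escaped (patched):      The e-mail address ", html_quote($bad),
      " is invalid.\n";
print "Allow-list:             The e-mail address ", display_address($bad),
      " is invalid.\n";
```

The escaped line renders the markup as literal text (`&lt;b&gt;joe&lt;/b&gt;&amp;co@example.com`), while the allow-list variant declines to echo it at all.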
Comment 7•24 years ago
Comment 8•24 years ago
OK, looks good to me.
r=jake
Comment 9•24 years ago
r=justdave
Checked in.
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 10•23 years ago
Moving to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
Updated•12 years ago
QA Contact: matty_is_a_geek → default-qa