Closed Bug 45784 Opened 24 years ago Closed 24 years ago

Bugzilla truncates URLs containing double quotes

Categories

(Bugzilla :: Bugzilla-General, defect, P3)

defect

Tracking

()

VERIFIED FIXED
Bugzilla 2.12

People

(Reporter: sfraser_bugs, Assigned: jacob)

References

()

Details

(Whiteboard: 2.12)

Attachments

(2 files)

Bugzilla truncates URLs containing double quotes. In the ULR field, I typed: javascript:prompt("Hello");
jst just hit this in bug 62517.
I can set a url containing the double-quote character when I create the bug or later, and e-mails show that the field is updated correctly. When I visit the bug, however, I don't see the " or anything after it, and when I submit additional changes to the bug, the value actually gets truncated. What's happening is that show_bug.cgi isn't escaping quotes in the url when it puts the url as the value for the "url" textbox. It also doesn't escape quotes for the href of the "url" link next to the textbox. This is a security hole that allows me to make you run a script that seems to come from bugzilla.mozilla.org (I've set up a demonstration at an old "test bug", bug bug 31322). It's not that much easier to exploit than bug 38862, which requires me to get you to click on an attachment and which doesn't seem likely to be fixed soon, but I still think this bug should be fixed for 2.12.
Whiteboard: 2.12
Blocks: 38852
The attached patch adds value_quote() to the part of the code that puts the URL in the text box. It also performs a $URL =~ s/"/\%22/g; to the URL that gets linked for the label.
Keywords: patch, review
In talking on IRC it became apparent that value_quote() would also work for the $URL. This updated patch includes that.
OS: Mac System 8.5 → All
-> jake
Assignee: tara → jake
Severity: normal → critical
Status: NEW → ASSIGNED
checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Sorry for the spam, but I needed to be able to query for all of these correctly.
Target Milestone: --- → Bugzilla 2.12
Status: RESOLVED → VERIFIED
VERIFIED. Gerv
Moving closed bugs to Bugzilla product
Component: Bugzilla → Bugzilla-General
Product: Webtools → Bugzilla
Version: other → unspecified
QA Contact: matty_is_a_geek → default-qa
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: