Closed
Bug 828925
Opened 12 years ago
Closed 12 years ago
Inserting a quote into the wifi hotspot ssid or password breaks the hotspot settings page
Categories
(Firefox OS Graveyard :: Gaia::Settings, defect)
Tracking
(blocking-b2g:leo+, blocking-basecamp:-, firefox18 wontfix, firefox19 wontfix, b2g18+ fixed)
RESOLVED
FIXED
People
(Reporter: mrbkap, Assigned: gasolin)
Attachments
(2 files)
+++ This bug was initially created as a clone of Bug #828909 +++
STR:
1. Set the ssid to: asdf"fdsa
Expected:
The ssid and password show up.
Actual:
I see
E/GeckoConsole( 7954): [JavaScript Error: "SyntaxError: An invalid or illegal string was specified" {file: "app://settings.gaiamobile.org/js/settings.js" line: 40}]
and the ssid and password are empty.
Updated•12 years ago
Assignee: nobody → mbudzynski
Updated•12 years ago
blocking-basecamp: ? → -
tracking-b2g18:
--- → +
Comment 1•12 years ago
Attachment #700981 -
Flags: review?(kaze)
Comment 2•12 years ago
Comment on attachment 700981 [details]
patch
NOTE: If blocking-basecamp+ is set, just land it for now.
[Approval Request Comment]
Bug caused by (feature/regressing bug #): ?
User impact if declined: text inputs containing a quote sign will be lost
Testing completed: manual
Risk to taking this patch (and alternatives if risky): very low
Attachment #700981 -
Flags: review?(kaze)
Attachment #700981 -
Flags: review+
Attachment #700981 -
Flags: approval-gaia-master?(21)
Comment 3•12 years ago
:michalbe, I took a look at this patch and left a comment on GitHub; could you please take a look at it? Thanks!
Comment 4•12 years ago
Comment on attachment 700981 [details]
patch
I'm removing the a? flag until Evelyn says this is fine for her.
Attachment #700981 -
Flags: approval-gaia-master?(21)
Updated•12 years ago
Flags: needinfo?(ehung)
Comment 5•12 years ago
I made the dangerous CSS query selector before (my bad. :( ), and I think the patch didn't actually fix the problem. We can always input some weird characters to break the query selector. I'm trying to find a better way to check whether the setting comes from a select option.
I will propose a patch later.
Flags: needinfo?(ehung)
Comment 6•12 years ago
Comment on attachment 700981 [details]
patch
r=me, sorry, I don't think we should just fix the double quote case here. For me, it's much like a workaround.
Attachment #700981 -
Flags: review+ → review-
Comment 9•12 years ago
I think it is a potential vulnerability, because the user can input any string to make a dangerous CSS query, so I'd like to nominate it.
And I ask for Fred's help on this issue.
Assignee: ehung → gasolin
blocking-b2g: --- → leo?
Comment 10•12 years ago (Assignee)
Attachment #718874 -
Flags: review?(ehung)
Updated•12 years ago
blocking-b2g: leo? → leo+
Comment 11•12 years ago
Comment on attachment 718874 [details]
query the select element then iterate options to set the matched value
r=me, Thanks for fixing this issue. :-)
Attachment #718874 -
Flags: review?(ehung) → review+
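The two approaches discussed in this bug, side by side, as an added JavaScript example that is not the Gaia patch or any code from this bug. The selector shape, the `example.setting` key, the option values and the plain-object stand-in for a `<select>` element are assumptions constructed for illustration.

```javascript
// Risky pattern: a stored setting value is pasted into a CSS selector.
// The selector shape is an assumption for illustration, not Gaia's code.
function unsafeOptionSelector(key, value) {
  return 'select[name="' + key + '"] option[value="' + value + '"]';
}

// Number of double quotes in the selector. For the SSID in this bug the
// count is odd: the value's own quote closes the attribute string early
// and leaves stray text behind it, which is not a valid selector.
function quoteCount(selector) {
  return selector.split('"').length - 1;
}

// Hardened pattern: locate the <select> by a developer-controlled key,
// then compare each option's value as plain data. The user-supplied
// string is never parsed as selector syntax.
function selectOptionByValue(select, value) {
  const wanted = String(value);
  for (let i = 0; i < select.options.length; i++) {
    if (select.options[i].value === wanted) {
      select.selectedIndex = i;
      return true;
    }
  }
  return false; // not one of the options: leave the selection untouched
}

// Constructed stand-in for an HTMLSelectElement so the example runs
// outside a browser; a real element has the same two members.
function makeSelect(values) {
  return { options: values.map((v) => ({ value: v })), selectedIndex: -1 };
}

function demo() {
  const ssid = 'asdf"fdsa'; // the SSID from the steps to reproduce
  const select = makeSelect(['open', 'wpa-psk', 'wpa2-psk']); // constructed
  const selector = unsafeOptionSelector('example.setting', ssid);
  const matched = selectOptionByValue(select, 'wpa2-psk');
  const indexAfterMatch = select.selectedIndex;
  // A free-text value is simply "not an option"; nothing throws.
  const ssidMatched = selectOptionByValue(select, ssid);
  return { selector, quotes: quoteCount(selector), matched,
           indexAfterMatch, ssidMatched, indexAfterSsid: select.selectedIndex };
}
```

When a selector genuinely has to contain dynamic text, browsers provide `CSS.escape()` for that purpose; comparing values as data avoids the parsing step altogether.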
Comment 12•12 years ago (Assignee)
merged to gaia-master
https://github.com/mozilla-b2g/gaia/commit/d8036b7244d5d3d34d65099722b3aefbfb6f50a8
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 13•12 years ago
Uplifted commit d8036b7244d5d3d34d65099722b3aefbfb6f50a8 as:
v1-train: 23bb64d13d89571735b836dae1b0f57ef71d0b50
status-b2g18:
--- → fixed
Updated•11 years ago
Flags: in-moztrap?
Comment 14•11 years ago
Created a test case for having special characters in the SSID/ Password.
https://moztrap.mozilla.org/manage/cases/?filter-id=8752
Flags: in-moztrap? → in-moztrap+