A user's displayname is not URLENCODED when javascript is generated

Bug #270679 reported by John O'Brien
Affects: Launchpad itself
Status: Fix Released
Importance: Critical
Assigned to: Guilherme Salgado

Bug Description

In the new mapping feature, the user's displayname is used to generate the JavaScript to link to render the map. This throws a javascript error when a user's name has a value that needs to be escaped (i.e. O'Brien).

https://edge.launchpad.net/~<user>/+editlocation

The error is in canonical/widgets/location.py (line 124) when the renderLargeMap Javascript code is generated.
    <script type="text/javascript">
        renderLargeMap(
            %(center_lat)s, %(center_lng)s, '%(displayname)s',
            '%(name)s', '%(logo_html)s', '%(lat_name)s',
            '%(lng_name)s', '%(tz_name)s', %(zoom)s, %(show_marker)s);
    </script>

This could theoretically be open to an XSS security issue.

Guilherme Salgado (salgado) wrote :

In practice this is not a big deal because the +editlocation page is restricted with launchpad.Edit (which means only the user himself or a LP admin can see it).

Also, it doesn't seem to be exploitable -- having any sort of JS code in a person's display name seems to break the rendering of the widget. Were you able to actually exploit, John?

Changed in launchpad:
assignee: nobody → salgado
status: New → Triaged
John O'Brien (jdobrien) wrote : Re: [Bug 270679] Re: A users displayname is not URLENCODED when javascript is generated

Thanks for the quick response.
My real annoyance was that I got an error when I tried to edit my
location; however, I do think there is a potential that someone with
the time could find a way to do something mischievous.

I didn't try anything malicious, but I was able to get an alert to
come up. Note that most of the output is properly escaped, but the
user input was placed as is in the javascript block. (Note I said it
should be UrlEncoded when it should be JSEncoded and escaped.)

Full page: https://pastebin.canonical.com/9190/

Excerpt (sorry for the formatting):
            <script type="text/javascript">
                renderLargeMap(
                    28.4288546498, -80.7137954235,
'');alert('Yes');</script>x='',
                    'jdobrien', '<img alt="" width="64" height="64"
src="/@@/person-logo" />', 'field.location.latitude',
                    'field.location.longitude',
'field.location.time_zone', 9, 1);
            </script>

Guilherme Salgado wrote:
> In practice this is not a big deal because the +editlocation page is
> restricted with launchpad.Edit (which means only the user himself or a
> LP admin can see it).
>
> Also, it doesn't seem to be exploitable -- having any sort of JS code in
> a person's display name seems to break the rendering of the widget.
> Were you able to actually exploit, John?
>

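The defect described in the bug report and demonstrated in John's excerpt is a string-context mismatch: a Python value is interpolated into a single-quoted JavaScript literal inside an inline script with no encoding for that context. The following added example (not Launchpad's code; the template and renderLargeMap argument list are a constructed stand-in for canonical/widgets/location.py) shows the vulnerable interpolation beside a fixed version that JS-encodes each string with json.dumps and also neutralises "</" so the HTML parser cannot see a premature "</script>", plus a check that detects the breakout in rendered output:

```python
import json
import re

# Constructed template mirroring the shape of the snippet in the bug report,
# not the real canonical/widgets/location.py template.
TEMPLATE = """<script type="text/javascript">
    renderLargeMap(%(center_lat)s, %(center_lng)s, %(displayname)s, %(name)s);
</script>"""


def js_string_literal(value):
    """Encode a Python string as a JavaScript string literal that is safe to
    embed in an inline <script> block.

    json.dumps escapes quotes, backslashes and control characters, and with
    ensure_ascii=True also escapes U+2028/U+2029 (line terminators in
    JavaScript but not in JSON).  It does not stop the HTML parser from
    treating '</script>' inside the literal as the end of the block, so '</'
    is additionally rewritten to '<\\/', which JavaScript reads as '</'."""
    return json.dumps(str(value), ensure_ascii=True).replace("</", "<\\/")


def render_vulnerable(displayname, name, lat=28.4288546498, lng=-80.7137954235):
    """The pattern from the report: the display name is dropped into a
    single-quoted JS string with no escaping at all."""
    return TEMPLATE % {
        "center_lat": lat, "center_lng": lng,
        "displayname": "'%s'" % displayname, "name": "'%s'" % name,
    }


def render_fixed(displayname, name, lat=28.4288546498, lng=-80.7137954235):
    """Same template; every string argument goes through js_string_literal
    and the numeric arguments are coerced to float so they cannot carry text."""
    return TEMPLATE % {
        "center_lat": float(lat), "center_lng": float(lng),
        "displayname": js_string_literal(displayname),
        "name": js_string_literal(name),
    }


def script_block_intact(html):
    """True when the rendered page still has exactly one '</script' sequence,
    i.e. no interpolated value terminated the inline script early."""
    return len(re.findall(r"</script", html, re.IGNORECASE)) == 1
```

Feeding the display name from John's excerpt through render_vulnerable produces two closing script tags, which script_block_intact flags; the same value through render_fixed stays inside one JS string literal, and a plain name such as O'Brien no longer breaks the literal.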
Changed in launchpad:
importance: Undecided → Critical
milestone: none → 2.1.9
status: Triaged → In Progress
Guilherme Salgado (salgado) wrote :

landed on mainline r7026

Changed in launchpad:
status: In Progress → Fix Committed
Changed in launchpad:
status: Fix Committed → Fix Released
William Grant (wgrant)
visibility: private → public
This report contains Public Security information
Everyone can see this security related information.