InlineMultiCheckboxWidget renders unescaped JSON

Bug #741624 reported by William Grant
Affects: Launchpad itself
Status: Fix Released
Importance: Critical
Assigned to: Deryck Hodge
Milestone: 11.05

Bug Description

InlineMultiCheckboxWidget renders a whole lot of structures to JSON, then sticks them into a template tag with "structure", so they are left unescaped.
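The description above says the widget serializes its data to JSON and then inserts it with TAL's "structure" keyword, which skips escaping. The Python below is an added example written for this page, not Launchpad's own code; the function names, the initWidget() call and the sample config are assumptions. It shows the unsafe embedding next to a JSON encoder that escapes the characters able to terminate a script block, and a check that counts "</script" terminators in the rendered markup so the two can be compared:

```python
import json
import re

# Characters that must not appear literally when JSON is embedded in a
# <script> block. Each is replaced by a JSON \u escape, which is still valid
# JSON and valid JavaScript, so the browser decodes the same value.
SCRIPT_UNSAFE = {
    "<": "\\u003c",
    ">": "\\u003e",
    "&": "\\u0026",
    "\u2028": "\\u2028",  # JS line separator (only literal if ensure_ascii=False)
    "\u2029": "\\u2029",  # JS paragraph separator
}


def json_for_script(value):
    """Serialize value to JSON that is safe to drop into a <script> block."""
    text = json.dumps(value)
    for raw, escaped in SCRIPT_UNSAFE.items():
        text = text.replace(raw, escaped)
    return text


def render_widget_init_unescaped(config):
    """The risky pattern from the report: json.dumps output inserted verbatim
    (the effect of TAL's 'structure'), so any '</script>' inside the data
    reaches the browser literally and ends the script block early."""
    return "<script>initWidget(%s);</script>" % json.dumps(config)


def render_widget_init_escaped(config):
    """Same markup, but the JSON is encoded with json_for_script."""
    return "<script>initWidget(%s);</script>" % json_for_script(config)


SCRIPT_CLOSE = re.compile(r"</script", re.IGNORECASE)


def script_terminator_count(markup):
    """Number of '</script' sequences in the markup. A correctly rendered
    widget block contains exactly one: its own closing tag."""
    return len(SCRIPT_CLOSE.findall(markup))


def roundtrips(value):
    """True if the escaped JSON still decodes to the original value."""
    return json.loads(json_for_script(value)) == value


# Constructed sample config (hypothetical): a distro series whose name carries
# a script terminator, modelled on the kind of test name used in the comments.
SAMPLE_CONFIG = {
    "distroseries": [
        {"name": "Foo </script><script>alert('constructed')</script>", "value": 1},
        {"name": "Example Series", "value": 2},
    ]
}

if __name__ == "__main__":
    for label, render in (("unescaped", render_widget_init_unescaped),
                          ("escaped", render_widget_init_escaped)):
        markup = render(SAMPLE_CONFIG)
        print("%s: %d </script terminator(s)" % (label, script_terminator_count(markup)))
        print("  " + markup)
```

Running the script shows the unescaped rendering with three "</script" sequences (two from the data, one real closing tag) and the escaped rendering with exactly one. Dropping "structure" is the right call where the JSON lands in text or attribute context, because TAL's default HTML escaping applies there; inside a script block, HTML entity escaping would break the JavaScript, which is why the JSON-level escaping above is the usual choice for that context.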

Tags: qa-ok

Deryck Hodge (deryck)
Changed in launchpad:
status: Triaged → In Progress
assignee: nobody → Deryck Hodge (deryck)
Deryck Hodge (deryck) wrote:

I can't reproduce this. I've been playing on a +recipe page on the dev server, after I created a recipe for one of the sample data branches. I've created a new distro series with the name "Foo <script>alert('gotcahs!');</script>" and the widget escapes that name on the page. I also hacked the doc test for the widget and see escaped tags.

Am I looking at the wrong page, the wrong widget, or is there somewhere else that uses this widget? Or else, how can I reproduce this?

Curtis Hovey (sinzui) wrote:

~wallyworld fixed the related bug 741639; perhaps we should assign the bug to him and mark it Fix Released if we can verify his diff fixes the issue.

Deryck Hodge (deryck) wrote:

As we mentioned on IRC, I think the fix for displayname removes much danger from this, but I see now what William means about the use of structure in the bug report here. Seems a trivial fix to just remove the use of structure from the tal that builds the js initializing the widget.

Launchpad QA Bot (lpqabot) wrote:
Changed in launchpad:
milestone: none → 11.05
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Deryck Hodge (deryck)
tags: added: qa-ok
removed: qa-needstesting
Brad Crittenden (bac)
Changed in launchpad:
status: Fix Committed → Fix Released
William Grant (wgrant)
visibility: private → public
This report contains Public Security information. Everyone can see this security-related information.
