XSS in error message display function (problem-not-found)
Bug #2046565 reported by Tom Reynolds
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Errors | Fix Released | Undecided | Unassigned |
Bug Description
https:/
This deployment of the error tracker also lacks security headers such as CSP, and imports Yahoo APIs via plain HTTP.
(Also, TLSv1.0 and v1.1 and many of the currently supported TLSv1.2 cipher suites ought to be disabled on any production sites nowadays.)
Related branches
lp:~hyask/errors/xss_2046565
- Brian Murray (community): Approve
Diff: 32 lines (+3/-3), 2 files modified: errors/templates/main.html (+1/-1), errors/views.py (+2/-2)
description: updated
description: updated
information type: Private Security → Private
information type: Private → Private Security
information type: Private Security → Public Security
Regarding the XSS, I had a brief look and I wonder if the following (completely untested) might work to fix this - @bdmurray, is there a staging environment for errors.ubuntu.com where we could try and test this?
=== modified file 'errors/ templates/ main.html' templates/ main.html 2023-11-20 23:51:36 +0000 templates/ main.html 2024-04-11 21:20:56 +0000
msg = 'That bug does not have a matching crash signature in ' +
'this database yet.'; not-found' ] != undefined) { not-found' ] + not-found' ].replace( /[^a-fA- F0-9]/gim, '') +
'\' could not be found.';
--- old/errors/
+++ new/errors/
@@ -56,7 +56,7 @@
} else if (qs['problem-
- msg = 'The problem \'' + qs['problem-
+ msg = 'The problem \'' + qs['problem-
}
if (msg != '') {
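Review bot: the `+` line of this hunk strips every character outside `[a-fA-F0-9]` from `qs['problem-not-found']` before it is concatenated into `msg`, which is the right shape of fix for a value that is supposed to be a hex bucket id; two small points on it. With the `i` flag the `A-F` range is redundant and `m` has no effect inside a character class, so `/[^0-9a-f]/gi` says the same thing more clearly, and stripping silently means a tampered id is quietly reshaped into a different-looking one, so rejecting any value that is not entirely hex (and falling back to a fixed message) would be the stricter choice. The hunk does not show where `msg` is rendered; if it goes through `innerHTML`, switching that sink to `textContent` would make the message safe regardless of which branch built it, rather than relying on each branch to sanitise.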
=== modified file 'errors/views.py' irect(' /')
--- old/errors/views.py 2022-03-15 16:24:57 +0000
+++ new/errors/views.py 2024-04-11 21:16:05 +0000
@@ -32,7 +32,7 @@
return HttpResponseRed
if not cassie. bucket_ exists( bucketid) : irect(' /?problem- not-found= ' + bucketid) irect(' /?problem- not-found= ' + quote(bucketid))
- return HttpResponseRed
+ return HttpResponseRed
traceback = cassie. get_traceback_ for_bucket( bucketid) get_metadata_ for_bucket( bucketid) irect(' /?problem- not-found= ' + hashed) irect(' /?problem- not-found= ' + quote(hashed))
metadata = cassie.
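Review bot: `quote(bucketid)` on the `+` line needs `quote` in scope, and with only +2/-2 in views.py no import line is added by this patch, so confirm `from urllib.parse import quote` already exists in the file before landing. Also worth recording for the reviewers: `quote()` makes the redirect `Location` well-formed, but the browser percent-decodes the query string again when the page reads `problem-not-found`, so the value arrives in the template exactly as it was sent; the template-side allow-list is what actually removes the XSS, and the same applies to the `quote(hashed)` change in the following hunk.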
@@ -151,5 +151,5 @@
else:
bucketid = None
if not bucketid:
- return HttpResponseRed
+ return HttpResponseRed
return bucket(request, bucketid, hashed)
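As an added example, not code from the bug report or from the errors project, the following JavaScript models both halves of the fix proposed in the comment above: the server-side `quote()` on the redirect target and the client-side hex allow-list in the template. All function names are assumptions, the input id is constructed, and `encodeURIComponent` stands in for Python's `urllib.parse.quote`. It also carries the allow-list one step further than the patch, with a reject-rather-than-strip variant.

```javascript
// Added example (not the errors project's own code). Function names are
// assumptions; the sample bucket id below is constructed and harmless.

// Approximates urllib.parse.quote() on the bucket id when building the
// redirect Location, as the views.py hunks do. (quote() leaves '/' as is;
// encodeURIComponent also encodes it, which is stricter and fine here.)
function serverRedirectLocation(bucketid) {
  return '/?problem-not-found=' + encodeURIComponent(bucketid);
}

// What the page reads back from the query string after following that
// redirect: the percent-encoding is undone, so any markup in the original
// value returns verbatim. This is why quote() alone does not fix the XSS.
function browserQueryValue(location) {
  const qs = location.split('?')[1] || '';
  return new URLSearchParams(qs).get('problem-not-found');
}

// The allow-list from the main.html hunk: bucket ids are hex hashes, so every
// other character is dropped. Equivalent to the patch's /[^a-fA-F0-9]/gim.
function sanitizeBucketId(value) {
  return String(value).replace(/[^0-9a-f]/gi, '');
}

// Stricter variant (assumption, not in the patch): reject rather than strip,
// so a tampered id cannot be silently reshaped into a different-looking one.
function isHexBucketId(value) {
  return /^[0-9a-f]+$/i.test(String(value));
}

// Builds the "could not be found" message as the template does, before
// (sanitize: false) and after (sanitize: true) the patch.
function notFoundMessage(value, { sanitize }) {
  if (value === undefined || value === null) return '';
  const id = sanitize ? sanitizeBucketId(value) : String(value);
  return "The problem '" + id + "' could not be found.";
}

// True if the string still carries characters an HTML sink such as
// innerHTML would interpret as markup.
function containsMarkup(s) {
  return /[<>&]/.test(s);
}

// End-to-end walk-through: redirect, browser-side decode, message before and
// after the allow-list. Returns the pieces so they can be inspected.
function walkThrough(bucketid) {
  const location = serverRedirectLocation(bucketid);
  const seenByPage = browserQueryValue(location);
  const before = notFoundMessage(seenByPage, { sanitize: false });
  const after = notFoundMessage(seenByPage, { sanitize: true });
  return {
    location,
    seenByPage,
    before,
    after,
    markupSurvivesBefore: containsMarkup(before),
    markupSurvivesAfter: containsMarkup(after),
    idIsValid: isHexBucketId(seenByPage),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed id with an <i> tag embedded in an otherwise hex value.
  console.log(walkThrough('0123abcd<i>zz</i>'));
}
```

Running it puts on record the point a reviewer would want: the value the page reads back is identical to what was sent, so the template-side allow-list (or the stricter rejection) is the control that actually removes the XSS, and rendering `msg` through `textContent` rather than `innerHTML` would make the sink safe whichever branch built the message.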