URL auto-linking linkifies data: URLs

Bug #1021129 reported by William Grant
This bug affects 1 person
Affects: Launchpad itself
Importance: Critical
Assigned to: Curtis Hovey

Bug Description

Bug #276726 asked that data: URLs be linkified, and it was made so. But the bug was misguided; data: links, at least in Firefox, execute within the origin of the page that contains them. So you can XSS nicely by providing a data:text/html;base64,blahblahblah URL.

Curtis Hovey (sinzui)
Changed in launchpad:
assignee: nobody → Curtis Hovey (sinzui)
status: Triaged → In Progress
Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Curtis Hovey (sinzui) wrote :

Removing the data protocol from the string formatter didn't work. This needs more looking into.

Changed in launchpad:
status: Fix Committed → In Progress
tags: added: qa-ok
removed: qa-needstesting
William Grant (wgrant) wrote :

It's in there twice. Once in the regex to do the actual linkification, and once in a list to avoid linkifying schema-only URLs.
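
The failure mode described in this comment, a scheme listed in two places and removed from only one, can be avoided by building the matching regex from a single allowlist. This is an added example, not Launchpad's formatter code; `LINKABLE_SCHEMES`, `linkify` and the chosen scheme set are assumptions made for illustration.

```python
import html
import re

# Assumption: the schemes this hypothetical formatter may auto-link.
# data: is deliberately absent, so it is never turned into an anchor.
LINKABLE_SCHEMES = ("http", "https", "ftp", "mailto")

# Single source of truth: the regex is generated from the allowlist, so a
# scheme cannot survive in the pattern after being dropped from the list.
_URL_RE = re.compile(
    r"\b(?:%s):[^\s<>\"']+" % "|".join(map(re.escape, LINKABLE_SCHEMES)),
    re.IGNORECASE,
)


def linkify(text):
    """Return HTML for text; only allowlisted-scheme URLs become links."""
    out, pos = [], 0
    for m in _URL_RE.finditer(text):
        # Trailing sentence punctuation is not part of the URL.
        url = m.group(0).rstrip(".,;:!?)")
        rest = url.partition(":")[2]
        if not rest.strip("/"):
            continue  # scheme-only text such as "http://" stays plain
        out.append(html.escape(text[pos:m.start()]))
        safe = html.escape(url, quote=True)  # escaped for href and body
        out.append('<a rel="nofollow" href="%s">%s</a>' % (safe, safe))
        pos = m.start() + len(url)
    out.append(html.escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs; the data: string is the placeholder from the report.
    for sample in (
        "see data:text/html;base64,blahblahblah now",
        "go to https://example.com/a?b=1&c=2.",
        "http:// alone",
    ):
        print(linkify(sample))
```
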

Launchpad QA Bot (lpqabot) wrote :
tags: added: qa-needstesting
removed: qa-ok
Changed in launchpad:
status: In Progress → Fix Committed
William Grant (wgrant)
tags: added: qa-ok
removed: qa-needstesting
William Grant (wgrant)
Changed in launchpad:
status: Fix Committed → Fix Released
visibility: private → public
Curtis Hovey (sinzui)
tags: added: disclosure
This report contains Public Security information
Everyone can see this security related information.