User autocomplete selector in Mail composer not escaping the name

Bug #1719472 reported by Robert Lyon on 2017-09-25
This bug affects 1 person
Affects    Importance    Assigned to
Mahara     High          Robert Lyon
16.04      High          Unassigned
16.10      High          Unassigned
17.04      High          Unassigned
17.10      High          Robert Lyon

Bug Description

This means that a user can set a bad name and compromise another user.

To reproduce:

*) Login as "user1"
*) Click on "Main menu" - "Content" - "Profile" - "About me"
*) Insert at "First name" or "Last name" or "Display name":

<script>alert(1)</script>

*) Save with "Save profile"

*) Click on "User menu" - "0 unread" - "Compose"
*) Send a message to another user, for example:

Recipients: user2
Subject: Hello
Message: Please reply

*) Send the message with "Send message"
*) Logout as "user1"

*) Login as "user2"
*) Open the received message in the dashboard ("Inbox")
*) Click on "Reply"
*) The alert dialog appears

To fix:
Normally when we show a user's name on screen we filter it via hsc().
But in this case the name is being fetched by the autocomplete pieform element via the translate_ids_to_names() function without being escaped.

So we need to escape it before returning the name.
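
Added example (not part of the original report and not Mahara's code): a minimal id-to-name lookup for an autocomplete field, run once without escaping and once with it, plus a check that flags any entry still carrying characters that are live in HTML. The function names, the sample users and the use of htmlspecialchars() as a stand-in for hsc() are assumptions made for illustration.

```php
<?php
// Added illustration, not Mahara code. All names below are hypothetical.

// Constructed sample records: user 1 stored markup in the display name.
$users = [
    1 => '<script>alert(1)</script>',
    2 => "Pat O'Neil & Co",
];

// Stand-in for an HTML-escaping helper (the report names hsc()).
function escape_html(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Translate user ids to the id/text pairs an autocomplete widget consumes.
// $escape = false reproduces the reported behaviour; true is the fixed form.
function ids_to_names(array $ids, array $users, bool $escape): array {
    $out = [];
    foreach ($ids as $id) {
        if (!isset($users[$id])) {
            continue; // unknown id: nothing to show
        }
        $name = $users[$id];
        $out[] = ['id' => (int) $id, 'text' => $escape ? escape_html($name) : $name];
    }
    return $out;
}

// Regression check: no entry may carry characters that are live in HTML.
function has_live_markup(array $entries): bool {
    foreach ($entries as $entry) {
        if (preg_match('/[<>"\']/', $entry['text'])) {
            return true;
        }
    }
    return false;
}

foreach ([false, true] as $escape) {
    $entries = ids_to_names([1, 2, 99], $users, $escape);
    printf("escape=%s live_markup=%s\n", var_export($escape, true), var_export(has_live_markup($entries), true));
    foreach ($entries as $entry) {
        echo '  ', $entry['text'], PHP_EOL;
    }
}
```

Escape once, at the point where the name enters an HTML context; a widget that escapes the value again would display the entities literally.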

Robert Lyon (robertl-9) wrote :
information type: Private Security → Public Security
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/8208
Committed: https://git.mahara.org/mahara/mahara/commit/13fa6facb342b7a58df517f7d59ba396c1863b94
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.04_STABLE

commit 13fa6facb342b7a58df517f7d59ba396c1863b94
Author: Robert Lyon <email address hidden>
Date: Tue Sep 26 11:27:34 2017 +1300

Bug 1719472: Escape user's display_name() when supplying to autocomplete

behatnotneeded

Change-Id: I4b342a0d3f00015e8f2e0ff7d93d2b5198fbc32d
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 86711cb835dcd87208170df32e3405cd0467e1cf)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8207
Committed: https://git.mahara.org/mahara/mahara/commit/fa531905b49096f071351e4381e42660f48944d5
Submitter: Robert Lyon (<email address hidden>)
Branch: 16.10_STABLE

commit fa531905b49096f071351e4381e42660f48944d5
Author: Robert Lyon <email address hidden>
Date: Tue Sep 26 11:27:34 2017 +1300

Bug 1719472: Escape user's display_name() when supplying to autocomplete

behatnotneeded

Change-Id: I4b342a0d3f00015e8f2e0ff7d93d2b5198fbc32d
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 86711cb835dcd87208170df32e3405cd0467e1cf)

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/8206
Committed: https://git.mahara.org/mahara/mahara/commit/a99dbced72c6fd76d0589bcac6e4af8db330c4bd
Submitter: Robert Lyon (<email address hidden>)
Branch: 17.04_STABLE

commit a99dbced72c6fd76d0589bcac6e4af8db330c4bd
Author: Robert Lyon <email address hidden>
Date: Tue Sep 26 11:27:34 2017 +1300

Bug 1719472: Escape user's display_name() when supplying to autocomplete

behatnotneeded

Change-Id: I4b342a0d3f00015e8f2e0ff7d93d2b5198fbc32d
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 86711cb835dcd87208170df32e3405cd0467e1cf)
