this is harmless: a user can xss themselves on deleting an ssh key
Bug #740160 reported by
David
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Fix Released
|
Critical
|
Deryck Hodge | ||
Bug Description
This is totally controlled / caused by the user... However, a bug is a bug so I am reporting this anyway.
A user needs to add an ssh key where the 'username' and the 'host' field are something like this:
'x<script>
and then delete the key.
When the key is deleted there is a dialogue telling the user that the key with $username @ $host has been deleted. In this message the username / host data is not escaped and so this is a potential (and harmless - it cannot alone be used to xss a random user and it is totally user triggered / involved) xss vector.
Related branches
lp://staging/~deryck/launchpad/xss-deleting-ssh-key-740160
- Brad Crittenden (community): Approve (code)
-
Diff: 59 lines (+26/-5)2 files modifiedlib/lp/registry/browser/person.py (+1/-1)
lib/lp/registry/browser/tests/test_sshkey.py (+25/-4)
| Changed in launchpad: | |
| status: | New → Triaged |
| importance: | Undecided → Low |
Revision history for this message
| Robert Collins (lifeless) wrote | #1 |
| Changed in launchpad: | |
| importance: | Low → Critical |
Revision history for this message
| Robert Collins (lifeless) wrote | #2 |
| security vulnerability: | no → yes |
| Changed in launchpad: | |
| status: | Triaged → In Progress |
| assignee: | nobody → Deryck Hodge (deryck) |
Revision history for this message
| Launchpad QA Bot (lpqabot) wrote | #3 |
| Changed in launchpad: | |
| milestone: | none → 11.05 |
| tags: | added: qa-needstesting |
| Changed in launchpad: | |
| status: | In Progress → Fix Committed |
| tags: |
added: qa-ok removed: qa-needstesting |
| Changed in launchpad: | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
No such thing as harmless xss :)