Context Navigation

Modify ↓

#7912 closed defect (fixed)

Milestone etc. values for ticket query filters are not escaped

Reported by:	joeray123@…	Owned by:	Jonas Borgström
Priority:	highest	Milestone:	0.11.3
Component:	report system	Version:	0.11.2.1
Severity:	normal	Keywords:	security
Cc:	osimons	Branch:
Release Notes:
API Changes:
Internal Changes:

Description

Values that are placed into select boxes to filter queries are not escaped, meaning an XSS attack is possible.

How to reproduce

Create a milestone that has " characters in it, e.g:

'Hello "]}}; alert("test"); properties = {milestone: {options: ["'

Trac version: tested on 0.11.1 and 0.11.2.1

Attachments (0)

Change History (4)

comment:1 by osimons, 17 years ago

Keywords:	security added
Milestone:	→ 0.11.3
Priority:	normal → highest

Thanks for the report. It seems we populate the various values into a JS inline script, and for some reason we enclose the option value in a set of "" quotes which basically nullifies the escape-by-default behavior.

This diff fixes the issue, and as far as I can see custom query continues to work as expected. Could someone else please confirm the fix, and is this serious enough to warrant a security release? It only affects meta-data, that very seldom can be modified by regular users. However, no doubt risks could exist depending on the setup of individual Trac sites.

trac/ticket/templates/query.html

-              a
         <py:for each="(field_name, field), sep in separated(fields.iteritems())">
           $field_name: { type: "$field.type", label: "$field.label"
           <py:if test="'options' in field">, options: [
             <py:for each="option, sep in separated(field.options)">"$option"$sep
+            <py:for each="option, sep in separated(field.options)">$option$sep
             </py:for>]
           </py:if>}$sep
         </py:for>

comment:2 by osimons, 17 years ago

Cc:	osimons added

comment:3 by Jonas Borgström, 17 years ago

Resolution:	→ fixed
Status:	new → closed

Fixed in [7786] and [7788] by introducing a new javascript_quote function in text.py.

comment:4 by Christian Boos, 17 years ago

Owner:	set to Jonas Borgström

Modify Ticket

Change Properties

Summary:
Description:	Values that are placed into select boxes to filter queries are not escaped, meaning an XSS attack is possible. == How to reproduce == Create a milestone that has " characters in it, e.g: {{{ 'Hello "]}}; alert("test"); properties = {milestone: {options: ["' }}} Trac version: tested on 0.11.1 and 0.11.2.1 You may use WikiFormatting here.
Type:		Priority:
Milestone:		Component:
Version:		Severity:
Keywords:		Cc:	Set your email in Preferences
Branch:
Release Notes:
API Changes:
Internal Changes:

Action

leave as closed The owner will remain Jonas Borgström.

reopen The resolution will be deleted. Next status will be 'reopened'.

change ownership to The owner will be changed from Jonas Borgström to the specified user.

Add Comment

Your email or username:

E-mail address and name can be saved in the Preferences .

You may use WikiFormatting here.

Attachments ↑ Description ↑

Note: See TracTickets for help on using tickets.

Download in other formats: