This repository has been archived by the owner on Dec 11, 2019. It is now read-only.
validate that devServerPort is numeric #4753
Comments
diracdeltas
added a commit
that referenced
this issue
Oct 13, 2016
quick fix for #4753 Auditors: @bridiver Test Plan: 1. open any page 2. open console, enter window.open("chrome-extension://mnojpmjdmbbfmejpflffifhffcmidifd/about-flash.html?devServerPort=foo@test.com/") 3. verify that the opened tab shows about:flash without logging console errors about scripts blocked due to CSP
|
I couldn't get it to load test.com even when I tried to alter the CSP to allow it. Adding the username password made the entry invalid and it didn't work with just test.com, but calling |
|
fixed by d0a361a |
This was referenced Oct 14, 2016
This was referenced Oct 16, 2016
102 tasks
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
in https://github.com/brave/browser-laptop/blob/aafa62a373b9bec7b669ced88dd36304410206e8/app/extensions/brave/js/about.js, devServerPort is untrusted input, so it should be validated.
ex: any page can do window.open("chrome-extension://mnojpmjdmbbfmejpflffifhffcmidifd/about-flash.html?devServerPort=foo@test.com/")
doesn't directly cause an issue thanks to CSP, it seems
thanks to Tavis Ormandy for the report
The text was updated successfully, but these errors were encountered: