
Re: [tor-bugs] #23574 [Internal Services/Tor Sysadmin Team]: Don't allow text injection in our 404 page



#23574: Don't allow text injection in our 404 page
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tpa
     Type:  defect                               |         Status:  closed
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:  invalid
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by hiro):

 I think the important point is that no code can be executed.

 You can test by passing JavaScript to the URL and it doesn't do anything.
 Although, if we really care we can have the message in the 404 page just
 to say "The URL you typed was not found" or something along those lines,
 without having to repeat the URL.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23574#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
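
The two options weighed in the comment above, as an added example that is not part of the original message and not the Tor Project's server code: a 404 body that repeats the requested path with HTML escaping, next to one that uses a fixed message. The function names, page markup and sample paths are constructed for illustration.

```python
import html
from urllib.parse import unquote

# Fixed wording along the lines suggested in the comment.
STATIC_MESSAGE = "The URL you typed was not found."

def not_found_echo(raw_path: str) -> str:
    """404 body that repeats the requested path, HTML-escaped.

    Escaping keeps markup in the path from being interpreted by the
    browser, but the decoded text itself is still shown on the page.
    """
    shown = html.escape(unquote(raw_path), quote=True)
    return f"<h1>Not Found</h1><p>The requested URL {shown} was not found.</p>"

def not_found_static(raw_path: str) -> str:
    """404 body with a fixed message; the request path is never reflected."""
    return f"<h1>Not Found</h1><p>{STATIC_MESSAGE}</p>"

def compare(raw_path: str, visible_text: str) -> dict:
    """Report what each variant does with one request path."""
    echo = not_found_echo(raw_path)
    static = not_found_static(raw_path)
    return {
        "echo_has_raw_tag": "<script>" in echo,
        "echo_shows_text": visible_text in echo,
        "static_shows_text": visible_text in static,
    }

# Constructed sample paths: one carrying markup, one carrying plain text.
MARKUP_PATH = "/%3Cscript%3Ealert(1)%3C/script%3E"
TEXT_PATH = "/This%20text%20was%20chosen%20by%20the%20link%20author"

if __name__ == "__main__":
    print(compare(MARKUP_PATH, "alert(1)"))
    print(compare(TEXT_PATH, "This text was chosen by the link author"))
```
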