
Issue 614133

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Aug 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug

Blocked on:
issue 600469




Rietveld generates emails containing arbitrary user-controlled links

Project Member Reported by aga...@chromium.org, May 23 2016

Issue description

What steps will reproduce the problem?
(1) Buy a domain
(2) Set your DNS to point at Rietveld
(3) Using your custom domain, view/edit an issue

What is the expected output?
(4) The generated email will link users to the issue

What do you see instead?
(4) The generated email will link users to *the URL you were using to view the issue*, which means that I, as the attacker, could then change my DNS entry to point wherever I want and hijack users who are clicking the link in the email.


Proposed resolution:
Only ever generate issue URLs in a certain whitelist (the actual appspot domain, internal domains, and codereview.chromium.org).
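
An added sketch of the proposed resolution (not part of the original report and not Rietveld's own code): the link host for a notification email is taken from the request's Host header only when it is on an allowlist, otherwise a canonical host is used. `codereview.chromium.org` comes from the report; the other two hostnames, the canonical-host fallback, the `/<issue id>` path layout and the function names are assumptions.

```python
from urllib.parse import urlsplit

# Hosts allowed to appear in generated issue links. codereview.chromium.org is
# named in the report; the other two are constructed placeholders standing in
# for "the actual appspot domain" and "internal domains".
ALLOWED_HOSTS = frozenset({
    "codereview.chromium.org",
    "rietveld-example.appspot.com",
    "codereview.internal.example",
})
CANONICAL_HOST = "codereview.chromium.org"  # assumed fallback for unknown hosts


def normalize_host(host_header):
    """Return the lowercase hostname from a Host header, or None if malformed."""
    # Reject characters that have no place in host[:port] (userinfo, path, CRLF).
    if not host_header or any(c in host_header for c in "/\\@?# \t\r\n"):
        return None
    try:
        parts = urlsplit("//" + host_header)
        parts.port  # raises ValueError on a non-numeric or out-of-range port
    except ValueError:
        return None
    # Drop a trailing root dot so "host." and "host" compare equal.
    host = (parts.hostname or "").rstrip(".")
    return host or None


def issue_url(host_header, issue_id):
    """Build the link placed in a notification email.

    The request's Host header is used only when it is on the allowlist.
    Anything else falls back to CANONICAL_HOST, so a custom domain pointed
    at the service never ends up in an email. The port is not carried over.
    """
    host = normalize_host(host_header)
    if host not in ALLOWED_HOSTS:
        host = CANONICAL_HOST
    # "/<issue id>" is an assumed path layout; int() keeps the path numeric.
    return "https://%s/%d" % (host, int(issue_id))
```

The comparison is an exact match on the normalized hostname, so a lookalike such as an allowed name used as a subdomain label of another domain falls back to the canonical host.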
 
Blockedon: 600469
Status: Available (was: Untriaged)
Status: WontFix (was: Available)
Closing in bulk due to Rietveld’s deprecation in favor of Gerrit. If you feel this bug should not have been closed, please feel free to re-open.
