Security/Reviews/Gaia/Contacts: Difference between revisions

Line 66: Line 66:
       "returnValue": true
       "returnValue": true
     },
     },
TODO The activity handler copies all parameters from activity.source.params to the request params. Is it possible to cause anything bad there? It seems to pass an 'id' and 'extras' parameter.


The actual contact editor is shown at https://github.com/mozilla-b2g/gaia/blob/v1-train/apps/communications/contacts/js/contacts.js#L68
The actual contact editor is shown at https://github.com/mozilla-b2g/gaia/blob/v1-train/apps/communications/contacts/js/contacts.js#L68


If an id was passed as a request param then addExtrasToContact is called to process the extras param which is a JSON encoded object. The fields of the extras object are added to the existing contact.
ISSUE: The activity handler copies all parameters from activity.source.params to the request params. Is it possible to cause anything bad there? It seems to pass an 'id' and 'extras' parameter. If an id was passed as a request param then addExtrasToContact is called to process the extras param which is a JSON encoded object. The fields of the extras object are added to the existing contact.
 
TODO: It seems that it is possible to add any kind of field to a contact? What kind of side effects can this have?


TODO: How to obtain contact ids? Are they easily guessable?
* {{bug|847650}} Contacts' "new" activity is also "edit" in disguise
* {{bug|847649}} Contacts' "new" activity does not validate parameters


===== pick =====
===== pick =====
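Review bot: The ISSUE paragraph still carries the TODO's open question ("Is it possible to cause anything bad there?"), so it reads as something left to investigate rather than a finding. State the result directly: every entry of activity.source.params is copied into the request params, so a caller-supplied 'id' plus 'extras' reaches addExtrasToContact and modifies an existing contact. Tie each sentence to the bug that tracks it ({{bug|847650}} for the edit path, {{bug|847649}} for the missing parameter validation). The TODO questions about adding arbitrary fields and about whether contact ids are guessable determine how severe that path is; keep them visible unless the linked bugs already answer them, and say so if they do.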