bug #6038

[Redmine] NoScript detects Cross-Site Scripting for Redmine

Added by Patrick Plitzner over 3 years ago. Updated about 3 years ago.

Status: Rejected
Priority: New
Category: devOps
Target version: -
Start date: 08/11/2016
Due date:
% Done: 0%
Severity: normal
Found in Version:
Tags:

Description

I experienced this warning directly after logging in and when using one of my bookmarks, which shows all my open issues: http://dev.e-taxonomy.eu/redmine/projects/edit/issues?utf8=%E2%9C%93&set_filter=1&f%5B%5D=status_id&op%5Bstatus_id%5D=%3D&v%5Bstatus_id%5D%5B%5D=2&v%5Bstatus_id%5D%5B%5D=1&v%5Bstatus_id%5D%5B%5D=4&f%5B%5D=assigned_to_id&op%5Bassigned_to_id%5D=%3D&v%5Bassigned_to_id%5D%5B%5D=me&f%5B%5D=&c%5B%5D=tracker&c%5B%5D=status&c%5B%5D=priority&c%5B%5D=subject&c%5B%5D=assigned_to&c%5B%5D=updated_on&group_by=&t%5B%5D=

(By the way, clicking on this link works for me, but copying and pasting it into the address bar does not.)

Directly searching for issues works, but the link is blocked and I am redirected to the main page.

Browser console output:

[NoScript InjectionChecker] JavaScript Injection in coalesced:///redmine/projects/edit/issuesutf8=✓&set_filter=1&f[]=status_id, assigned_to_id, &op[status_id]==&v[status_id][]=2, 1, 4&op[assigned_to_id]==&v[assigned_to_id][]=me&c[]=tracker, status, priority, subject, assigned_to, updated_on&group_by=&t[]=
(function anonymous() {
2, 1, 4&op[assigned_to_id]== /* COMMENT_TERMINATOR */
DUMMY_EXPR
})
[NoScript XSS] A suspicious request has been sanitized. Original URL [http://dev.e-taxonomy.eu/redmine/projects/edit/issues?utf8=%E2%9C%93&set_filter=1&f%5B%5D=status_id&op%5Bstatus_id%5D=%3D&v%5Bstatus_id%5D%5B%5D=2&v%5Bstatus_id%5D%5B%5D=1&v%5Bstatus_id%5D%5B%5D=4&f%5B%5D=assigned_to_id&op%5Bassigned_to_id%5D=%3D&v%5Bassigned_to_id%5D%5B%5D=me&f%5B%5D=&c%5B%5D=tracker&c%5B%5D=status&c%5B%5D=priority&c%5B%5D=subject&c%5B%5D=assigned_to&c%5B%5D=updated_on&group_by=&t%5B%5D=] requested from [chrome://browser/content/browser.xul]. Sanitized URL: [http://dev.e-taxonomy.eu/#7388068497079853872].
mutating the [[Prototype]] of an object will cause your code to run very slowly; instead create the object with the correct initial [[Prototype]] value using Object.create panel.js:5816:3
Synchronous XMLHttpRequests on the main thread should no longer be used because they have adverse effects on the end user's experience. For further help see http://xhr.spec.whatwg.org/ panel.js:3525:3
not well-formed messages.json:1:1
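The two steps visible in the log are easier to follow when replayed. The following JavaScript is an added example, not code from the report or from NoScript: it decodes the bookmarked URL, collapses the repeated Rails-style array keys (f[], v[status_id][], c[]) into one comma-joined value per key, which reproduces the "coalesced" log line character for character, and then asks the JavaScript parser whether any value together with the following key=value pair is syntactically valid, wrapping it with COMMENT_TERMINATOR and DUMMY_EXPR the way the logged function body does. Two things are assumptions modelled on the log rather than facts about NoScript: that repeated keys are joined with ", ", and that "compiles as JavaScript" is the test; the real InjectionChecker applies more heuristics than this. The only fragment the parser accepts is 2, 1, 4&op[assigned_to_id]==, read as 4 & (op[assigned_to_id] == DUMMY_EXPR): the comma-joined status ids meet Redmine's %3D-encoded "=" operator, and nothing in the URL is executed at any point.

```javascript
// Added example (not from the report or from NoScript): replay the
// "coalesced" view of the bookmarked URL and test which fragments the
// JavaScript parser accepts. Parsing only; nothing from the URL is executed.

// The bookmarked filter URL quoted in the report.
const REPORT_URL =
  "http://dev.e-taxonomy.eu/redmine/projects/edit/issues?utf8=%E2%9C%93" +
  "&set_filter=1&f%5B%5D=status_id&op%5Bstatus_id%5D=%3D" +
  "&v%5Bstatus_id%5D%5B%5D=2&v%5Bstatus_id%5D%5B%5D=1&v%5Bstatus_id%5D%5B%5D=4" +
  "&f%5B%5D=assigned_to_id&op%5Bassigned_to_id%5D=%3D&v%5Bassigned_to_id%5D%5B%5D=me" +
  "&f%5B%5D=&c%5B%5D=tracker&c%5B%5D=status&c%5B%5D=priority&c%5B%5D=subject" +
  "&c%5B%5D=assigned_to&c%5B%5D=updated_on&group_by=&t%5B%5D=";

// Decode the query string into ordered [key, value] pairs. Rails-style array
// keys such as f[] and v[status_id][] legitimately repeat, so order is kept.
function decodeQuery(url) {
  const query = url.slice(url.indexOf("?") + 1);
  return query.split("&").filter(Boolean).map((pair) => {
    const eq = pair.indexOf("=");
    const key = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? "" : pair.slice(eq + 1);
    return [decodeURIComponent(key), decodeURIComponent(value)];
  });
}

// Collapse repeated keys into one value per key, joined with ", ". This is an
// assumption modelled on the logged line ("v[status_id][]=2, 1, 4"); it is
// what turns three separate status ids into a comma expression.
function coalesce(pairs) {
  const merged = new Map();
  for (const [key, value] of pairs) {
    merged.set(key, merged.has(key) ? `${merged.get(key)}, ${value}` : value);
  }
  return [...merged.entries()];
}

// Render the coalesced pairs back into query syntax, as in the log line.
function coalescedQuery(url) {
  return coalesce(decodeQuery(url)).map(([k, v]) => `${k}=${v}`).join("&");
}

// Syntax check only: Function() compiles the source but never calls it.
function parsesAsJs(source) {
  try {
    new Function(source);
    return true;
  } catch (e) {
    return false;
  }
}

// For every value, take the text up to the end of the next key=value pair and
// wrap it the way the logged function body does. Fragments the parser accepts
// are what a heuristic injection checker would flag.
function jsLookingFragments(url) {
  const entries = coalesce(decodeQuery(url));
  const flagged = [];
  for (let i = 0; i + 1 < entries.length; i++) {
    const [, value] = entries[i];
    const [nextKey, nextValue] = entries[i + 1];
    const fragment = `${value}&${nextKey}=${nextValue}`;
    if (parsesAsJs(`${fragment} /* COMMENT_TERMINATOR */\nDUMMY_EXPR`)) {
      flagged.push(fragment);
    }
  }
  return flagged;
}

console.log(coalescedQuery(REPORT_URL));
console.log(jsLookingFragments(REPORT_URL)); // ["2, 1, 4&op[assigned_to_id]=="]
```

Every other candidate fails to compile: f[] and c[] are empty index expressions, a value of "=" cannot start an expression, and "updated_on&group_by=" is an assignment to a non-target. Only the status-id list followed by the "=" operator of the next filter happens to be valid syntax, which is why a same-looking filter URL built from a Redmine search passes the same checker when the browser treats it as a same-origin navigation.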

History

#1 Updated by Andreas Kohlbecker over 3 years ago

  • Status changed from New to Feedback
  • Assignee changed from Andreas Kohlbecker to Patrick Plitzner

I think that this is a false positive XSS detection by NoScript.

Patrick, could you please investigate this issue further if you think that this is really a security problem with Redmine or with our Redmine setup.
Otherwise I suggest closing this ticket as Rejected.

#2 Updated by Patrick Plitzner about 3 years ago

  • Status changed from Feedback to Rejected
  • Target version deleted (Unassigned CDM tickets)

After playing around a little, it seems like the copied link only works if opened from within a Redmine issue. If copied to the clipboard and pasted into the address bar, or copied to a text file and opened from there, or added to the bookmarks, it does not work. I don't want to investigate any further, but it seems like this is coherent with the origin policy for XSS. Closing as Rejected.
