[tor-bugs] #23574 [Internal Services/Tor Sysadmin Team]: Don't allow text injection in our 404 page

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Sep 19 09:40:31 UTC 2017


#23574: Don't allow text injection in our 404 page
-------------------------------------------------+-------------------------
 Reporter:  gk                                   |          Owner:  tpa
     Type:  defect                               |         Status:  closed
 Priority:  Medium                               |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Normal                               |     Resolution:  invalid
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by hiro):

 I think the important point is that no code can be executed.

 You can test by passing JavaScript to the URL and it doesn't do anything.
 Although, if we really care we can have the message in the 404 page just
 to say "The URL you typed was not found" or something along those lines,
 without having to repeat the URL.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/23574#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
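
Added example, not part of the ticket and not the Tor Project's own 404 code: a 404 body that repeats the HTML-escaped URL beside one that uses a fixed message, as the comment above suggests. The function names and the sample path are assumptions constructed for illustration.

```python
import html
from urllib.parse import unquote

# Constructed request path: percent-encoded prose followed by a script tag.
SAMPLE_PATH = (
    "/This%20sentence%20was%20written%20by%20the%20requester"
    "<script>alert(1)</script>"
)


def render_404_reflecting(raw_path: str) -> str:
    """404 body that repeats the requested URL after HTML-escaping it.

    Escaping stops the browser from treating the path as markup, so no
    script runs, but the requester's words still appear on the page.
    """
    shown = html.escape(unquote(raw_path), quote=True)
    return (
        "<h1>Not Found</h1>"
        f"<p>The requested URL {shown} was not found on this server.</p>"
    )


def render_404_static(raw_path: str) -> str:
    """404 body with a fixed message; the request path is never used."""
    return "<h1>Not Found</h1><p>The URL you typed was not found.</p>"


def reflects_request(body: str, raw_path: str) -> bool:
    """True if the escaped, decoded request path appears in the body."""
    return html.escape(unquote(raw_path), quote=True) in body


if __name__ == "__main__":
    for render in (render_404_reflecting, render_404_static):
        body = render(SAMPLE_PATH)
        print(render.__name__)
        print("  raw <script> tag in body:", "<script>" in body)
        print("  request text in body:   ", reflects_request(body, SAMPLE_PATH))
```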

