Bug
Resolution: Unresolved
Normal
It seems like it may be possible to steal a user's cookies if you can get them to create a release using a specially-crafted https://musicbrainz.org/release/add POST request. This requires them to click through the interstitial warning screen that MB displays for POST requests, but I assume that most users do that when seeding edits without carefully reading each parameter.
The issue appears to exist due to this code in root/static/scripts/release-editor/edits.js (which I think that Jira may butcher, unfortunately):
    function chainEditSubmissions(release, submissions) {
        // ...
        function nextSubmission(index) {
            var current = submissions[index++];
            if (!current) {
                // We're done!
                // Don't ask for confirmation before redirecting.
                root.redirecting = true;
                if (releaseEditor.redirectURI) {
                    var a = document.createElement('a');
                    a.href = releaseEditor.redirectURI;
                    a.search += /^\?/.test(a.search) ? '&' : '?';
                    a.search += 'release_mbid=' + release.gid();
                    window.location.href = a.href;
                } else {
                    window.location.pathname = '/release/' + release.gid();
                }
                return;
            }
            // ...
        }
    }
JavaScript code can be injected on either side of the "release_mbid=..." string by setting the "redirect_uri" parameter to a value starting with "javascript:". The right-hand side of the code can be passed via the hash portion of the URL.
For example, setting "redirect_uri" to the following logs the user's cookies to the console:
    javascript:foo="#";console.log(document.cookie);
"?release_mbid=..." (without the quotes) gets inserted just before the '#' in this code.
I actually find this behavior useful since I'm trying to make my seeder redirect to /add-cover-art after adding a release. This isn't easy to do otherwise, since redirect_uri adds a "release_mbid" query parameter, but the add-cover-art endpoint needs the release's MBID to be included in the path.
To handle this, I found that I can pass a redirect_uri value like the following (split over multiple lines here for readability):
    javascript:mbid="#".slice(14,-1);
    window.location="https://musicbrainz.org/release/"+mbid+"/add-cover-art"
So this is useful for me (since otherwise I'd probably need to create a tiny HTTP handler that accepts "?release_mbid" URLs and redirects to /add-cover-art), but I figured I should file a bug in case this behavior wasn't intentional. It may not be a big deal, since most seeding probably happens via userscripts that may already be able to do whatever they want.
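As an added example (not MusicBrainz's own code), here is a hardened version of the redirect branch from nextSubmission() above: it parses redirect_uri with the WHATWG URL parser, accepts only http(s) schemes, and appends release_mbid through URLSearchParams instead of string concatenation on a.search. The function names, the "absolute URLs only" rule and the fallback to /release/<mbid> are assumptions, not the project's actual fix.

```javascript
// Added example, not MusicBrainz code: scheme-allowlisting replacement for
// the redirect_uri handling shown in the report. The seeded value is parsed
// as a URL, anything other than http(s) is dropped, and release_mbid is
// appended by URLSearchParams so '?' vs '&' and encoding are handled by the
// parser rather than by hand-built string concatenation.

const ALLOWED_PROTOCOLS = new Set(['http:', 'https:']);

// Returns the final redirect target as a string, or null when the seeded
// redirect_uri must be ignored (the caller then falls back to the release page).
function buildRedirectTarget(redirectURI, releaseMbid) {
  let url;
  try {
    // No base URL is given on purpose (assumption: only absolute URIs are
    // accepted), so relative or malformed values are rejected here.
    url = new URL(redirectURI);
  } catch (e) {
    return null;
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    // Rejects javascript:, data:, vbscript: and any other scripting scheme.
    return null;
  }
  // searchParams preserves any existing query and the fragment, and chooses
  // the separator itself, which is the part the original code did by hand.
  url.searchParams.append('release_mbid', releaseMbid);
  return url.href;
}

// Mirrors the if/else in nextSubmission(): use the seeded URI when it is
// acceptable, otherwise land on the release's own page.
function redirectAfterSubmit(redirectURI, releaseMbid) {
  const target = redirectURI ? buildRedirectTarget(redirectURI, releaseMbid) : null;
  return target !== null ? target : '/release/' + releaseMbid;
}
```

A same-origin check on url.origin would tighten this further if off-site redirects are not needed.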