You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@shindig.apache.org by "Jasvir Nagra (JIRA)" <ji...@apache.org> on 2009/02/03 23:19:59 UTC
[jira] Created: (SHINDIG-900) Malformed javascript causes the
CajaContentRewriter to append original javascript
Malformed javascript causes the CajaContentRewriter to append original javascript
---------------------------------------------------------------------------------
Key: SHINDIG-900
URL: https://issues.apache.org/jira/browse/SHINDIG-900
Project: Shindig
Issue Type: Bug
Components: Gadget Rendering Server (Java)
Reporter: Jasvir Nagra
The CajaContentRewriter does not remove original content from the gadget before running the cajoler. As a result, any exceptions in cajoler result in the original content passing through un-rewritten. This is a security critical error.
To reproduce:
1. Clean checkout, build and run shindig
2. Load a gadget that requires caja but has syntactically incorrect javascript - note the rendered output contains the original javascript.
<?xml version="1.0" encoding="UTF-8"?>
<Module>
<ModulePrefs title="Caja">
<Require feature="opensocial-0.7"></Require>
<Require feature="caja"></Require>
<Require feature="dynamic-height"></Require>
</ModulePrefs>
<Content type="html">
<![CDATA[
<script>
document.getElementById("attack").style.= ;
</script>
]]>
</Content>
</Module>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (SHINDIG-900) Malformed javascript causes the
CajaContentRewriter to append original javascript
Posted by "Jasvir Nagra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-900?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jasvir Nagra updated SHINDIG-900:
---------------------------------
Attachment: secure-default.patch
Updated to enable the "use caja" flag in samplecontainer to actually work.
> Malformed javascript causes the CajaContentRewriter to append original javascript
> ---------------------------------------------------------------------------------
>
> Key: SHINDIG-900
> URL: https://issues.apache.org/jira/browse/SHINDIG-900
> Project: Shindig
> Issue Type: Bug
> Components: Gadget Rendering Server (Java)
> Reporter: Jasvir Nagra
> Attachments: secure-default.patch
>
>
> The CajaContentRewriter does not remove original content from the gadget before running the cajoler. As a result, any exceptions in cajoler result in the original content passing through un-rewritten. This is a security critical error.
> To reproduce:
> 1. Clean checkout, build and run shindig
> 2. Load a gadget that requires caja but has syntactically incorrect javascript - note the rendered output contains the original javascript.
> <?xml version="1.0" encoding="UTF-8"?>
> <Module>
> <ModulePrefs title="Caja">
> <Require feature="opensocial-0.7"></Require>
> <Require feature="caja"></Require>
> <Require feature="dynamic-height"></Require>
> </ModulePrefs>
> <Content type="html">
> <![CDATA[
> <script>
> document.getElementById("attack").style.= ;
> </script>
> ]]>
> </Content>
> </Module>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (SHINDIG-900) Malformed javascript causes the
CajaContentRewriter to append original javascript
Posted by "Louis Ryan (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-900?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Louis Ryan closed SHINDIG-900.
------------------------------
Resolution: Fixed
Fix Version/s: trunk
Assignee: Louis Ryan
Patch applied with minor changes. Thanks
> Malformed javascript causes the CajaContentRewriter to append original javascript
> ---------------------------------------------------------------------------------
>
> Key: SHINDIG-900
> URL: https://issues.apache.org/jira/browse/SHINDIG-900
> Project: Shindig
> Issue Type: Bug
> Components: Java
> Reporter: Jasvir Nagra
> Assignee: Louis Ryan
> Fix For: trunk
>
> Attachments: secure-default.patch, secure-default.patch2
>
>
> The CajaContentRewriter does not remove original content from the gadget before running the cajoler. As a result, any exceptions in cajoler result in the original content passing through un-rewritten. This is a security critical error.
> To reproduce:
> 1. Clean checkout, build and run shindig
> 2. Load a gadget that requires caja but has syntactically incorrect javascript - note the rendered output contains the original javascript.
> <?xml version="1.0" encoding="UTF-8"?>
> <Module>
> <ModulePrefs title="Caja">
> <Require feature="opensocial-0.7"></Require>
> <Require feature="caja"></Require>
> <Require feature="dynamic-height"></Require>
> </ModulePrefs>
> <Content type="html">
> <![CDATA[
> <script>
> document.getElementById("attack").style.= ;
> </script>
> ]]>
> </Content>
> </Module>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (SHINDIG-900) Malformed javascript causes the
CajaContentRewriter to append original javascript
Posted by "Jasvir Nagra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-900?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jasvir Nagra updated SHINDIG-900:
---------------------------------
Attachment: secure-default.patch
* Removes the content before cajoling so any subsequent failures never allows unsantized content to be sent to the browser
* Removes calls to "console" which does not exist in all browsers.
A subsequent patch will format cajoling errors to return to the user.
> Malformed javascript causes the CajaContentRewriter to append original javascript
> ---------------------------------------------------------------------------------
>
> Key: SHINDIG-900
> URL: https://issues.apache.org/jira/browse/SHINDIG-900
> Project: Shindig
> Issue Type: Bug
> Components: Gadget Rendering Server (Java)
> Reporter: Jasvir Nagra
> Attachments: secure-default.patch
>
>
> The CajaContentRewriter does not remove original content from the gadget before running the cajoler. As a result, any exceptions in cajoler result in the original content passing through un-rewritten. This is a security critical error.
> To reproduce:
> 1. Clean checkout, build and run shindig
> 2. Load a gadget that requires caja but has syntactically incorrect javascript - note the rendered output contains the original javascript.
> <?xml version="1.0" encoding="UTF-8"?>
> <Module>
> <ModulePrefs title="Caja">
> <Require feature="opensocial-0.7"></Require>
> <Require feature="caja"></Require>
> <Require feature="dynamic-height"></Require>
> </ModulePrefs>
> <Content type="html">
> <![CDATA[
> <script>
> document.getElementById("attack").style.= ;
> </script>
> ]]>
> </Content>
> </Module>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (SHINDIG-900) Malformed javascript causes the
CajaContentRewriter to append original javascript
Posted by "Jasvir Nagra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-900?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jasvir Nagra updated SHINDIG-900:
---------------------------------
Attachment: (was: secure-default.patch)
> Malformed javascript causes the CajaContentRewriter to append original javascript
> ---------------------------------------------------------------------------------
>
> Key: SHINDIG-900
> URL: https://issues.apache.org/jira/browse/SHINDIG-900
> Project: Shindig
> Issue Type: Bug
> Components: Gadget Rendering Server (Java)
> Reporter: Jasvir Nagra
>
> The CajaContentRewriter does not remove original content from the gadget before running the cajoler. As a result, any exceptions in cajoler result in the original content passing through un-rewritten. This is a security critical error.
> To reproduce:
> 1. Clean checkout, build and run shindig
> 2. Load a gadget that requires caja but has syntactically incorrect javascript - note the rendered output contains the original javascript.
> <?xml version="1.0" encoding="UTF-8"?>
> <Module>
> <ModulePrefs title="Caja">
> <Require feature="opensocial-0.7"></Require>
> <Require feature="caja"></Require>
> <Require feature="dynamic-height"></Require>
> </ModulePrefs>
> <Content type="html">
> <![CDATA[
> <script>
> document.getElementById("attack").style.= ;
> </script>
> ]]>
> </Content>
> </Module>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (SHINDIG-900) Malformed javascript causes the
CajaContentRewriter to append original javascript
Posted by "Jasvir Nagra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-900?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12670632#action_12670632 ]
Jasvir Nagra commented on SHINDIG-900:
--------------------------------------
Also reviewable here: http://codereview.appspot.com/13051
> Malformed javascript causes the CajaContentRewriter to append original javascript
> ---------------------------------------------------------------------------------
>
> Key: SHINDIG-900
> URL: https://issues.apache.org/jira/browse/SHINDIG-900
> Project: Shindig
> Issue Type: Bug
> Components: Gadget Rendering Server (Java)
> Reporter: Jasvir Nagra
> Attachments: secure-default.patch
>
>
> The CajaContentRewriter does not remove original content from the gadget before running the cajoler. As a result, any exceptions in cajoler result in the original content passing through un-rewritten. This is a security critical error.
> To reproduce:
> 1. Clean checkout, build and run shindig
> 2. Load a gadget that requires caja but has syntactically incorrect javascript - note the rendered output contains the original javascript.
> <?xml version="1.0" encoding="UTF-8"?>
> <Module>
> <ModulePrefs title="Caja">
> <Require feature="opensocial-0.7"></Require>
> <Require feature="caja"></Require>
> <Require feature="dynamic-height"></Require>
> </ModulePrefs>
> <Content type="html">
> <![CDATA[
> <script>
> document.getElementById("attack").style.= ;
> </script>
> ]]>
> </Content>
> </Module>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Updated: (SHINDIG-900) Malformed javascript causes the
CajaContentRewriter to append original javascript
Posted by "Jasvir Nagra (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/SHINDIG-900?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jasvir Nagra updated SHINDIG-900:
---------------------------------
Attachment: secure-default.patch2
Updated patch:
* added tests for setContent.
* re-added caja end-to-end tests call (not sure why these were turned off)
* added support for static cajoling errors
> Malformed javascript causes the CajaContentRewriter to append original javascript
> ---------------------------------------------------------------------------------
>
> Key: SHINDIG-900
> URL: https://issues.apache.org/jira/browse/SHINDIG-900
> Project: Shindig
> Issue Type: Bug
> Components: Java
> Reporter: Jasvir Nagra
> Attachments: secure-default.patch, secure-default.patch2
>
>
> The CajaContentRewriter does not remove original content from the gadget before running the cajoler. As a result, any exceptions in cajoler result in the original content passing through un-rewritten. This is a security critical error.
> To reproduce:
> 1. Clean checkout, build and run shindig
> 2. Load a gadget that requires caja but has syntactically incorrect javascript - note the rendered output contains the original javascript.
> <?xml version="1.0" encoding="UTF-8"?>
> <Module>
> <ModulePrefs title="Caja">
> <Require feature="opensocial-0.7"></Require>
> <Require feature="caja"></Require>
> <Require feature="dynamic-height"></Require>
> </ModulePrefs>
> <Content type="html">
> <![CDATA[
> <script>
> document.getElementById("attack").style.= ;
> </script>
> ]]>
> </Content>
> </Module>
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.