Posted to jetspeed-dev@portals.apache.org by Santiago Gala <sg...@hisitech.com> on 2002/02/28 19:59:27 UTC
Re: Syndication of javascript: urls as a security window?
Kevin A. Burton wrote:
>
> ------------------------------------------------------------------------
> Subject: Syndication of javascript: urls as a security window?
> From: burton@openprivacy.org (Kevin A. Burton)
> Date: 27 Feb 2002 15:10:01 -0800
> To: syndication@yahoogroups.com
>
>- -----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>OK...
>
>I don't think a lot of people are checking for this.
>
>If someone were to create an RSS item of
>
><item>
>  <title>something shocking has happened</title>
>  <link>javascript:somethingBad()</link>
></item>
>
>This somethingBad() could be a one line Javascript to get cookies and to create a
>URL with this info and post to a site.
>
>We should document this somewhere and encourage aggregators to remove
>javascript: urls.
>
>Thoughts?
>
It does not look really awful for Jetspeed as a whole, as we usually get
RSS channels from OCS feeds, which means that we have some kind of
quality assurance from third parties. But I agree that we should prevent
this happening.
We should check that dangerous protocols are removed from the channel
when we create the portlet. Better than this, we should have a list of
"innocent" protocols to allow in <links>, like http or ftp and refuse to
take any URI that does not begin with one of those protocols.
This could be done in the NewRSSPortlet.init() and
JetspeedContentPortlet.init(), at least. Other places?
Thanks for relaying the info, Kevin
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Syndication of javascript: urls as a security window?
Posted by "Kevin A. Burton" <bu...@openprivacy.org>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Santiago Gala <sg...@hisitech.com> writes:
<snip/>
> It does not look really awful for Jetspeed as a whole, as we usually get RSS
> channels from OCS feeds, which means that we have some kind of quality
> assurance from third parties. But I agree that we should prevent this
> happening.
Well... most secure systems don't rely on "quality assurance from third
parties" :)
It is a pretty trivial fix. Just do a
if ( url.startsWith( "javascript:" ) ) {
    //return or throw an exception.
}
> We should check that dangerous protocols are removed from the channel when we
> create the portlet. Better than this, we should have a list of "innocent"
> protocols to allow in <links>, like http or ftp and refuse to take any URI
> that does not begin with one of those protocols.
Yes... but a lot of more modern systems which are perfectly safe might not
work. AKA mojo ids, JXTA urns, etc.
Reptile is probably just going to remove support for javascript:
I don't think there is a vbscript: URI notation for IE. (this javascript URL
is a bad idea)
> This could be done in the NewRSSPortlet.init() and
> JetspeedContentPortlet.init() , at least. Other places?
>
> Thanks for relaying the info, Kevin
No problem.
Kevin
--
Kevin A. Burton ( burton@apache.org, burton@openprivacy.org, burtonator@acm.org )
Location - San Francisco, CA, Cell - 415.595.9965
Jabber - burtonator@jabber.org, Web - http://relativity.yi.org/
...the biggest breakthrough in biotechnology since the breakthrough it fixes.
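An added example, not Jetspeed's or Reptile's code, contrasting the exact-prefix denylist from Kevin's reply with the scheme allowlist Santiago proposes, written in Python rather than Java so it runs stand-alone. The function names, the SAFE_SCHEMES set (Santiago names http and ftp; https is added here as an assumption) and the dict standing in for a parsed <item> are all constructed for this illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of schemes a portal is willing to put into an href.
# Santiago's message names http and ftp; https is added as an assumption.
SAFE_SCHEMES = frozenset({"http", "https", "ftp"})


def naive_rejects(url: str) -> bool:
    """The denylist check from Kevin's reply: only an exact-prefix match is caught."""
    return url.startswith("javascript:")


def link_scheme(url: str) -> str:
    """Return the lower-cased scheme of url, or "" when it has none (relative link).

    Surrounding whitespace is stripped first, because browsers ignore it when
    resolving an href, so the validator must see what the browser will see.
    """
    return urlsplit(url.strip()).scheme.lower()


def is_safe_link(url: str, allowed=SAFE_SCHEMES, allow_relative: bool = True) -> bool:
    """Allowlist check: accept only links whose scheme is explicitly permitted.

    A relative link has no scheme of its own and resolves against the portal
    page; allow_relative decides whether such links pass. Anything with an
    unknown scheme (javascript:, vbscript:, or a urn: not yet allowed) is
    rejected, which is the trade-off Kevin points out for mojo ids and JXTA urns.
    """
    scheme = link_scheme(url)
    if scheme == "":
        return allow_relative
    return scheme in allowed


def sanitize_item(item: dict, allowed=SAFE_SCHEMES) -> dict:
    """Drop the <link> of an RSS item whose scheme is not allowed; keep the title.

    `item` is a constructed {"title": ..., "link": ...} dict standing in for a
    parsed <item>; it is not a real feed-parser object.
    """
    cleaned = dict(item)
    if not is_safe_link(item.get("link", ""), allowed):
        cleaned["link"] = None  # dropped, not rewritten: never "repair" a hostile URL
    return cleaned
```

Running the two checks over the same feed links shows where the prefix test alone falls short and what the allowlist costs in return.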