Posted to issues@flex.apache.org by "Aron Nopanen (JIRA)" <ji...@apache.org> on 2016/08/26 19:37:20 UTC

[jira] [Updated] (FLEX-35123) DOM XSS vulnerability in history.js

     [ https://issues.apache.org/jira/browse/FLEX-35123?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Aron Nopanen updated FLEX-35123:
--------------------------------
    Attachment: 0001-Address-DOM-XSS-vulnerability.patch

> DOM XSS vulnerability in history.js
> -----------------------------------
>
>                 Key: FLEX-35123
>                 URL: https://issues.apache.org/jira/browse/FLEX-35123
>             Project: Apache Flex
>          Issue Type: Bug
>            Reporter: Aron Nopanen
>         Attachments: 0001-Address-DOM-XSS-vulnerability.patch
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> Template file history.js contains a DOM XSS vulnerability. While it looks like it would be difficult to exploit, it should be addressed.
> The code in question is in a block specific to ancient versions of Safari (<= 2.0.4), so I propose that block could safely be removed entirely.
> The vulnerable line is:
> getFormElement().innerHTML = '<form name="historyForm" action="'+file+'#' + flexAppUrl + '" method="GET"></form>';
> The variables 'file' and 'flexAppUrl' are being passed unescaped into HTML subcontext.
> I'm attaching a patch that would remove the Safari-specific handling, including the vulnerable line.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Re: [jira] [Updated] (FLEX-35123) DOM XSS vulnerability in history.js

Posted by Alex Harui <ah...@adobe.com>.

On 8/26/16, 5:10 PM, "Justin Mclean" <ju...@classsoftware.com> wrote:

>Hi,
>
>Given this is public (but IMO not serious) should we fix it and make a
>point release of the Flex SDK?
>
>Simplest option IMO would be to apply the patch to the 4.15 release branch
>and make a 4.15.1 release, rather than make a full release from the
>develop branch. That being said, the last release was 6 months ago.

If I understand correctly, this is almost theoretical:  someone would have
to be using Safari <= 2.0.4.

If that's true, IMO, there is no need to rush.  Accept the patch.  Start
the security fix process.  If someone needs it, they can get it from the
repo.
But you are right that it has been 6 months.  Time to discuss another
release.  But we should get FlexJS 0.7.0 out the door first.  Maybe a
BlazeDS update as well.

-Alex


Re: [jira] [Updated] (FLEX-35123) DOM XSS vulnerability in history.js

Posted by Justin Mclean <ju...@classsoftware.com>.
Hi,

Given this is public (but IMO not serious) should we fix it and make a point release of the Flex SDK?

Simplest option IMO would be to apply the patch to the 4.15 release branch and make a 4.15.1 release, rather than make a full release from the develop branch. That being said, the last release was 6 months ago.

Thanks,
Justin