Posted to users@deltaspike.apache.org by Ortwin Escher <or...@iav.de> on 2015/07/17 16:01:51 UTC

Unsafe handling of cookie content

Hello,

The WindowIdHtmlRenderer writes the cookie content of the dsrwid cookie 
directly into the page body when using the <ds:windowId/> tag. You might 
want to escape the content, do a sanity check or at least do the same 
shortening the windowId request parameter has.

A small example: Having a cookie like "dsrwid--9414" with the content 
"-9414'+alert('HelloWorld')+'" will open a HelloWorld alert when the 
window id is "-9414".

Kind regards

Ortwin Escher

Fachreferent, Fahrzeug IT, VC-M1

IAV GmbH 
Rockwellstrasse 16
38518 GIFHORN
GERMANY

Internet: http://www.iav.com

Sitz/Registered Office: Berlin, 
Registergericht/Registration Court: Amtsgericht Charlottenburg, 
Registernummer/Company Registration Number: HRB 21 280, 
Geschäftsführer/Managing Directors: Kurt Blumenröder, Michael Schubert, 
Olaf Kupke
Vorsitzender des Aufsichtsrates/Chairman of the Supervisory Board: Dr. 
Harald Ludanek
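
The three mitigations named in the report (shortening, a sanity check, escaping), as an added example that is not part of the original post and is not DeltaSpike's code. The class, the method names, the script markup and the length cap of 10 are assumptions made for illustration; the sample value is the cookie content quoted in the report.

```java
import java.util.regex.Pattern;

public class WindowIdRenderDemo {
    // Assumed cap for this sketch; the thread only says the request parameter is shortened.
    static final int MAX_WINDOW_ID_LEN = 10;
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_-]+");

    /** Shorten, then allowlist. Returns null when the value must not be rendered. */
    static String sanitize(String cookieValue) {
        if (cookieValue == null || cookieValue.isEmpty()) return null;
        String v = cookieValue.length() > MAX_WINDOW_ID_LEN
                ? cookieValue.substring(0, MAX_WINDOW_ID_LEN) : cookieValue;
        return ALLOWED.matcher(v).matches() ? v : null;
    }

    /** Escape every character outside a small safe set for use in a quoted script string. */
    static String escapeJs(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            boolean plain = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '-' || c == '_';
            if (plain) out.append(c);
            else out.append(String.format("\\u%04x", (int) c));
        }
        return out.toString();
    }

    /** Unsafe: the cookie value is concatenated into the script as-is (hypothetical markup). */
    static String renderUnsafe(String cookieValue) {
        return "<script>var windowId='" + cookieValue + "';</script>";
    }

    /** Hardened: rejected values render as an empty id; accepted ones are still escaped. */
    static String renderSafe(String cookieValue) {
        String v = sanitize(cookieValue);
        return "<script>var windowId='" + (v == null ? "" : escapeJs(v)) + "';</script>";
    }

    public static void main(String[] args) {
        String fromReport = "-9414'+alert('HelloWorld')+'"; // cookie content quoted in the report
        System.out.println(renderUnsafe(fromReport)); // the quote ends the string literal early
        System.out.println(renderSafe(fromReport));   // rejected by the allowlist after shortening
        System.out.println(renderSafe("-9414"));      // a plain window id passes unchanged
        // Shortening alone is not enough: the shortened value still contains the quote.
        System.out.println(fromReport.substring(0, MAX_WINDOW_ID_LEN));
    }
}
```

The last line of main shows why the length cap needs the allowlist or the escaping next to it: the shortened value can no longer carry the full expression, but it still breaks out of the string literal.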

Re: Unsafe handling of cookie content

Posted by Gerhard Petracek <ge...@gmail.com>.
DELTASPIKE-960 is fixed now.

regards,
gerhard



2015-07-17 16:39 GMT+02:00 Thomas Andraschko <an...@gmail.com>:

> Yep. Gerhard, can you add the substring logic to the
> initialredirectwindowid, too? I'm away till next week.
>
>
> On Friday, 17 July 2015, Gerhard Petracek wrote:
>
>> hi ortwin,
>>
>> thx for reporting the issue!
>> (fyi: please send such topics to the dev-list)
>>
>> @thomas:
>> we need to use maxWindowIdCount there as well.
>>
>> regards,
>> gerhard
>>
>>
>>
>> 2015-07-17 16:01 GMT+02:00 Ortwin Escher <or...@iav.de>:
>>
>>> Hello,
>>>
>>> The WindowIdHtmlRenderer writes the cookie content of the dsrwid cookie
>>> directly into the page body when using the <ds:windowId/> tag. You might
>>> want to escape the content, do a sanity check or at least do the same
>>> shortening the windowId request parameter has.
>>>
>>> A small example: Having a cookie like "dsrwid--9414" with the content
>>> "-9414'+alert('HelloWorld')+'" will open a HelloWorld alert when the
>>> window id is "-9414".
>>>
>>> Kind regards
>>>
>>> Ortwin Escher
>>
>>
>>

Re: Unsafe handling of cookie content

Posted by Gerhard Petracek <ge...@gmail.com>.
hi ortwin,

thx for reporting the issue!
(fyi: please send such topics to the dev-list)

@thomas:
we need to use maxWindowIdCount there as well.

regards,
gerhard



2015-07-17 16:01 GMT+02:00 Ortwin Escher <or...@iav.de>:

> Hello,
>
> The WindowIdHtmlRenderer writes the cookie content of the dsrwid cookie
> directly into the page body when using the <ds:windowId/> tag. You might
> want to escape the content, do a sanity check or at least do the same
> shortening the windowId request parameter has.
>
> A small example: Having a cookie like "dsrwid--9414" with the content
> "-9414'+alert('HelloWorld')+'" will open a HelloWorld alert when the
> window id is "-9414".
>
> Kind regards
>
> Ortwin Escher