Posted to commits@mesos.apache.org by ha...@apache.org on 2017/01/23 05:40:59 UTC
mesos git commit: Fixed XSS vulnerability in pailer invocation.
Repository: mesos
Updated Branches:
refs/heads/master 9228ebc23 -> 9a80ab383
Fixed XSS vulnerability in pailer invocation.
Review: https://reviews.apache.org/r/55691/
Project: http://git-wip-us.apache.org/repos/asf/mesos/repo
Commit: http://git-wip-us.apache.org/repos/asf/mesos/commit/9a80ab38
Tree: http://git-wip-us.apache.org/repos/asf/mesos/tree/9a80ab38
Diff: http://git-wip-us.apache.org/repos/asf/mesos/diff/9a80ab38
Branch: refs/heads/master
Commit: 9a80ab383ef771848066974979d688823f2f51ee
Parents: 9228ebc
Author: Jacob Janco <jj...@gmail.com>
Authored: Mon Jan 23 12:26:52 2017 +0800
Committer: Haosdent Huang <ha...@apache.org>
Committed: Mon Jan 23 13:40:46 2017 +0800
----------------------------------------------------------------------
src/webui/master/static/js/controllers.js | 12 +++++++++++-
src/webui/master/static/pailer.html | 17 ++++++++++++++++-
2 files changed, 27 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/mesos/blob/9a80ab38/src/webui/master/static/js/controllers.js
----------------------------------------------------------------------
diff --git a/src/webui/master/static/js/controllers.js b/src/webui/master/static/js/controllers.js
index 388ca24..b6364fa 100644
--- a/src/webui/master/static/js/controllers.js
+++ b/src/webui/master/static/js/controllers.js
@@ -15,8 +15,18 @@
// specified window_title.
function pailer(host, path, window_title) {
var url = '//' + host + '/files/read?path=' + path;
+
+ // The random id would be clean up once the pailer window loads the
+ // URL into its sessionStorage, so the possibility of collisions is
+ // acceptable here.
+ var storageKey = Math.random().toString(36).substr(2, 8);
+
+ // Store the target URL in localStorage which would be used by the
+ // pailer window later.
+ localStorage.setItem(storageKey, url);
+
var pailer =
- window.open('/static/pailer.html', url, 'width=580px, height=700px');
+ window.open('/static/pailer.html', storageKey, 'width=580px, height=700px');
// Need to use window.onload instead of document.ready to make
// sure the title doesn't get overwritten.
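Review bot: `path` is still concatenated into the query string unencoded on the first line of the hunk (`'/files/read?path=' + path`), so a path containing `&`, `#` or `%` would mangle the URL that pailer.html later extends with `&offset=`; unless every caller already encodes it, `var url = '//' + host + '/files/read?path=' + encodeURIComponent(path);` keeps the stored URL well-formed. The localStorage entry is only removed by the pailer window, so if `window.open` returns null (popup blocked) the key is never cleaned up; a guard such as `if (pailer === null) { localStorage.removeItem(storageKey); return; }` right after the call would cover that, assuming the code after the hunk does not already handle a null return. The comment above `storageKey` would read better as `// The random id is cleaned up once the pailer window has loaded the URL into its sessionStorage, so the possibility of collisions is acceptable here.` The body of `pailer` continues past the end of the hunk.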
http://git-wip-us.apache.org/repos/asf/mesos/blob/9a80ab38/src/webui/master/static/pailer.html
----------------------------------------------------------------------
diff --git a/src/webui/master/static/pailer.html b/src/webui/master/static/pailer.html
index 19e0981..2f48d23 100644
--- a/src/webui/master/static/pailer.html
+++ b/src/webui/master/static/pailer.html
@@ -43,16 +43,31 @@
$(window).resize(resize);
+ // Set target URL in sessionStorage and clean it in localStorage.
+ (function() {
+ // Avoid fetching target URL again if the navigation comes from
+ // reloading.
+ if (sessionStorage.getItem('isReloaded') !== 'true') {
+ var storageKey = window.name;
+ sessionStorage.setItem(storageKey, localStorage.getItem(storageKey));
+ localStorage.removeItem(storageKey);
+
+ sessionStorage.setItem('isReloaded', 'true');
+ }
+ })();
+
$(document).ready(function() {
resize();
+ var storageKey = window.name;
+
$data.pailer({
read: function(options) {
var settings = $.extend({
'offset': -1,
'length': -1
}, options);
- var url = window.name
+ var url = sessionStorage.getItem(storageKey)
+ '&offset=' + settings.offset
+ '&length=' + settings.length
+ '&jsonp=?';