Posted to dev@shindig.apache.org by et...@apache.org on 2008/03/02 05:59:44 UTC

svn commit: r632712 - /incubator/shindig/trunk/features/rpc/rpc.js

Author: etnu
Date: Sat Mar  1 20:59:44 2008
New Revision: 632712

URL: http://svn.apache.org/viewvc?rev=632712&view=rev
Log:
Fix to avoid being able to bypass parent validation by passing more than 1 parent parameter or by passing parent in the query fragment instead of the query string. Ultimately we will probably need to move the parent regular expressions into the rpc validation as well so that postMessage calls will be able to be validated. This needs to be done before Firefox 3 goes GA. A simple solution may be to just skip parent validation on the server entirely and rely on it happening in js.


Modified:
    incubator/shindig/trunk/features/rpc/rpc.js

Modified: incubator/shindig/trunk/features/rpc/rpc.js
URL: http://svn.apache.org/viewvc/incubator/shindig/trunk/features/rpc/rpc.js?rev=632712&r1=632711&r2=632712&view=diff
==============================================================================
--- incubator/shindig/trunk/features/rpc/rpc.js (original)
+++ incubator/shindig/trunk/features/rpc/rpc.js Sat Mar  1 20:59:44 2008
@@ -38,7 +38,6 @@
   var callbacks = {};
 
   var params = gadgets.util.getUrlParameters();
-  var parentUrl = params.parent || '';
   authToken['..'] = params.rpctoken || params.ifpctok || 0;
 
   // Pick the most efficient RPC relay mechanism
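Review bot: on the unchanged line `authToken['..'] = params.rpctoken || params.ifpctok || 0;`, the token is still read from `gadgets.util.getUrlParameters()`, the same source this change stops using for `parent`. If the fragment and duplicate-parameter concerns in the log message apply to that helper, either read the token the same way `parent` is now read, or add a comment here saying why the helper is acceptable for `rpctoken`.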
@@ -158,7 +157,18 @@
       if (config.rpc.parentRelayUrl.substring(0, 7) === 'http://') {
         relayUrl['..'] = config.rpc.parentRelayUrl;
       } else {
-        relayUrl['..'] = parentUrl + config.rpc.parentRelayUrl;
+        // It's a relative path, and we must append to the parent.
+        // We're relying on the server validating the parent parameter in this
+        // case. Because of this, parent may only be passed in the query, not
+        // the fragment.
+        var params = document.location.search.substring(0).split("&");
+        for (var i = 0, param; param = params[i]; ++i) {
+          // Only the first parent can be validated.
+          if (param.indexOf("parent=") === 0) {
+            relayUrl['..'] = param.substring(7) + config.rpc.parentRelayUrl;
+            break;
+          }
+        }
       }
       useLegacyProtocol['..'] = !!config.rpc.useLegacyProtocol;
     }
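Review bot: `document.location.search.substring(0)` is a no-op, so the leading `?` stays attached to the first parameter and `param.indexOf("parent=") === 0` never matches a `parent` that comes first in the query. With `?parent=a&parent=b` the loop would skip the first value and use the second, which contradicts the "Only the first parent can be validated" comment; `substring(1)` fixes this. Two further points in the same block: when no parameter matches, `relayUrl['..']` is left unset where the old code assigned `'' + config.rpc.parentRelayUrl`, and `param.substring(7)` is used exactly as it appears in the query string, so a percent-encoded value is concatenated undecoded. Both cases should be handled explicitly. The new `var params` also reuses the name of the parsed-parameter object declared near line 38 for an array of raw strings; a different name would avoid confusion.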