Fixed issues reported by cure53.de

Fixed issues CLP-01-014 and CLP-01-015
author: Giulio Cesare Solaroli <giulio.cesare@clipperz.com> 2014-05-02 15:14:18 (UTC)
committer: Giulio Cesare Solaroli <giulio.cesare@clipperz.com> 2014-05-02 15:24:45 (UTC)
commit: ed6b4edc82b0f65c77980713cd525053fcbc1dd2 (patch) (unidiff)
tree: 80eb0e6ccfc4efa15c6488cc83448d8a865169df /frontend
parent: 03659f6b3d9766898854e8a769c0c9341b3de80c (diff)
download: clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.zip
clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.tar.gz
clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.tar.bz2
5 files changed, 47 insertions, 11 deletions
diff --git a/frontend/beta/js/Clipperz/Base.js b/frontend/beta/js/Clipperz/Base.js
index cf40314..1c6faa1 100644
--- a/frontend/beta/js/Clipperz/Base.js
+++ b/frontend/beta/js/Clipperz/Base.js
@@ -225,48 +225,76 @@ MochiKit.Base.update(Clipperz.Base, {
                return JSON2.parse(aString);
        },
        
        'serializeJSON': function(anObject) {
        //      return MochiKit.Base.serializeJSON(anObject);
                return JSON2.stringify(anObject);
        },
        //-------------------------------------------------------------------------
        'sanitizeString': function(aValue) {
                var result;
                
                if (Clipperz.Base.objectType(aValue) == 'string') {
                        result = aValue;
                        result = result.replace(/</img,"&lt;");
                        result = result.replace(/>/img,"&gt;");
                } else {
                        result = aValue;
                }
                
                return result;
        },
+        'javascriptInjectionPattern': new RegExp("javascript:\/\/\"", "g"),
+        
+        'sanitizeUrl': function(aValue) {
+                        varresult;
+                
+                if ((aValue != null) && this.javascriptInjectionPattern.test(aValue)) {
+                        result = aValue.replace(this.javascriptInjectionPattern, '');
+                        console.log("sanitized url", aValue, result);
+                } else {
+                        result = aValue;
+                }
+                return result;
+        },
+        'sanitizeFavicon': function(aValue) {
+                        varresult;
+                
+                if ((aValue != null) && this.javascriptInjectionPattern.test(aValue)) {
+                        result = aValue.replace(this.javascriptInjectionPattern, '');
+                        console.log("sanitized favicon", aValue, result);
+                } else {
+                        result = aValue;
+                }
+                return result;
+        },
        //-------------------------------------------------------------------------
        'exception': {
                        'AbstractMethod':       new MochiKit.Base.NamedError("Clipperz.Base.exception.AbstractMethod"),
                        'UnknownType':          new MochiKit.Base.NamedError("Clipperz.Base.exception.UnknownType"),
                        'VulnerabilityIssue':new MochiKit.Base.NamedError("Clipperz.Base.exception.VulnerabilityIssue") 
        },
        //-------------------------------------------------------------------------
        __syntaxFix__: "syntax fix"
 });
 MochiKit.Base.registerComparator('Object dummy comparator',
        function(a, b) {
                return ((a.constructor == Object) && (b.constructor == Object));
        },
        function(a, b) {
                var result;
                var aKeys;
                var bKeys;
                
diff --git a/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js b/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js
index 2295d3f..369b9ce 100644
--- a/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js
+++ b/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js
@@ -117,49 +117,49 @@ Clipperz.PM.BookmarkletProcessor.prototype = MochiKit.Base.update(null, {
        //-------------------------------------------------------------------------
        'editableFields': function() {
                if (this._editableFields == null) {
                        this._editableFields = MochiKit.Base.filter(function(aField) {
                                var result;
                                var type;
                
                                type = aField['type'].toLowerCase();
                                result = ((type != 'hidden') && (type != 'submit') && (type != 'checkbox') && (type != 'radio') && (type != 'select'));
                
                                return result;
                        }, this.fields())
                }
                
                return this._editableFields;
        },
        //-------------------------------------------------------------------------
        'hostname': function() {
                if (this._hostname == null) {
                        var actionUrl;
                        
-                        actionUrl = this.configuration()['form']['attributes']['action'];
+                        actionUrl = Clipperz.Base.sanitizeUrl(this.configuration()['form']['attributes']['action']);
 //MochiKit.Logging.logDebug("+++ actionUrl: " + actionUrl);
                        this._hostname = actionUrl.replace(/^https?:\/\/([^\/]*)\/.*/, '$1');
                }
                
                return this._hostname;
        },
        
        'favicon': function() {
                if (this._favicon == null) {
                        this._favicon = "http://" + this.hostname() + "/favicon.ico";
 //MochiKit.Logging.logDebug("+++ favicon: " + this._favicon);
                }
                
                return this._favicon;
        },
        
        //-------------------------------------------------------------------------
        
        'record': function() {
                if (this._record == null) {
                        var record;
                        var recordVersion;
                        var directLogin;
                        var bindings;
diff --git a/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js b/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js
index 0e4640e..a5a4697 100644
--- a/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js
+++ b/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js
@@ -79,49 +79,49 @@ YAHOO.extendX(Clipperz.PM.Components.RecordDetail.DirectLoginBindingComponent, C
                ]});
 //MochiKit.Logging.logDebug("--- DirectLoginBindingComponent.render - 2");
                this.getElement('editModeBox').setVisibilityMode(YAHOO.ext.Element.DISPLAY);
                this.getElement('viewModeBox').setVisibilityMode(YAHOO.ext.Element.DISPLAY);
                this.update();
 //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.render");
        },
        //-------------------------------------------------------------------------
        'recordFieldOptions': function() {
                        varresult;
                var option;
                        varrecordFieldKey;
                        varrecordFields;
 //MochiKit.Logging.logDebug(">>> DirectLoginBindingComponent.recordFieldOptions");
                recordFields = this.directLoginBinding().directLogin().record().currentVersion().fields();
                result = [];
                option = {tag:'option', value:null, html:'---'};
                result.push(option);
                for (recordFieldKey in recordFields) {
        //TODO: remove the value: field and replace it with element.dom.value = <some value>
-                        option = {tag:'option', value:recordFieldKey, html:recordFields[recordFieldKey].label()}
+                        option = {tag:'option', value:recordFieldKey, html:Clipperz.Base.sanitizeString(recordFields[recordFieldKey].label())}
                        if (recordFieldKey == this.directLoginBinding().fieldKey()) {
                                option['selected'] = true;
                        }
                        result.push(option);
                }
 //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.recordFieldOptions");
                
                return result;
        },
        //-------------------------------------------------------------------------
        'syncAndUpdateEditMode': function() {
                this.synchronizeComponentValues();
                this.updateEditMode();
        },
        
        'updateEditMode': function() {
                        varselectElementBox;
 //MochiKit.Logging.logDebug(">>> DirectLoginBindingComponent.updateEditMode");
                this.getElement('viewModeBox').hide();
                selectElementBox = this.getElement('editModeBox');
@@ -129,41 +129,41 @@ YAHOO.extendX(Clipperz.PM.Components.RecordDetail.DirectLoginBindingComponent, C
                Clipperz.YUI.DomHelper.append(selectElementBox.dom, {tag:'select', id:this.getId('select'), children:this.recordFieldOptions()});
 /*
                selectElement = this.getElement('select');
                
                selectElement.update("");
                MochiKit.Iter.forEach(this.recordFieldOptions(), function(anOption) {
                        Clipperz.YUI.DomHelper.append(selectElement.dom, anOption);
                });
 */
                this.getElement('editModeBox').show();
 //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.updateEditMode");
        },
        
        //-------------------------------------------------------------------------
        'updateViewMode': function() {
 //MochiKit.Logging.logDebug(">>> DirectLoginBindingComponent.updateViewMode");
                this.getElement('editModeBox').hide();
                this.getElement('viewModeBox').show();
-                this.getElement('viewValue').update(this.directLoginBinding().field().label());
+                this.getElement('viewValue').update(Clipperz.Base.sanitizeString(this.directLoginBinding().field().label()));
 //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.updateViewMode");
        },
        //-------------------------------------------------------------------------
        'synchronizeComponentValues': function() {
 //MochiKit.Logging.logDebug(">>> DirectLoginBindingComponent.synchronizeComponentValues")
 //MochiKit.Logging.logDebug("--- DirectLoginBindingComponent.synchronizeComponentValues - 1 - " + this.getId('select'));
                this.directLoginBinding().setFieldKey(this.getDom('select').value);
 //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.synchronizeComponentValues");
        },
        //-------------------------------------------------------------------------
        __syntaxFix__: "syntax fix"
 });
diff --git a/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js b/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js
index c0cfa3c..56d9d59 100644
--- a/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js
+++ b/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js
@@ -17,49 +17,49 @@ refer to http://www.clipperz.com.
  See the GNU Affero General Public License for more details.
 * You should have received a copy of the GNU Affero General Public
  License along with Clipperz. If not, see http://www.gnu.org/licenses/.
 */
 if (typeof(Clipperz) == 'undefined') { Clipperz = {}; }
 if (typeof(Clipperz.PM) == 'undefined') { Clipperz.PM = {}; }
 if (typeof(Clipperz.PM.DataModel) == 'undefined') { Clipperz.PM.DataModel = {}; }
 //#############################################################################
 Clipperz.PM.DataModel.DirectLogin = function(args) {
 //MochiKit.Logging.logDebug(">>> new Clipperz.PM.DataModel.DirectLogin");
 //console.log(">>> new Clipperz.PM.DataModel.DirectLogin - args: %o", args);
 //console.log("--- formData: %s", Clipperz.Base.serializeJSON(args.formData));
        args = args || {};
 //MochiKit.Logging.logDebug("--- new Clipperz.PM.DataModel.DirectLogin - args: " + Clipperz.Base.serializeJSON(MochiKit.Base.keys(args)));
        this._record = args.record || null;
        this._label = args.label || "unnamed record"
        this._reference = args.reference || Clipperz.PM.Crypto.randomKey();
-        this._favicon = args.favicon || null;
+        this._favicon = Clipperz.Base.sanitizeFavicon(args.favicon) || null;
        this._bookmarkletVersion = args.bookmarkletVersion || "0.1";
        this._directLoginInputs = null;
        
        this._formValues = args.formValues || {};
        this.setFormData(args.formData || null);
 //console.log("=== formData: %o", this.formData());
        if (args.legacyBindingData == null) {
                this.setBindingData(args.bindingData || null);
        } else {
                this.setLegacyBindingData(args.legacyBindingData);
        }
        this._fixedFavicon = null;
        
        //this._formValues = args.formValues || (this.hasValuesToSet() ? {} : null);
 //MochiKit.Logging.logDebug("<<< new Clipperz.PM.DataModel.DirectLogin");
        
        return this;
 }
 Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, {
@@ -81,83 +81,91 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, {
        
        //-------------------------------------------------------------------------
        'reference': function() {
                return this._reference;
        },
        //-------------------------------------------------------------------------
        'label': function() {
                return this._label;
        },
        'setLabel': function(aValue) {
                this._label = aValue;
        },
        
        //-------------------------------------------------------------------------
        'favicon': function() {
                if (this._favicon == null) {
                                varactionUrl;
                        var hostname;
                        
-                        actionUrl = this.formData()['attributes']['action'];
+                        actionUrl = this.action();
                        hostname = actionUrl.replace(/^https?:\/\/([^\/]*)\/.*/, '$1');
-                        this._favicon = "http://" + hostname + "/favicon.ico";
+                        this._favicon = Clipperz.Base.sanitizeFavicon("http://" + hostname + "/favicon.ico");
                }
                return this._favicon;
        },
        //-------------------------------------------------------------------------
        'fixedFavicon': function() {
                var result;
                
                if (this._fixedFavicon == null) {
                        result = this.favicon();
                        if (Clipperz_IEisBroken) {
                                if (this.user().preferences().disableUnsecureFaviconLoadingForIE()) {
                                        if (result.indexOf('https://') != 0) {
                                                result = Clipperz.PM.Strings['defaultFaviconUrl_IE'];
                                                this.setFixedFavicon(result);
                                        }
                                }
                        }
                } else {
                        result = this._fixedFavicon;
                }
                
                return result;
        },
        'setFixedFavicon': function(aValue) {
                this._fixedFavicon = aValue;
        },
        
+        'action': function () {
+                        varresult;
+                
+                result = Clipperz.Base.sanitizeUrl(this.formData()['attributes']['action']);
+                
+                return result;
+        },
+        
        //-------------------------------------------------------------------------
        'bookmarkletVersion': function() {
                return this._bookmarkletVersion;
        },
        
        'setBookmarkletVersion': function(aValue) {
                this._bookmarkletVersion = aValue;
        },
        
        //-------------------------------------------------------------------------
        'formData': function() {
                return this._formData;
        },
        'setFormData': function(aValue) {
                var formData;
                
 //MochiKit.Logging.logDebug(">>> DirectLogin.setFormData - " + Clipperz.Base.serializeJSON(aValue));
                switch (this.bookmarkletVersion()) {
                        case "0.2":
                                formData = aValue;
                                break;
@@ -421,96 +429,96 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, {
                                /(^https?\:\/\/)?(.*)/.test(url);
                                completeUrl = RegExp.$1 + username + ':' + password + '@' + RegExp.$2;
                        }
                        
                        MochiKit.DOM.currentWindow().location.href = completeUrl;
                }, this));
        },
        
        //-------------------------------------------------------------------------
        'runSubmitFormDirectLogin': function(aWindow) {
                MochiKit.DOM.withWindow(aWindow, MochiKit.Base.bind(function() {
                        var formElement;
                                varformSubmitFunction;
                        var submitButtons;
                        
 //MochiKit.Logging.logDebug("### runDirectLogin - 3");
        //              MochiKit.DOM.currentDocument().write('<html><head><title>' + this.label() + '</title><META http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body></body></html>')
 //MochiKit.Logging.logDebug("### runDirectLogin - 3.1");
                        MochiKit.DOM.appendChildNodes(MochiKit.DOM.currentDocument().body, MochiKit.DOM.H3(null, "Loading " + this.label() + " ..."));
 //MochiKit.Logging.logDebug("### runDirectLogin - 4");
 //console.log(this.formData()['attributes']);
                                formElement = MochiKit.DOM.FORM(MochiKit.Base.update({id:'directLoginForm'}, {'method':this.formData()['attributes']['method'],
-                                                                                                                                                                                        'action':this.formData()['attributes']['action']}));
+                                                                                                                                                                                        'action': this.action()}));
 //MochiKit.Logging.logDebug("### runDirectLogin - 5");
                        formSubmitFunction = MochiKit.Base.method(formElement, 'submit');
 //MochiKit.Logging.logDebug("### runDirectLogin - 6");
                        MochiKit.DOM.appendChildNodes(MochiKit.DOM.currentDocument().body,
                                MochiKit.DOM.DIV({style:'display:none; visibility:hidden;'}, formElement)
                        );
 //MochiKit.Logging.logDebug("### runDirectLogin - 7");
                                MochiKit.DOM.appendChildNodes(formElement, MochiKit.Base.map(MochiKit.Base.methodcaller("formConfiguration"),
                                                                                                                                                        this.directLoginInputs()));
 //MochiKit.Logging.logDebug("### runDirectLogin - 8");
                        submitButtons = MochiKit.Base.filter(function(anInputElement) {
 //MochiKit.Logging.logDebug("### runDirectLogin - 8.1 - " + anInputElement);
 //MochiKit.Logging.logDebug("### runDirectLogin - 8.2 - " + anInputElement.tagName);
 //MochiKit.Logging.logDebug("### runDirectLogin - 8.3 - " + anInputElement.getAttribute('type'));
                                return ((anInputElement.tagName.toLowerCase() == 'input') && (anInputElement.getAttribute('type').toLowerCase() == 'submit'));
                        }, formElement.elements)
 //MochiKit.Logging.logDebug("### runDirectLogin - 9");
                        if (submitButtons.length == 0) {
 //MochiKit.Logging.logDebug("### OLD submit")
                                if (Clipperz_IEisBroken == true) {
 //MochiKit.Logging.logDebug("### runDirectLogin - 10");
                                        formElement.submit();
                                } else {
 //MochiKit.Logging.logDebug("### runDirectLogin - 11");
                                        formSubmitFunction();
                                }
                        } else {
 //MochiKit.Logging.logDebug("### NEW submit")
                                submitButtons[0].click();
                        }
                }, this));
        },
        
        //-------------------------------------------------------------------------
        'runDirectLogin': function(aNewWindow) {
                        varnewWindow;
 //console.log("formData.attributes", this.formData()['attributes']);
        //      if (/^javascript/.test(this.formData()['attributes']['action'])) {
-                if ((/^(https?|webdav|ftp)\:/.test(this.formData()['attributes']['action']) == false) &&
+                if ((/^(https?|webdav|ftp)\:/.test(this.action()) == false) &&
-                        (this.formData()['attributes']['type'] != 'http_auth'))
+                        (this.formData()['attributes']['type'] != 'http_auth')
-                {
+                ) {
                        var messageBoxConfiguration;
                        if (typeof(aNewWindow) != 'undefined') {
                                aNewWindow.close();
                        }
                        messageBoxConfiguration = {};
                        messageBoxConfiguration.title = Clipperz.PM.Strings['VulnerabilityWarning_Panel_title'];
                        messageBoxConfiguration.msg = Clipperz.PM.Strings['VulnerabilityWarning_Panel_message'];
                        messageBoxConfiguration.animEl = YAHOO.ext.Element.get("mainDiv");
                        messageBoxConfiguration.progress = false;
                        messageBoxConfiguration.closable = false;
                        messageBoxConfiguration.buttons = {'cancel': Clipperz.PM.Strings['VulnerabilityWarning_Panel_buttonLabel']};
                        Clipperz.YUI.MessageBox.show(messageBoxConfiguration);
                        throw Clipperz.Base.exception.VulnerabilityIssue;
                }
 //MochiKit.Logging.logDebug("### runDirectLogin - 1 : " + Clipperz.Base.serializeJSON(this.serializedData()));
                if (typeof(aNewWindow) == 'undefined') {
                        newWindow = window.open(Clipperz.PM.Strings['directLoginJumpPageUrl'], "");
                } else {
                        newWindow = aNewWindow;
diff --git a/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js b/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js
index 236d7c9..ba302da 100644
--- a/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js
+++ b/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js
@@ -26,49 +26,49 @@ if (typeof(Clipperz.PM) == 'undefined') { Clipperz.PM = {}; }
 if (typeof(Clipperz.PM.DataModel) == 'undefined') { Clipperz.PM.DataModel = {}; }
 //#############################################################################
 Clipperz.PM.DataModel.DirectLoginReference = function(args) {
        args = args || {};
 //MochiKit.Logging.logDebug(">>> new DirectLoginReference: " + Clipperz.Base.serializeJSON(MochiKit.Base.keys(args)));
 //MochiKit.Logging.logDebug(">>> new DirectLoginReference - record: " + args.record);
        this._user = args.user;
        
        if (args.directLogin != null) {
                this._reference = args.directLogin.reference();
                this._recordReference = args.directLogin.record().reference();
                this._label = args.directLogin.label();
                this._favicon = args.directLogin.favicon() || null;
                this._directLogin = args.directLogin;
                this._record = args.directLogin.record();
        } else {
                this._reference = args.reference;
                this._recordReference = args.record;
                this._label = args.label;
-                this._favicon = args.favicon || null;
+                this._favicon = Clipperz.Base.sanitizeFavicon(args.favicon) || null;
        
                this._directLogin = null;
                this._record = null;
        }
        this._fixedFavicon = null;
        
        return this;
 }
 Clipperz.PM.DataModel.DirectLoginReference.prototype = MochiKit.Base.update(null, {
        'user': function() {
                return this._user;
        },
        
        //-------------------------------------------------------------------------
        'reference': function() {
                return this._reference;
        },
        //-------------------------------------------------------------------------
author	Giulio Cesare Solaroli <giulio.cesare@clipperz.com>	2014-05-02 15:14:18 (UTC)
committer	Giulio Cesare Solaroli <giulio.cesare@clipperz.com>	2014-05-02 15:24:45 (UTC)
commit	ed6b4edc82b0f65c77980713cd525053fcbc1dd2 (patch) (unidiff)
tree	80eb0e6ccfc4efa15c6488cc83448d8a865169df /frontend
parent	03659f6b3d9766898854e8a769c0c9341b3de80c (diff)
download	clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.zip clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.tar.gz clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.tar.bz2