| author | Giulio Cesare Solaroli <giulio.cesare@clipperz.com> | 2014-05-02 15:14:18 (UTC) |
|---|---|---|
| committer | Giulio Cesare Solaroli <giulio.cesare@clipperz.com> | 2014-05-02 15:24:45 (UTC) |
| commit | ed6b4edc82b0f65c77980713cd525053fcbc1dd2 (patch) (side-by-side diff) | |
| tree | 80eb0e6ccfc4efa15c6488cc83448d8a865169df | |
| parent | 03659f6b3d9766898854e8a769c0c9341b3de80c (diff) | |
| download | clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.zip clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.tar.gz clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.tar.bz2 | |
Fixed issues reported by cure53.de
Fixed issues CLP-01-014 and CLP-01-015
5 files changed, 47 insertions, 11 deletions
diff --git a/frontend/beta/js/Clipperz/Base.js b/frontend/beta/js/Clipperz/Base.js index cf40314..1c6faa1 100644 --- a/frontend/beta/js/Clipperz/Base.js +++ b/frontend/beta/js/Clipperz/Base.js @@ -217,64 +217,92 @@ MochiKit.Base.update(Clipperz.Base, { } result = MochiKit.Base.evalJSON(aString); return result; */ // return MochiKit.Base.evalJSON(aString); return JSON2.parse(aString); }, 'serializeJSON': function(anObject) { // return MochiKit.Base.serializeJSON(anObject); return JSON2.stringify(anObject); }, //------------------------------------------------------------------------- 'sanitizeString': function(aValue) { var result; if (Clipperz.Base.objectType(aValue) == 'string') { result = aValue; result = result.replace(/</img,"<"); result = result.replace(/>/img,">"); } else { result = aValue; } return result; }, + 'javascriptInjectionPattern': new RegExp("javascript:\/\/\"", "g"), + + 'sanitizeUrl': function(aValue) { + var result; + + if ((aValue != null) && this.javascriptInjectionPattern.test(aValue)) { + result = aValue.replace(this.javascriptInjectionPattern, ''); + console.log("sanitized url", aValue, result); + } else { + result = aValue; + } + + return result; + }, + + 'sanitizeFavicon': function(aValue) { + var result; + + if ((aValue != null) && this.javascriptInjectionPattern.test(aValue)) { + result = aValue.replace(this.javascriptInjectionPattern, ''); + console.log("sanitized favicon", aValue, result); + } else { + result = aValue; + } + + return result; + }, + //------------------------------------------------------------------------- 'exception': { 'AbstractMethod': new MochiKit.Base.NamedError("Clipperz.Base.exception.AbstractMethod"), 'UnknownType': new MochiKit.Base.NamedError("Clipperz.Base.exception.UnknownType"), 'VulnerabilityIssue': new MochiKit.Base.NamedError("Clipperz.Base.exception.VulnerabilityIssue") }, //------------------------------------------------------------------------- __syntaxFix__: "syntax fix" }); MochiKit.Base.registerComparator('Object dummy comparator', function(a, b) { return ((a.constructor == Object) && (b.constructor == Object)); }, function(a, b) { var result; var aKeys; var bKeys; //MochiKit.Logging.logDebug(">>> comparator"); //MochiKit.Logging.logDebug("- a: " + Clipperz.Base.serializeJSON(a)); //MochiKit.Logging.logDebug("- b: " + Clipperz.Base.serializeJSON(a)); aKeys = MochiKit.Base.keys(a).sort(); bKeys = MochiKit.Base.keys(b).sort(); result = MochiKit.Base.compare(aKeys, bKeys); //if (result != 0) { diff --git a/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js b/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js index 2295d3f..369b9ce 100644 --- a/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js +++ b/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js @@ -109,65 +109,65 @@ Clipperz.PM.BookmarkletProcessor.prototype = MochiKit.Base.update(null, { }, //------------------------------------------------------------------------- 'fields': function() { return this.configuration().form.inputs; }, //------------------------------------------------------------------------- 'editableFields': function() { if (this._editableFields == null) { this._editableFields = MochiKit.Base.filter(function(aField) { var result; var type; type = aField['type'].toLowerCase(); result = ((type != 'hidden') && (type != 'submit') && (type != 'checkbox') && (type != 'radio') && (type != 'select')); return result; }, this.fields()) } return this._editableFields; }, //------------------------------------------------------------------------- 'hostname': function() { if (this._hostname == null) { var actionUrl; - actionUrl = this.configuration()['form']['attributes']['action']; + actionUrl = Clipperz.Base.sanitizeUrl(this.configuration()['form']['attributes']['action']); //MochiKit.Logging.logDebug("+++ actionUrl: " + actionUrl); this._hostname = actionUrl.replace(/^https?:\/\/([^\/]*)\/.*/, '$1'); } return this._hostname; }, 'favicon': function() { if (this._favicon == null) { this._favicon = "http://" + this.hostname() + "/favicon.ico"; //MochiKit.Logging.logDebug("+++ favicon: " + this._favicon); } return this._favicon; }, //------------------------------------------------------------------------- 'record': function() { if (this._record == null) { var record; var recordVersion; var directLogin; var bindings; var i,c; record = new Clipperz.PM.DataModel.Record({ label:this.recordTitle(), notes:"", user:this.user() }); recordVersion = new Clipperz.PM.DataModel.RecordVersion(record, {}) diff --git a/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js b/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js index 0e4640e..a5a4697 100644 --- a/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js +++ b/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js @@ -71,99 +71,99 @@ YAHOO.extendX(Clipperz.PM.Components.RecordDetail.DirectLoginBindingComponent, C //MochiKit.Logging.logDebug("--- DirectLoginBindingComponent.render - 1"); Clipperz.YUI.DomHelper.append(this.element().dom, {tag:'td', cls:'directLoginBindingValueTD', children:[ {tag:'div', id:this.getId('editModeBox'), children:[ {tag:'select', id:this.getId('select'), children:this.recordFieldOptions()} ]}, {tag:'div', id:this.getId('viewModeBox'), children:[ {tag:'span', id:this.getId('viewValue'), html:""} ]} ]}); //MochiKit.Logging.logDebug("--- DirectLoginBindingComponent.render - 2"); this.getElement('editModeBox').setVisibilityMode(YAHOO.ext.Element.DISPLAY); this.getElement('viewModeBox').setVisibilityMode(YAHOO.ext.Element.DISPLAY); this.update(); //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.render"); }, //------------------------------------------------------------------------- 'recordFieldOptions': function() { var result; var option; var recordFieldKey; var recordFields; //MochiKit.Logging.logDebug(">>> DirectLoginBindingComponent.recordFieldOptions"); recordFields = this.directLoginBinding().directLogin().record().currentVersion().fields(); result = []; option = {tag:'option', value:null, html:'---'}; result.push(option); for (recordFieldKey in recordFields) { // TODO: remove the value: field and replace it with element.dom.value = <some value> - option = {tag:'option', value:recordFieldKey, html:recordFields[recordFieldKey].label()} + option = {tag:'option', value:recordFieldKey, html:Clipperz.Base.sanitizeString(recordFields[recordFieldKey].label())} if (recordFieldKey == this.directLoginBinding().fieldKey()) { option['selected'] = true; } result.push(option); } //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.recordFieldOptions"); return result; }, //------------------------------------------------------------------------- 'syncAndUpdateEditMode': function() { this.synchronizeComponentValues(); this.updateEditMode(); }, 'updateEditMode': function() { var selectElementBox; //MochiKit.Logging.logDebug(">>> DirectLoginBindingComponent.updateEditMode"); this.getElement('viewModeBox').hide(); selectElementBox = this.getElement('editModeBox'); selectElementBox.update(""); Clipperz.YUI.DomHelper.append(selectElementBox.dom, {tag:'select', id:this.getId('select'), children:this.recordFieldOptions()}); /* selectElement = this.getElement('select'); selectElement.update(""); MochiKit.Iter.forEach(this.recordFieldOptions(), function(anOption) { Clipperz.YUI.DomHelper.append(selectElement.dom, anOption); }); */ this.getElement('editModeBox').show(); //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.updateEditMode"); }, //------------------------------------------------------------------------- 'updateViewMode': function() { //MochiKit.Logging.logDebug(">>> DirectLoginBindingComponent.updateViewMode"); this.getElement('editModeBox').hide(); this.getElement('viewModeBox').show(); - this.getElement('viewValue').update(this.directLoginBinding().field().label()); + this.getElement('viewValue').update(Clipperz.Base.sanitizeString(this.directLoginBinding().field().label())); //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.updateViewMode"); }, //------------------------------------------------------------------------- 'synchronizeComponentValues': function() { //MochiKit.Logging.logDebug(">>> DirectLoginBindingComponent.synchronizeComponentValues") //MochiKit.Logging.logDebug("--- DirectLoginBindingComponent.synchronizeComponentValues - 1 - " + this.getId('select')); this.directLoginBinding().setFieldKey(this.getDom('select').value); //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.synchronizeComponentValues"); }, //------------------------------------------------------------------------- __syntaxFix__: "syntax fix" }); diff --git a/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js b/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js index c0cfa3c..56d9d59 100644 --- a/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js +++ b/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js @@ -9,163 +9,171 @@ refer to http://www.clipperz.com. * Clipperz is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version. * Clipperz is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. * You should have received a copy of the GNU Affero General Public License along with Clipperz. If not, see http://www.gnu.org/licenses/. */ if (typeof(Clipperz) == 'undefined') { Clipperz = {}; } if (typeof(Clipperz.PM) == 'undefined') { Clipperz.PM = {}; } if (typeof(Clipperz.PM.DataModel) == 'undefined') { Clipperz.PM.DataModel = {}; } //############################################################################# Clipperz.PM.DataModel.DirectLogin = function(args) { //MochiKit.Logging.logDebug(">>> new Clipperz.PM.DataModel.DirectLogin"); //console.log(">>> new Clipperz.PM.DataModel.DirectLogin - args: %o", args); //console.log("--- formData: %s", Clipperz.Base.serializeJSON(args.formData)); args = args || {}; //MochiKit.Logging.logDebug("--- new Clipperz.PM.DataModel.DirectLogin - args: " + Clipperz.Base.serializeJSON(MochiKit.Base.keys(args))); this._record = args.record || null; this._label = args.label || "unnamed record" this._reference = args.reference || Clipperz.PM.Crypto.randomKey(); - this._favicon = args.favicon || null; + this._favicon = Clipperz.Base.sanitizeFavicon(args.favicon) || null; this._bookmarkletVersion = args.bookmarkletVersion || "0.1"; this._directLoginInputs = null; this._formValues = args.formValues || {}; this.setFormData(args.formData || null); //console.log("=== formData: %o", this.formData()); if (args.legacyBindingData == null) { this.setBindingData(args.bindingData || null); } else { this.setLegacyBindingData(args.legacyBindingData); } this._fixedFavicon = null; // this._formValues = args.formValues || (this.hasValuesToSet() ? {} : null); //MochiKit.Logging.logDebug("<<< new Clipperz.PM.DataModel.DirectLogin"); return this; } Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, { 'remove': function() { this.record().removeDirectLogin(this); }, //------------------------------------------------------------------------- 'record': function() { return this._record; }, //------------------------------------------------------------------------- 'user': function() { return this.record().user(); }, //------------------------------------------------------------------------- 'reference': function() { return this._reference; }, //------------------------------------------------------------------------- 'label': function() { return this._label; }, 'setLabel': function(aValue) { this._label = aValue; }, //------------------------------------------------------------------------- 'favicon': function() { if (this._favicon == null) { var actionUrl; var hostname; - actionUrl = this.formData()['attributes']['action']; + actionUrl = this.action(); hostname = actionUrl.replace(/^https?:\/\/([^\/]*)\/.*/, '$1'); - this._favicon = "http://" + hostname + "/favicon.ico"; + this._favicon = Clipperz.Base.sanitizeFavicon("http://" + hostname + "/favicon.ico"); } return this._favicon; }, //------------------------------------------------------------------------- 'fixedFavicon': function() { var result; if (this._fixedFavicon == null) { result = this.favicon(); if (Clipperz_IEisBroken) { if (this.user().preferences().disableUnsecureFaviconLoadingForIE()) { if (result.indexOf('https://') != 0) { result = Clipperz.PM.Strings['defaultFaviconUrl_IE']; this.setFixedFavicon(result); } } } } else { result = this._fixedFavicon; } return result; }, 'setFixedFavicon': function(aValue) { this._fixedFavicon = aValue; }, + 'action': function () { + var result; + + result = Clipperz.Base.sanitizeUrl(this.formData()['attributes']['action']); + + return result; + }, + //------------------------------------------------------------------------- 'bookmarkletVersion': function() { return this._bookmarkletVersion; }, 'setBookmarkletVersion': function(aValue) { this._bookmarkletVersion = aValue; }, //------------------------------------------------------------------------- 'formData': function() { return this._formData; }, 'setFormData': function(aValue) { var formData; //MochiKit.Logging.logDebug(">>> DirectLogin.setFormData - " + Clipperz.Base.serializeJSON(aValue)); switch (this.bookmarkletVersion()) { case "0.2": formData = aValue; break; case "0.1": //MochiKit.Logging.logDebug("--- DirectLogin.setFormData - fixing form data from bookmarklet version 0.1"); formData = this.fixFormDataFromBookmarkletVersion_0_1(aValue); break; } this._formData = aValue; this.setBookmarkletVersion("0.2"); @@ -413,112 +421,112 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, { completeUrl = url; } else { var username; var password; username = this.bindings()['username'].field().value(); password = this.bindings()['password'].field().value(); /(^https?\:\/\/)?(.*)/.test(url); completeUrl = RegExp.$1 + username + ':' + password + '@' + RegExp.$2; } MochiKit.DOM.currentWindow().location.href = completeUrl; }, this)); }, //------------------------------------------------------------------------- 'runSubmitFormDirectLogin': function(aWindow) { MochiKit.DOM.withWindow(aWindow, MochiKit.Base.bind(function() { var formElement; var formSubmitFunction; var submitButtons; //MochiKit.Logging.logDebug("### runDirectLogin - 3"); // MochiKit.DOM.currentDocument().write('<html><head><title>' + this.label() + '</title><META http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body></body></html>') //MochiKit.Logging.logDebug("### runDirectLogin - 3.1"); MochiKit.DOM.appendChildNodes(MochiKit.DOM.currentDocument().body, MochiKit.DOM.H3(null, "Loading " + this.label() + " ...")); //MochiKit.Logging.logDebug("### runDirectLogin - 4"); //console.log(this.formData()['attributes']); formElement = MochiKit.DOM.FORM(MochiKit.Base.update({id:'directLoginForm'}, { 'method':this.formData()['attributes']['method'], - 'action':this.formData()['attributes']['action']})); + 'action': this.action()})); //MochiKit.Logging.logDebug("### runDirectLogin - 5"); formSubmitFunction = MochiKit.Base.method(formElement, 'submit'); //MochiKit.Logging.logDebug("### runDirectLogin - 6"); MochiKit.DOM.appendChildNodes(MochiKit.DOM.currentDocument().body, MochiKit.DOM.DIV({style:'display:none; visibility:hidden;'}, formElement) ); //MochiKit.Logging.logDebug("### runDirectLogin - 7"); MochiKit.DOM.appendChildNodes(formElement, MochiKit.Base.map( MochiKit.Base.methodcaller("formConfiguration"), this.directLoginInputs())); //MochiKit.Logging.logDebug("### runDirectLogin - 8"); submitButtons = MochiKit.Base.filter(function(anInputElement) { //MochiKit.Logging.logDebug("### runDirectLogin - 8.1 - " + anInputElement); //MochiKit.Logging.logDebug("### runDirectLogin - 8.2 - " + anInputElement.tagName); //MochiKit.Logging.logDebug("### runDirectLogin - 8.3 - " + anInputElement.getAttribute('type')); return ((anInputElement.tagName.toLowerCase() == 'input') && (anInputElement.getAttribute('type').toLowerCase() == 'submit')); }, formElement.elements) //MochiKit.Logging.logDebug("### runDirectLogin - 9"); if (submitButtons.length == 0) { //MochiKit.Logging.logDebug("### OLD submit") if (Clipperz_IEisBroken == true) { //MochiKit.Logging.logDebug("### runDirectLogin - 10"); formElement.submit(); } else { //MochiKit.Logging.logDebug("### runDirectLogin - 11"); formSubmitFunction(); } } else { //MochiKit.Logging.logDebug("### NEW submit") submitButtons[0].click(); } }, this)); }, //------------------------------------------------------------------------- 'runDirectLogin': function(aNewWindow) { var newWindow; //console.log("formData.attributes", this.formData()['attributes']); // if (/^javascript/.test(this.formData()['attributes']['action'])) { - if ((/^(https?|webdav|ftp)\:/.test(this.formData()['attributes']['action']) == false) && - (this.formData()['attributes']['type'] != 'http_auth')) - { + if ((/^(https?|webdav|ftp)\:/.test(this.action()) == false) && + (this.formData()['attributes']['type'] != 'http_auth') + ) { var messageBoxConfiguration; if (typeof(aNewWindow) != 'undefined') { aNewWindow.close(); } messageBoxConfiguration = {}; messageBoxConfiguration.title = Clipperz.PM.Strings['VulnerabilityWarning_Panel_title']; messageBoxConfiguration.msg = Clipperz.PM.Strings['VulnerabilityWarning_Panel_message']; messageBoxConfiguration.animEl = YAHOO.ext.Element.get("mainDiv"); messageBoxConfiguration.progress = false; messageBoxConfiguration.closable = false; messageBoxConfiguration.buttons = {'cancel': Clipperz.PM.Strings['VulnerabilityWarning_Panel_buttonLabel']}; Clipperz.YUI.MessageBox.show(messageBoxConfiguration); throw Clipperz.Base.exception.VulnerabilityIssue; } //MochiKit.Logging.logDebug("### runDirectLogin - 1 : " + Clipperz.Base.serializeJSON(this.serializedData())); if (typeof(aNewWindow) == 'undefined') { newWindow = window.open(Clipperz.PM.Strings['directLoginJumpPageUrl'], ""); } else { newWindow = aNewWindow; } //MochiKit.Logging.logDebug("### runDirectLogin - 2"); if (this.formData()['attributes']['type'] == 'http_auth') { this.runHttpAuthDirectLogin(newWindow); } else { this.runSubmitFormDirectLogin(newWindow) } diff --git a/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js b/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js index 236d7c9..ba302da 100644 --- a/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js +++ b/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js @@ -18,65 +18,65 @@ refer to http://www.clipperz.com. * You should have received a copy of the GNU Affero General Public License along with Clipperz. If not, see http://www.gnu.org/licenses/. */ if (typeof(Clipperz) == 'undefined') { Clipperz = {}; } if (typeof(Clipperz.PM) == 'undefined') { Clipperz.PM = {}; } if (typeof(Clipperz.PM.DataModel) == 'undefined') { Clipperz.PM.DataModel = {}; } //############################################################################# Clipperz.PM.DataModel.DirectLoginReference = function(args) { args = args || {}; //MochiKit.Logging.logDebug(">>> new DirectLoginReference: " + Clipperz.Base.serializeJSON(MochiKit.Base.keys(args))); //MochiKit.Logging.logDebug(">>> new DirectLoginReference - record: " + args.record); this._user = args.user; if (args.directLogin != null) { this._reference = args.directLogin.reference(); this._recordReference = args.directLogin.record().reference(); this._label = args.directLogin.label(); this._favicon = args.directLogin.favicon() || null; this._directLogin = args.directLogin; this._record = args.directLogin.record(); } else { this._reference = args.reference; this._recordReference = args.record; this._label = args.label; - this._favicon = args.favicon || null; + this._favicon = Clipperz.Base.sanitizeFavicon(args.favicon) || null; this._directLogin = null; this._record = null; } this._fixedFavicon = null; return this; } Clipperz.PM.DataModel.DirectLoginReference.prototype = MochiKit.Base.update(null, { 'user': function() { return this._user; }, //------------------------------------------------------------------------- 'reference': function() { return this._reference; }, //------------------------------------------------------------------------- 'synchronizeValues': function(aDirectLogin) { this._label = aDirectLogin.label(); this._favicon = aDirectLogin.favicon(); }, //------------------------------------------------------------------------- 'label': function() { |