| author | Giulio Cesare Solaroli <giulio.cesare@clipperz.com> | 2014-05-02 15:14:18 (UTC) |
|---|---|---|
| committer | Giulio Cesare Solaroli <giulio.cesare@clipperz.com> | 2014-05-02 15:24:45 (UTC) |
| commit | ed6b4edc82b0f65c77980713cd525053fcbc1dd2 (patch) (unidiff) | |
| tree | 80eb0e6ccfc4efa15c6488cc83448d8a865169df | |
| parent | 03659f6b3d9766898854e8a769c0c9341b3de80c (diff) | |
| download | clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.zip clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.tar.gz clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.tar.bz2 | |
Fixed issues reported by cure53.de
Fixed issues CLP-01-014 and CLP-01-015
5 files changed, 47 insertions, 11 deletions
diff --git a/frontend/beta/js/Clipperz/Base.js b/frontend/beta/js/Clipperz/Base.js index cf40314..1c6faa1 100644 --- a/frontend/beta/js/Clipperz/Base.js +++ b/frontend/beta/js/Clipperz/Base.js | |||
| @@ -243,12 +243,40 @@ MochiKit.Base.update(Clipperz.Base, { | |||
| 243 | result = aValue; | 243 | result = aValue; |
| 244 | } | 244 | } |
| 245 | 245 | ||
| 246 | return result; | 246 | return result; |
| 247 | }, | 247 | }, |
| 248 | 248 | ||
| 249 | 'javascriptInjectionPattern': new RegExp("javascript:\/\/\"", "g"), | ||
| 250 | |||
| 251 | 'sanitizeUrl': function(aValue) { | ||
| 252 | varresult; | ||
| 253 | |||
| 254 | if ((aValue != null) && this.javascriptInjectionPattern.test(aValue)) { | ||
| 255 | result = aValue.replace(this.javascriptInjectionPattern, ''); | ||
| 256 | console.log("sanitized url", aValue, result); | ||
| 257 | } else { | ||
| 258 | result = aValue; | ||
| 259 | } | ||
| 260 | |||
| 261 | return result; | ||
| 262 | }, | ||
| 263 | |||
| 264 | 'sanitizeFavicon': function(aValue) { | ||
| 265 | varresult; | ||
| 266 | |||
| 267 | if ((aValue != null) && this.javascriptInjectionPattern.test(aValue)) { | ||
| 268 | result = aValue.replace(this.javascriptInjectionPattern, ''); | ||
| 269 | console.log("sanitized favicon", aValue, result); | ||
| 270 | } else { | ||
| 271 | result = aValue; | ||
| 272 | } | ||
| 273 | |||
| 274 | return result; | ||
| 275 | }, | ||
| 276 | |||
| 249 | //------------------------------------------------------------------------- | 277 | //------------------------------------------------------------------------- |
| 250 | 278 | ||
| 251 | 'exception': { | 279 | 'exception': { |
| 252 | 'AbstractMethod': new MochiKit.Base.NamedError("Clipperz.Base.exception.AbstractMethod"), | 280 | 'AbstractMethod': new MochiKit.Base.NamedError("Clipperz.Base.exception.AbstractMethod"), |
| 253 | 'UnknownType': new MochiKit.Base.NamedError("Clipperz.Base.exception.UnknownType"), | 281 | 'UnknownType': new MochiKit.Base.NamedError("Clipperz.Base.exception.UnknownType"), |
| 254 | 'VulnerabilityIssue':new MochiKit.Base.NamedError("Clipperz.Base.exception.VulnerabilityIssue") | 282 | 'VulnerabilityIssue':new MochiKit.Base.NamedError("Clipperz.Base.exception.VulnerabilityIssue") |
diff --git a/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js b/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js index 2295d3f..369b9ce 100644 --- a/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js +++ b/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js | |||
| @@ -135,13 +135,13 @@ Clipperz.PM.BookmarkletProcessor.prototype = MochiKit.Base.update(null, { | |||
| 135 | //------------------------------------------------------------------------- | 135 | //------------------------------------------------------------------------- |
| 136 | 136 | ||
| 137 | 'hostname': function() { | 137 | 'hostname': function() { |
| 138 | if (this._hostname == null) { | 138 | if (this._hostname == null) { |
| 139 | var actionUrl; | 139 | var actionUrl; |
| 140 | 140 | ||
| 141 | actionUrl = this.configuration()['form']['attributes']['action']; | 141 | actionUrl = Clipperz.Base.sanitizeUrl(this.configuration()['form']['attributes']['action']); |
| 142 | //MochiKit.Logging.logDebug("+++ actionUrl: " + actionUrl); | 142 | //MochiKit.Logging.logDebug("+++ actionUrl: " + actionUrl); |
| 143 | this._hostname = actionUrl.replace(/^https?:\/\/([^\/]*)\/.*/, '$1'); | 143 | this._hostname = actionUrl.replace(/^https?:\/\/([^\/]*)\/.*/, '$1'); |
| 144 | } | 144 | } |
| 145 | 145 | ||
| 146 | return this._hostname; | 146 | return this._hostname; |
| 147 | }, | 147 | }, |
diff --git a/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js b/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js index 0e4640e..a5a4697 100644 --- a/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js +++ b/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js | |||
| @@ -97,13 +97,13 @@ YAHOO.extendX(Clipperz.PM.Components.RecordDetail.DirectLoginBindingComponent, C | |||
| 97 | recordFields = this.directLoginBinding().directLogin().record().currentVersion().fields(); | 97 | recordFields = this.directLoginBinding().directLogin().record().currentVersion().fields(); |
| 98 | result = []; | 98 | result = []; |
| 99 | option = {tag:'option', value:null, html:'---'}; | 99 | option = {tag:'option', value:null, html:'---'}; |
| 100 | result.push(option); | 100 | result.push(option); |
| 101 | for (recordFieldKey in recordFields) { | 101 | for (recordFieldKey in recordFields) { |
| 102 | //TODO: remove the value: field and replace it with element.dom.value = <some value> | 102 | //TODO: remove the value: field and replace it with element.dom.value = <some value> |
| 103 | option = {tag:'option', value:recordFieldKey, html:recordFields[recordFieldKey].label()} | 103 | option = {tag:'option', value:recordFieldKey, html:Clipperz.Base.sanitizeString(recordFields[recordFieldKey].label())} |
| 104 | if (recordFieldKey == this.directLoginBinding().fieldKey()) { | 104 | if (recordFieldKey == this.directLoginBinding().fieldKey()) { |
| 105 | option['selected'] = true; | 105 | option['selected'] = true; |
| 106 | } | 106 | } |
| 107 | result.push(option); | 107 | result.push(option); |
| 108 | } | 108 | } |
| 109 | //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.recordFieldOptions"); | 109 | //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.recordFieldOptions"); |
| @@ -147,13 +147,13 @@ YAHOO.extendX(Clipperz.PM.Components.RecordDetail.DirectLoginBindingComponent, C | |||
| 147 | 147 | ||
| 148 | 'updateViewMode': function() { | 148 | 'updateViewMode': function() { |
| 149 | //MochiKit.Logging.logDebug(">>> DirectLoginBindingComponent.updateViewMode"); | 149 | //MochiKit.Logging.logDebug(">>> DirectLoginBindingComponent.updateViewMode"); |
| 150 | this.getElement('editModeBox').hide(); | 150 | this.getElement('editModeBox').hide(); |
| 151 | this.getElement('viewModeBox').show(); | 151 | this.getElement('viewModeBox').show(); |
| 152 | 152 | ||
| 153 | this.getElement('viewValue').update(this.directLoginBinding().field().label()); | 153 | this.getElement('viewValue').update(Clipperz.Base.sanitizeString(this.directLoginBinding().field().label())); |
| 154 | //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.updateViewMode"); | 154 | //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.updateViewMode"); |
| 155 | }, | 155 | }, |
| 156 | 156 | ||
| 157 | //------------------------------------------------------------------------- | 157 | //------------------------------------------------------------------------- |
| 158 | 158 | ||
| 159 | 'synchronizeComponentValues': function() { | 159 | 'synchronizeComponentValues': function() { |
diff --git a/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js b/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js index c0cfa3c..56d9d59 100644 --- a/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js +++ b/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js | |||
| @@ -35,13 +35,13 @@ Clipperz.PM.DataModel.DirectLogin = function(args) { | |||
| 35 | args = args || {}; | 35 | args = args || {}; |
| 36 | 36 | ||
| 37 | //MochiKit.Logging.logDebug("--- new Clipperz.PM.DataModel.DirectLogin - args: " + Clipperz.Base.serializeJSON(MochiKit.Base.keys(args))); | 37 | //MochiKit.Logging.logDebug("--- new Clipperz.PM.DataModel.DirectLogin - args: " + Clipperz.Base.serializeJSON(MochiKit.Base.keys(args))); |
| 38 | this._record = args.record || null; | 38 | this._record = args.record || null; |
| 39 | this._label = args.label || "unnamed record" | 39 | this._label = args.label || "unnamed record" |
| 40 | this._reference = args.reference || Clipperz.PM.Crypto.randomKey(); | 40 | this._reference = args.reference || Clipperz.PM.Crypto.randomKey(); |
| 41 | this._favicon = args.favicon || null; | 41 | this._favicon = Clipperz.Base.sanitizeFavicon(args.favicon) || null; |
| 42 | this._bookmarkletVersion = args.bookmarkletVersion || "0.1"; | 42 | this._bookmarkletVersion = args.bookmarkletVersion || "0.1"; |
| 43 | 43 | ||
| 44 | this._directLoginInputs = null; | 44 | this._directLoginInputs = null; |
| 45 | 45 | ||
| 46 | this._formValues = args.formValues || {}; | 46 | this._formValues = args.formValues || {}; |
| 47 | this.setFormData(args.formData || null); | 47 | this.setFormData(args.formData || null); |
| @@ -99,15 +99,15 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, { | |||
| 99 | 99 | ||
| 100 | 'favicon': function() { | 100 | 'favicon': function() { |
| 101 | if (this._favicon == null) { | 101 | if (this._favicon == null) { |
| 102 | varactionUrl; | 102 | varactionUrl; |
| 103 | var hostname; | 103 | var hostname; |
| 104 | 104 | ||
| 105 | actionUrl = this.formData()['attributes']['action']; | 105 | actionUrl = this.action(); |
| 106 | hostname = actionUrl.replace(/^https?:\/\/([^\/]*)\/.*/, '$1'); | 106 | hostname = actionUrl.replace(/^https?:\/\/([^\/]*)\/.*/, '$1'); |
| 107 | this._favicon = "http://" + hostname + "/favicon.ico"; | 107 | this._favicon = Clipperz.Base.sanitizeFavicon("http://" + hostname + "/favicon.ico"); |
| 108 | } | 108 | } |
| 109 | 109 | ||
| 110 | return this._favicon; | 110 | return this._favicon; |
| 111 | }, | 111 | }, |
| 112 | 112 | ||
| 113 | //------------------------------------------------------------------------- | 113 | //------------------------------------------------------------------------- |
| @@ -134,12 +134,20 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, { | |||
| 134 | }, | 134 | }, |
| 135 | 135 | ||
| 136 | 'setFixedFavicon': function(aValue) { | 136 | 'setFixedFavicon': function(aValue) { |
| 137 | this._fixedFavicon = aValue; | 137 | this._fixedFavicon = aValue; |
| 138 | }, | 138 | }, |
| 139 | 139 | ||
| 140 | 'action': function () { | ||
| 141 | varresult; | ||
| 142 | |||
| 143 | result = Clipperz.Base.sanitizeUrl(this.formData()['attributes']['action']); | ||
| 144 | |||
| 145 | return result; | ||
| 146 | }, | ||
| 147 | |||
| 140 | //------------------------------------------------------------------------- | 148 | //------------------------------------------------------------------------- |
| 141 | 149 | ||
| 142 | 'bookmarkletVersion': function() { | 150 | 'bookmarkletVersion': function() { |
| 143 | return this._bookmarkletVersion; | 151 | return this._bookmarkletVersion; |
| 144 | }, | 152 | }, |
| 145 | 153 | ||
| @@ -439,13 +447,13 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, { | |||
| 439 | // MochiKit.DOM.currentDocument().write('<html><head><title>' + this.label() + '</title><META http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body></body></html>') | 447 | // MochiKit.DOM.currentDocument().write('<html><head><title>' + this.label() + '</title><META http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body></body></html>') |
| 440 | //MochiKit.Logging.logDebug("### runDirectLogin - 3.1"); | 448 | //MochiKit.Logging.logDebug("### runDirectLogin - 3.1"); |
| 441 | MochiKit.DOM.appendChildNodes(MochiKit.DOM.currentDocument().body, MochiKit.DOM.H3(null, "Loading " + this.label() + " ...")); | 449 | MochiKit.DOM.appendChildNodes(MochiKit.DOM.currentDocument().body, MochiKit.DOM.H3(null, "Loading " + this.label() + " ...")); |
| 442 | //MochiKit.Logging.logDebug("### runDirectLogin - 4"); | 450 | //MochiKit.Logging.logDebug("### runDirectLogin - 4"); |
| 443 | //console.log(this.formData()['attributes']); | 451 | //console.log(this.formData()['attributes']); |
| 444 | formElement = MochiKit.DOM.FORM(MochiKit.Base.update({id:'directLoginForm'}, {'method':this.formData()['attributes']['method'], | 452 | formElement = MochiKit.DOM.FORM(MochiKit.Base.update({id:'directLoginForm'}, {'method':this.formData()['attributes']['method'], |
| 445 | 'action':this.formData()['attributes']['action']})); | 453 | 'action': this.action()})); |
| 446 | //MochiKit.Logging.logDebug("### runDirectLogin - 5"); | 454 | //MochiKit.Logging.logDebug("### runDirectLogin - 5"); |
| 447 | formSubmitFunction = MochiKit.Base.method(formElement, 'submit'); | 455 | formSubmitFunction = MochiKit.Base.method(formElement, 'submit'); |
| 448 | //MochiKit.Logging.logDebug("### runDirectLogin - 6"); | 456 | //MochiKit.Logging.logDebug("### runDirectLogin - 6"); |
| 449 | 457 | ||
| 450 | MochiKit.DOM.appendChildNodes(MochiKit.DOM.currentDocument().body, | 458 | MochiKit.DOM.appendChildNodes(MochiKit.DOM.currentDocument().body, |
| 451 | MochiKit.DOM.DIV({style:'display:none; visibility:hidden;'}, formElement) | 459 | MochiKit.DOM.DIV({style:'display:none; visibility:hidden;'}, formElement) |
| @@ -484,15 +492,15 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, { | |||
| 484 | 492 | ||
| 485 | 'runDirectLogin': function(aNewWindow) { | 493 | 'runDirectLogin': function(aNewWindow) { |
| 486 | varnewWindow; | 494 | varnewWindow; |
| 487 | 495 | ||
| 488 | //console.log("formData.attributes", this.formData()['attributes']); | 496 | //console.log("formData.attributes", this.formData()['attributes']); |
| 489 | // if (/^javascript/.test(this.formData()['attributes']['action'])) { | 497 | // if (/^javascript/.test(this.formData()['attributes']['action'])) { |
| 490 | if ((/^(https?|webdav|ftp)\:/.test(this.formData()['attributes']['action']) == false) && | 498 | if ((/^(https?|webdav|ftp)\:/.test(this.action()) == false) && |
| 491 | (this.formData()['attributes']['type'] != 'http_auth')) | 499 | (this.formData()['attributes']['type'] != 'http_auth') |
| 492 | { | 500 | ) { |
| 493 | var messageBoxConfiguration; | 501 | var messageBoxConfiguration; |
| 494 | 502 | ||
| 495 | if (typeof(aNewWindow) != 'undefined') { | 503 | if (typeof(aNewWindow) != 'undefined') { |
| 496 | aNewWindow.close(); | 504 | aNewWindow.close(); |
| 497 | } | 505 | } |
| 498 | 506 | ||
diff --git a/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js b/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js index 236d7c9..ba302da 100644 --- a/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js +++ b/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js | |||
| @@ -44,13 +44,13 @@ Clipperz.PM.DataModel.DirectLoginReference = function(args) { | |||
| 44 | this._directLogin = args.directLogin; | 44 | this._directLogin = args.directLogin; |
| 45 | this._record = args.directLogin.record(); | 45 | this._record = args.directLogin.record(); |
| 46 | } else { | 46 | } else { |
| 47 | this._reference = args.reference; | 47 | this._reference = args.reference; |
| 48 | this._recordReference = args.record; | 48 | this._recordReference = args.record; |
| 49 | this._label = args.label; | 49 | this._label = args.label; |
| 50 | this._favicon = args.favicon || null; | 50 | this._favicon = Clipperz.Base.sanitizeFavicon(args.favicon) || null; |
| 51 | 51 | ||
| 52 | this._directLogin = null; | 52 | this._directLogin = null; |
| 53 | this._record = null; | 53 | this._record = null; |
| 54 | } | 54 | } |
| 55 | 55 | ||
| 56 | this._fixedFavicon = null; | 56 | this._fixedFavicon = null; |