Merge lp://staging/~henninge/launchpad/devel-744204-escaping-soyuz-base into lp://staging/launchpad
Status: | Merged |
---|---|
Approved by: | Robert Collins |
Approved revision: | no longer in the source branch. |
Merged at revision: | 12796 |
Proposed branch: | lp://staging/~henninge/launchpad/devel-744204-escaping-soyuz-base |
Merge into: | lp://staging/launchpad |
Diff against target: |
156 lines (+21/-31) 4 files modified
lib/lp/registry/javascript/distroseriesdifferences_details.js (+10/-12) lib/lp/soyuz/javascript/base.js (+9/-17) lib/lp/soyuz/templates/archive-macros.pt (+1/-1) lib/lp/soyuz/templates/archive-packages.pt (+1/-1) |
To merge this branch: | bzr merge lp://staging/~henninge/launchpad/devel-744204-escaping-soyuz-base |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Robert Collins (community) | Approve | ||
William Grant | code* | Approve | |
Review via email:
|
Commit message
[r=lifeless,
Description of the change
= Summary =
The javascript code in Y.lp.soyuz.base was not safe against xss
attacks becuse it set innerHTML to values of unknown origin. One of
the call sites actually passes in response.
the attack vectors wgrant described.
== Proposed fix ==
Use string templates and DOM manipulation to create the markup. Most
importantly use set('text', text) to insert the text passed in. This
way it is escaped properly.
== Pre-implementation notes ==
I'd call wgrants email about xss attacks a pre-imp discussion. ;-)
== Implementation details ==
In distroseriesdif
parameters passed into the vulnurable functions to relieve the danger.
Those could now be removed.
Between JSLINT and me we found some dodgy js code which I fixed along
the way.
== Tests ==
As this is a pure refactoring, no tests needed to be changed or added.
The WindmillLayer tests are currently not working on natty but the
relevant js unit test can be run like this:
firefox lib/lp/
== Demo and Q/A ==
I tried it out locally on
https:/
There is a spinner while the archive size is retrieved and an error
message when it fails. I triggered that by halting the execution in
the debugger and stopping the dev server underneath it. Not sure how
to reproduce that for Q/A. Take down my network?
= Launchpad lint =
Checking for conflicts and issues in changed files.
Linting changed files:
lib/lp/
lib/lp/
lib/lp/
lib/lp/
./lib/lp/
37: Expected '===' and instead saw '=='.
39: Expected '===' and instead saw '=='.
57: Expected '===' and instead saw '=='.
247: 'get_extra_
266: Expected an identifier and instead saw 'arguments' (a reserved word).
285: Expected '===' and instead saw '=='.
334: Move 'var' declarations to the top of the function.
334: Stopping. (59% scanned).
0: JSLINT had a fatal error.
While there was no vulnerability before (responseText was escaped), this is much cleaner!
I see further potential for cleanup in makeFailureNode. You can YUI calls something like this:
var retry_link = failure_ message. one('a' )
.addClass( 'update- retry')
.set(' href', '')
.set(' innerHTML' , 'Retry')
.set(' text', 'Retry')
.on('click' , handler);