Fixed issues reported by cure53.de

Fixed issues CLP-01-014 and CLP-01-015
author: Giulio Cesare Solaroli <giulio.cesare@clipperz.com> 2014-05-02 15:14:18 (UTC)
committer: Giulio Cesare Solaroli <giulio.cesare@clipperz.com> 2014-05-02 15:24:45 (UTC)
commit: ed6b4edc82b0f65c77980713cd525053fcbc1dd2 (patch) (unidiff)
tree: 80eb0e6ccfc4efa15c6488cc83448d8a865169df /frontend
parent: 03659f6b3d9766898854e8a769c0c9341b3de80c (diff)
download: clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.zip
clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.tar.gz
clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.tar.bz2
5 files changed, 47 insertions, 11 deletions
diff --git a/frontend/beta/js/Clipperz/Base.js b/frontend/beta/js/Clipperz/Base.js
index cf40314..1c6faa1 100644
--- a/frontend/beta/js/Clipperz/Base.js
+++ b/frontend/beta/js/Clipperz/Base.js
@@ -233,32 +233,60 @@ MochiKit.Base.update(Clipperz.Base, {
        //-------------------------------------------------------------------------
        'sanitizeString': function(aValue) {
                var result;
                
                if (Clipperz.Base.objectType(aValue) == 'string') {
                        result = aValue;
                        result = result.replace(/</img,"&lt;");
                        result = result.replace(/>/img,"&gt;");
                } else {
                        result = aValue;
                }
                
                return result;
        },
+        'javascriptInjectionPattern': new RegExp("javascript:\/\/\"", "g"),
+        
+        'sanitizeUrl': function(aValue) {
+                        varresult;
+                
+                if ((aValue != null) && this.javascriptInjectionPattern.test(aValue)) {
+                        result = aValue.replace(this.javascriptInjectionPattern, '');
+                        console.log("sanitized url", aValue, result);
+                } else {
+                        result = aValue;
+                }
+                return result;
+        },
+        'sanitizeFavicon': function(aValue) {
+                        varresult;
+                
+                if ((aValue != null) && this.javascriptInjectionPattern.test(aValue)) {
+                        result = aValue.replace(this.javascriptInjectionPattern, '');
+                        console.log("sanitized favicon", aValue, result);
+                } else {
+                        result = aValue;
+                }
+                return result;
+        },
        //-------------------------------------------------------------------------
        'exception': {
                        'AbstractMethod':       new MochiKit.Base.NamedError("Clipperz.Base.exception.AbstractMethod"),
                        'UnknownType':          new MochiKit.Base.NamedError("Clipperz.Base.exception.UnknownType"),
                        'VulnerabilityIssue':new MochiKit.Base.NamedError("Clipperz.Base.exception.VulnerabilityIssue") 
        },
        //-------------------------------------------------------------------------
        __syntaxFix__: "syntax fix"
 });
 MochiKit.Base.registerComparator('Object dummy comparator',
diff --git a/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js b/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js
index 2295d3f..369b9ce 100644
--- a/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js
+++ b/frontend/beta/js/Clipperz/PM/BookmarkletProcessor.js
@@ -125,33 +125,33 @@ Clipperz.PM.BookmarkletProcessor.prototype = MochiKit.Base.update(null, {
                                type = aField['type'].toLowerCase();
                                result = ((type != 'hidden') && (type != 'submit') && (type != 'checkbox') && (type != 'radio') && (type != 'select'));
                
                                return result;
                        }, this.fields())
                }
                
                return this._editableFields;
        },
        //-------------------------------------------------------------------------
        'hostname': function() {
                if (this._hostname == null) {
                        var actionUrl;
                        
-                        actionUrl = this.configuration()['form']['attributes']['action'];
+                        actionUrl = Clipperz.Base.sanitizeUrl(this.configuration()['form']['attributes']['action']);
 //MochiKit.Logging.logDebug("+++ actionUrl: " + actionUrl);
                        this._hostname = actionUrl.replace(/^https?:\/\/([^\/]*)\/.*/, '$1');
                }
                
                return this._hostname;
        },
        
        'favicon': function() {
                if (this._favicon == null) {
                        this._favicon = "http://" + this.hostname() + "/favicon.ico";
 //MochiKit.Logging.logDebug("+++ favicon: " + this._favicon);
                }
                
                return this._favicon;
        },
        
diff --git a/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js b/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js
index 0e4640e..a5a4697 100644
--- a/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js
+++ b/frontend/beta/js/Clipperz/PM/Components/RecordDetail/DirectLoginBindingComponent.js
@@ -87,33 +87,33 @@ YAHOO.extendX(Clipperz.PM.Components.RecordDetail.DirectLoginBindingComponent, C
        //-------------------------------------------------------------------------
        'recordFieldOptions': function() {
                        varresult;
                var option;
                        varrecordFieldKey;
                        varrecordFields;
 //MochiKit.Logging.logDebug(">>> DirectLoginBindingComponent.recordFieldOptions");
                recordFields = this.directLoginBinding().directLogin().record().currentVersion().fields();
                result = [];
                option = {tag:'option', value:null, html:'---'};
                result.push(option);
                for (recordFieldKey in recordFields) {
        //TODO: remove the value: field and replace it with element.dom.value = <some value>
-                        option = {tag:'option', value:recordFieldKey, html:recordFields[recordFieldKey].label()}
+                        option = {tag:'option', value:recordFieldKey, html:Clipperz.Base.sanitizeString(recordFields[recordFieldKey].label())}
                        if (recordFieldKey == this.directLoginBinding().fieldKey()) {
                                option['selected'] = true;
                        }
                        result.push(option);
                }
 //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.recordFieldOptions");
                
                return result;
        },
        //-------------------------------------------------------------------------
        'syncAndUpdateEditMode': function() {
                this.synchronizeComponentValues();
                this.updateEditMode();
        },
@@ -137,33 +137,33 @@ YAHOO.extendX(Clipperz.PM.Components.RecordDetail.DirectLoginBindingComponent, C
                        Clipperz.YUI.DomHelper.append(selectElement.dom, anOption);
                });
 */
                this.getElement('editModeBox').show();
 //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.updateEditMode");
        },
        
        //-------------------------------------------------------------------------
        'updateViewMode': function() {
 //MochiKit.Logging.logDebug(">>> DirectLoginBindingComponent.updateViewMode");
                this.getElement('editModeBox').hide();
                this.getElement('viewModeBox').show();
-                this.getElement('viewValue').update(this.directLoginBinding().field().label());
+                this.getElement('viewValue').update(Clipperz.Base.sanitizeString(this.directLoginBinding().field().label()));
 //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.updateViewMode");
        },
        //-------------------------------------------------------------------------
        'synchronizeComponentValues': function() {
 //MochiKit.Logging.logDebug(">>> DirectLoginBindingComponent.synchronizeComponentValues")
 //MochiKit.Logging.logDebug("--- DirectLoginBindingComponent.synchronizeComponentValues - 1 - " + this.getId('select'));
                this.directLoginBinding().setFieldKey(this.getDom('select').value);
 //MochiKit.Logging.logDebug("<<< DirectLoginBindingComponent.synchronizeComponentValues");
        },
        //-------------------------------------------------------------------------
        __syntaxFix__: "syntax fix"
 });
diff --git a/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js b/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js
index c0cfa3c..56d9d59 100644
--- a/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js
+++ b/frontend/beta/js/Clipperz/PM/DataModel/DirectLogin.js
@@ -25,33 +25,33 @@ if (typeof(Clipperz) == 'undefined') { Clipperz = {}; }
 if (typeof(Clipperz.PM) == 'undefined') { Clipperz.PM = {}; }
 if (typeof(Clipperz.PM.DataModel) == 'undefined') { Clipperz.PM.DataModel = {}; }
 //#############################################################################
 Clipperz.PM.DataModel.DirectLogin = function(args) {
 //MochiKit.Logging.logDebug(">>> new Clipperz.PM.DataModel.DirectLogin");
 //console.log(">>> new Clipperz.PM.DataModel.DirectLogin - args: %o", args);
 //console.log("--- formData: %s", Clipperz.Base.serializeJSON(args.formData));
        args = args || {};
 //MochiKit.Logging.logDebug("--- new Clipperz.PM.DataModel.DirectLogin - args: " + Clipperz.Base.serializeJSON(MochiKit.Base.keys(args)));
        this._record = args.record || null;
        this._label = args.label || "unnamed record"
        this._reference = args.reference || Clipperz.PM.Crypto.randomKey();
-        this._favicon = args.favicon || null;
+        this._favicon = Clipperz.Base.sanitizeFavicon(args.favicon) || null;
        this._bookmarkletVersion = args.bookmarkletVersion || "0.1";
        this._directLoginInputs = null;
        
        this._formValues = args.formValues || {};
        this.setFormData(args.formData || null);
 //console.log("=== formData: %o", this.formData());
        if (args.legacyBindingData == null) {
                this.setBindingData(args.bindingData || null);
        } else {
                this.setLegacyBindingData(args.legacyBindingData);
        }
        this._fixedFavicon = null;
        
@@ -89,67 +89,75 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, {
        'label': function() {
                return this._label;
        },
        'setLabel': function(aValue) {
                this._label = aValue;
        },
        
        //-------------------------------------------------------------------------
        'favicon': function() {
                if (this._favicon == null) {
                                varactionUrl;
                        var hostname;
                        
-                        actionUrl = this.formData()['attributes']['action'];
+                        actionUrl = this.action();
                        hostname = actionUrl.replace(/^https?:\/\/([^\/]*)\/.*/, '$1');
-                        this._favicon = "http://" + hostname + "/favicon.ico";
+                        this._favicon = Clipperz.Base.sanitizeFavicon("http://" + hostname + "/favicon.ico");
                }
                return this._favicon;
        },
        //-------------------------------------------------------------------------
        'fixedFavicon': function() {
                var result;
                
                if (this._fixedFavicon == null) {
                        result = this.favicon();
                        if (Clipperz_IEisBroken) {
                                if (this.user().preferences().disableUnsecureFaviconLoadingForIE()) {
                                        if (result.indexOf('https://') != 0) {
                                                result = Clipperz.PM.Strings['defaultFaviconUrl_IE'];
                                                this.setFixedFavicon(result);
                                        }
                                }
                        }
                } else {
                        result = this._fixedFavicon;
                }
                
                return result;
        },
        'setFixedFavicon': function(aValue) {
                this._fixedFavicon = aValue;
        },
        
+        'action': function () {
+                        varresult;
+                
+                result = Clipperz.Base.sanitizeUrl(this.formData()['attributes']['action']);
+                
+                return result;
+        },
+        
        //-------------------------------------------------------------------------
        'bookmarkletVersion': function() {
                return this._bookmarkletVersion;
        },
        
        'setBookmarkletVersion': function(aValue) {
                this._bookmarkletVersion = aValue;
        },
        
        //-------------------------------------------------------------------------
        'formData': function() {
                return this._formData;
        },
@@ -429,33 +437,33 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, {
        
        //-------------------------------------------------------------------------
        'runSubmitFormDirectLogin': function(aWindow) {
                MochiKit.DOM.withWindow(aWindow, MochiKit.Base.bind(function() {
                        var formElement;
                                varformSubmitFunction;
                        var submitButtons;
                        
 //MochiKit.Logging.logDebug("### runDirectLogin - 3");
        //              MochiKit.DOM.currentDocument().write('<html><head><title>' + this.label() + '</title><META http-equiv="Content-Type" content="text/html; charset=utf-8" /></head><body></body></html>')
 //MochiKit.Logging.logDebug("### runDirectLogin - 3.1");
                        MochiKit.DOM.appendChildNodes(MochiKit.DOM.currentDocument().body, MochiKit.DOM.H3(null, "Loading " + this.label() + " ..."));
 //MochiKit.Logging.logDebug("### runDirectLogin - 4");
 //console.log(this.formData()['attributes']);
                                formElement = MochiKit.DOM.FORM(MochiKit.Base.update({id:'directLoginForm'}, {'method':this.formData()['attributes']['method'],
-                                                                                                                                                                                        'action':this.formData()['attributes']['action']}));
+                                                                                                                                                                                        'action': this.action()}));
 //MochiKit.Logging.logDebug("### runDirectLogin - 5");
                        formSubmitFunction = MochiKit.Base.method(formElement, 'submit');
 //MochiKit.Logging.logDebug("### runDirectLogin - 6");
                        MochiKit.DOM.appendChildNodes(MochiKit.DOM.currentDocument().body,
                                MochiKit.DOM.DIV({style:'display:none; visibility:hidden;'}, formElement)
                        );
 //MochiKit.Logging.logDebug("### runDirectLogin - 7");
                                MochiKit.DOM.appendChildNodes(formElement, MochiKit.Base.map(MochiKit.Base.methodcaller("formConfiguration"),
                                                                                                                                                        this.directLoginInputs()));
 //MochiKit.Logging.logDebug("### runDirectLogin - 8");
                        submitButtons = MochiKit.Base.filter(function(anInputElement) {
 //MochiKit.Logging.logDebug("### runDirectLogin - 8.1 - " + anInputElement);
 //MochiKit.Logging.logDebug("### runDirectLogin - 8.2 - " + anInputElement.tagName);
 //MochiKit.Logging.logDebug("### runDirectLogin - 8.3 - " + anInputElement.getAttribute('type'));
@@ -474,35 +482,35 @@ Clipperz.PM.DataModel.DirectLogin.prototype = MochiKit.Base.update(null, {
                                }
                        } else {
 //MochiKit.Logging.logDebug("### NEW submit")
                                submitButtons[0].click();
                        }
                }, this));
        },
        
        //-------------------------------------------------------------------------
        'runDirectLogin': function(aNewWindow) {
                        varnewWindow;
 //console.log("formData.attributes", this.formData()['attributes']);
        //      if (/^javascript/.test(this.formData()['attributes']['action'])) {
-                if ((/^(https?|webdav|ftp)\:/.test(this.formData()['attributes']['action']) == false) &&
+                if ((/^(https?|webdav|ftp)\:/.test(this.action()) == false) &&
-                        (this.formData()['attributes']['type'] != 'http_auth'))
+                        (this.formData()['attributes']['type'] != 'http_auth')
-                {
+                ) {
                        var messageBoxConfiguration;
                        if (typeof(aNewWindow) != 'undefined') {
                                aNewWindow.close();
                        }
                        messageBoxConfiguration = {};
                        messageBoxConfiguration.title = Clipperz.PM.Strings['VulnerabilityWarning_Panel_title'];
                        messageBoxConfiguration.msg = Clipperz.PM.Strings['VulnerabilityWarning_Panel_message'];
                        messageBoxConfiguration.animEl = YAHOO.ext.Element.get("mainDiv");
                        messageBoxConfiguration.progress = false;
                        messageBoxConfiguration.closable = false;
                        messageBoxConfiguration.buttons = {'cancel': Clipperz.PM.Strings['VulnerabilityWarning_Panel_buttonLabel']};
                        Clipperz.YUI.MessageBox.show(messageBoxConfiguration);
diff --git a/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js b/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js
index 236d7c9..ba302da 100644
--- a/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js
+++ b/frontend/beta/js/Clipperz/PM/DataModel/DirectLoginReference.js
@@ -34,33 +34,33 @@ Clipperz.PM.DataModel.DirectLoginReference = function(args) {
 //MochiKit.Logging.logDebug(">>> new DirectLoginReference: " + Clipperz.Base.serializeJSON(MochiKit.Base.keys(args)));
 //MochiKit.Logging.logDebug(">>> new DirectLoginReference - record: " + args.record);
        this._user = args.user;
        
        if (args.directLogin != null) {
                this._reference = args.directLogin.reference();
                this._recordReference = args.directLogin.record().reference();
                this._label = args.directLogin.label();
                this._favicon = args.directLogin.favicon() || null;
                this._directLogin = args.directLogin;
                this._record = args.directLogin.record();
        } else {
                this._reference = args.reference;
                this._recordReference = args.record;
                this._label = args.label;
-                this._favicon = args.favicon || null;
+                this._favicon = Clipperz.Base.sanitizeFavicon(args.favicon) || null;
        
                this._directLogin = null;
                this._record = null;
        }
        this._fixedFavicon = null;
        
        return this;
 }
 Clipperz.PM.DataModel.DirectLoginReference.prototype = MochiKit.Base.update(null, {
        'user': function() {
                return this._user;
        },
author	Giulio Cesare Solaroli <giulio.cesare@clipperz.com>	2014-05-02 15:14:18 (UTC)
committer	Giulio Cesare Solaroli <giulio.cesare@clipperz.com>	2014-05-02 15:24:45 (UTC)
commit	ed6b4edc82b0f65c77980713cd525053fcbc1dd2 (patch) (unidiff)
tree	80eb0e6ccfc4efa15c6488cc83448d8a865169df /frontend
parent	03659f6b3d9766898854e8a769c0c9341b3de80c (diff)
download	clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.zip clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.tar.gz clipperz-ed6b4edc82b0f65c77980713cd525053fcbc1dd2.tar.bz2