-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/6198/#review9749
-----------------------------------------------------------
This patch might need a bit more work. I'll need to talk to Ryan about this
method:
    public GadgetSpec getGadgetSpec(GadgetContext context) throws GadgetException {
      String rawxml = context.getParameter(RAW_GADGETSPEC_XML_PARAM_NAME);
      if (rawxml != null) {
        // Set URI to a fixed, safe value (localhost), preventing a gadget rendered
        // via raw XML (eg. via POST) to be rendered on a locked domain of any other
        // gadget whose spec is hosted non-locally.
It looks like we'd be altering the whitelist check for rawxml gadgets with this
change.
- Dan Dumont
On Aug. 1, 2012, 2:54 a.m., Marshall Shi wrote:
>
> (Updated Aug. 1, 2012, 2:54 a.m.)
>
>
> Review request for shindig, Ryan Baxter, Dan Dumont, and Stanton Sievers.
>
>
> Description
> -------
>
> The gadgets/ifr endpoint will fetch the gadget xml first and then do the
> white list check. It is consuming resources to fetch content when the gadget
> is not allowed to render according to the gadget admin.
> The proposed fix is to move the white list check ahead of processing the
> gadget xml. If the gadget is not allowed to show, an error message will be
> returned before doing the content fetching.
>
>
> This addresses bug shindig-1830.
> https://issues.apache.org/jira/browse/shindig-1830
>
>
> Diffs
> -----
>
>
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/process/Processor.java
> 1363665
>
> Diff: https://reviews.apache.org/r/6198/diff/
>
>
> Testing
> -------
>
> Done.
>
>
> Thanks,
>
> Marshall Shi
>
>