> On Aug. 2, 2012, 1:13 p.m., Dan Dumont wrote:
> > This patch might need a bit more work. I'll need to talk to Ryan about this method:
> >
> >   public GadgetSpec getGadgetSpec(GadgetContext context) throws GadgetException {
> >     String rawxml = context.getParameter(RAW_GADGETSPEC_XML_PARAM_NAME);
> >     if (rawxml != null) {
> >       // Set URI to a fixed, safe value (localhost), preventing a gadget rendered
> >       // via raw XML (eg. via POST) to be rendered on a locked domain of any other
> >       // gadget whose spec is hosted non-locally.
> >
> > It looks like we'd be altering the whitelist check for rawxml gadgets with this change.

I think it might be a good idea to put a getGadgetUri(GadgetContext context) in the org.apache.shindig.gadgets.GadgetSpecFactory interface. This can implement the current logic found in getGadgetSpec(GadgetContext context) for deriving the gadget uri. You can then use that instead of trying to get it from the context directly.

- Dan

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/6198/#review9749
-----------------------------------------------------------

On Aug. 1, 2012, 2:54 a.m., Marshall Shi wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/6198/
> -----------------------------------------------------------
>
> (Updated Aug. 1, 2012, 2:54 a.m.)
>
> Review request for shindig, Ryan Baxter, Dan Dumont, and Stanton Sievers.
>
> Description
> -------
>
> The gadgets/ifr endpoint will fetch the gadget xml first and then do the
> white list check. It is consuming resources to fetch content when the gadget
> is not allowed to render according to the gadget admin.
> The proposed fix is to move the white list check ahead of processing the
> gadget xml. If the gadget is not allowed to show, an error message will be
> returned before doing the content fetching.
>
> This addresses bug shindig-1830.
>     https://issues.apache.org/jira/browse/shindig-1830
>
> Diffs
> -----
>
>   http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/process/Processor.java 1363665
>
> Diff: https://reviews.apache.org/r/6198/diff/
>
> Testing
> -------
>
> Done.
>
> Thanks,
>
> Marshall Shi
>
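
The ordering discussed in this thread, as an added Java sketch that is not Shindig code and not code from either participant: the whitelist check runs before any fetch, and it checks the URI produced by one shared derivation step so that raw-XML requests are judged by the fixed URI rather than the caller-supplied one. The class, the `process` method, the `Map`-based parameters, the `"rawxml"` parameter value, the `RAW_XML_URI` value and the sample URLs are all assumptions made for illustration.

```java
import java.net.URI;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;

public class WhitelistBeforeFetch {
  // Assumed values for illustration only; Shindig defines its own.
  static final String RAW_GADGETSPEC_XML_PARAM_NAME = "rawxml";
  static final URI RAW_XML_URI = URI.create("http://localhost/raw.xml");

  // Hypothetical stand-in for the proposed getGadgetUri(GadgetContext):
  // raw-XML gadgets are pinned to a fixed local URI, so the caller-supplied
  // url must not be what the whitelist sees.
  static URI getGadgetUri(Map<String, String> params, URI requestedUrl) {
    return params.containsKey(RAW_GADGETSPEC_XML_PARAM_NAME) ? RAW_XML_URI : requestedUrl;
  }

  // Whitelist check first, on the derived URI; the fetch only runs if it passes.
  static String process(Map<String, String> params, URI requestedUrl,
                        Set<URI> whitelist, Function<URI, String> fetcher) {
    URI effective = getGadgetUri(params, requestedUrl);
    if (!whitelist.contains(effective)) {
      return "denied: " + effective;
    }
    String rawxml = params.get(RAW_GADGETSPEC_XML_PARAM_NAME);
    return rawxml != null ? rawxml : fetcher.apply(effective);
  }

  public static void main(String[] args) {
    URI allowed = URI.create("http://gadgets.example.org/ok.xml");   // constructed
    URI blocked = URI.create("http://gadgets.example.org/bad.xml");  // constructed
    Set<URI> whitelist = Set.of(allowed);                            // constructed
    int[] fetches = {0};
    Function<URI, String> fetcher = uri -> { fetches[0]++; return "<Module/>"; };

    System.out.println(process(Map.of(), allowed, whitelist, fetcher));
    System.out.println(process(Map.of(), blocked, whitelist, fetcher));
    // Raw XML posted alongside a whitelisted url: checking the context url
    // directly would approve this request; the derived URI does not.
    System.out.println(process(
        Map.of(RAW_GADGETSPEC_XML_PARAM_NAME, "<Module/>"), allowed, whitelist, fetcher));
    System.out.println("fetches: " + fetches[0]);
  }
}
```

Whether the fixed raw-XML URI belongs on the whitelist is a deployment decision; the sketch leaves it off so that the difference from checking the context URL is visible.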