> On Aug. 2, 2012, 1:13 p.m., Dan Dumont wrote:
> > This patch might need a bit more work. I'll need to talk to Ryan about 
> > this method:
> > public GadgetSpec getGadgetSpec(GadgetContext context) throws GadgetException {
> >   String rawxml = context.getParameter(RAW_GADGETSPEC_XML_PARAM_NAME);
> >   if (rawxml != null) {
> >     // Set URI to a fixed, safe value (localhost), preventing a gadget rendered
> >     // via raw XML (eg. via POST) to be rendered on a locked domain of any other
> >     // gadget whose spec is hosted non-locally.
> > 
> > It looks like we'd be altering the whitelist check for rawxml gadgets with 
> > this change.
> 
> Dan Dumont wrote:
>     I think it might be a good idea to put a getGadgetUri(GadgetContext context)
>     in the org.apache.shindig.gadgets.GadgetSpecFactory interface.
>     This can implement the current logic found in getGadgetSpec(GadgetContext context)
>     for deriving the gadget uri.
>     
>     You can then use that instead of trying to get it from the context directly.

Good catch Dan!


- Ryan


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/6198/#review9749
-----------------------------------------------------------


On Aug. 1, 2012, 2:54 a.m., Marshall Shi wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/6198/
> -----------------------------------------------------------
> 
> (Updated Aug. 1, 2012, 2:54 a.m.)
> 
> 
> Review request for shindig, Ryan Baxter, Dan Dumont, and Stanton Sievers.
> 
> 
> Description
> -------
> 
> The gadgets/ifr endpoint will fetch the gadget xml first and then do the 
> white list check. It is consuming resources to fetch content when the gadget 
> is not allowed to render according to the gadget admin.
> The proposed fix is to move the white list check ahead of processing the 
> gadget xml. If the gadget is not allowed to show, an error message will be 
> returned before doing the content fetching. 
> 
> 
> This addresses bug shindig-1830.
>     https://issues.apache.org/jira/browse/shindig-1830
> 
> 
> Diffs
> -----
> 
>   
> http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/process/Processor.java
>  1363665 
> 
> Diff: https://reviews.apache.org/r/6198/diff/
> 
> 
> Testing
> -------
> 
> Done.
> 
> 
> Thanks,
> 
> Marshall Shi
> 
>
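
The ordering discussed in this thread, as an added example that is not part of the original messages and is not Shindig's code: the whitelist decision is made on a URI derived in one place (a fixed value when raw XML is supplied) before any spec fetch happens. Every type and method here is a hypothetical stand-in, and the parameter name, the fixed URI and the example.org URLs are constructed for the demonstration.

```java
import java.net.URI;
import java.util.Map;
import java.util.Set;

// Hypothetical stand-ins for illustration; these are not Shindig's classes.
public class WhitelistBeforeFetch {
  static final String RAW_XML_PARAM = "rawxml";                              // assumed parameter name
  static final URI RAW_GADGET_URI = URI.create("http://localhost/raw.xml");  // constructed placeholder
  static int fetches = 0;                                                    // counts simulated spec fetches

  record Context(URI url, Map<String, String> params) {}

  // Single place that derives the gadget URI, shared by the whitelist check and the loader.
  static URI getGadgetUri(Context ctx) {
    return ctx.params().get(RAW_XML_PARAM) != null ? RAW_GADGET_URI : ctx.url();
  }

  static String getGadgetSpec(Context ctx) {
    String rawXml = ctx.params().get(RAW_XML_PARAM);
    if (rawXml != null) return rawXml;  // raw XML was posted, nothing to fetch
    fetches++;                          // stands in for the HTTP fetch of the spec
    return "<Module><!-- fetched from " + ctx.url() + " --></Module>";
  }

  // Whitelist decision first, on the derived URI; the fetch happens only if it passes.
  static String process(Context ctx, Set<URI> whitelist) {
    URI gadgetUri = getGadgetUri(ctx);
    if (!whitelist.contains(gadgetUri)) {
      throw new SecurityException("Gadget not whitelisted: " + gadgetUri);
    }
    return getGadgetSpec(ctx);
  }

  public static void main(String[] args) {
    URI ok = URI.create("http://example.org/ok.xml");
    Set<URI> whitelist = Set.of(ok);
    Context blocked = new Context(URI.create("http://example.org/other.xml"), Map.of());
    // The url parameter is whitelisted, but raw XML is supplied, so the check sees RAW_GADGET_URI.
    Context raw = new Context(ok, Map.of(RAW_XML_PARAM, "<Module/>"));
    for (Context ctx : new Context[] {blocked, raw}) {
      try {
        process(ctx, whitelist);
      } catch (SecurityException e) {
        System.out.println(e.getMessage() + " (fetches so far: " + fetches + ")");
      }
    }
    process(new Context(ok, Map.of()), whitelist);
    System.out.println("Allowed gadget processed, fetches=" + fetches);
  }
}
```

Checking the `url` taken straight from the context would have let the second request through on the strength of a whitelisted URL it never uses; whether the fixed raw-XML URI belongs on the whitelist is a deployment decision this sketch does not make.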
