Reviewers: MikeSamuel,
Description:
Problem reported and fix suggested by James Keane at
https://code.google.com/p/google-caja/issues/detail?id=1893
I probably forgot to add rewriteFunctionCalls to this list when I
added it as another mitigation option.
Please review this at https://codereview.appspot.com/67720043/
Affected files (+11, -3 lines):
M src/com/google/caja/plugin/html-emitter.js
M src/com/google/caja/ses/startSES.js
Index: src/com/google/caja/plugin/html-emitter.js
===================================================================
--- src/com/google/caja/plugin/html-emitter.js (revision 5668)
+++ src/com/google/caja/plugin/html-emitter.js (working copy)
@@ -329,7 +329,7 @@
function hasChild(el, name) {
if (!el) { return false; }
-
+
for (var child = el.firstChild; child; child = child.nextSibling) {
if (child.nodeType === 1 && virtTagName(child) === name) {
return child;
@@ -581,12 +581,16 @@
var proxiedUrl = getMitigatedUrl(url);
var mitigateOpts;
if (proxiedUrl) {
- // Disable mitigation
+ // Disable mitigation.
+ // Maintain this list in coordination with the list of
+ // mitigation options documented in startSES.js.
+ // See https://code.google.com/p/google-caja/issues/detail?id=1893
mitigateOpts = {
parseProgram : true,
rewriteTopLevelVars : false,
rewriteTopLevelFuncs : false,
- rewriteTypeOf : false
+ rewriteTypeOf : false,
+ rewriteFunctionCalls: false
};
url = proxiedUrl;
} else {
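Review bot: The `mitigateOpts` literal is still a hand-enumerated opt-out, so the drift this commit fixes can recur. Any mitigation flag added to startSES.js later will presumably keep its default for proxied URLs until someone remembers to edit this object too. The new comment documents the coupling but nothing enforces it. If startSES.js can expose its option names (not visible in this hunk), building the object from that list would remove the second copy. Separately, the added key is written `rewriteFunctionCalls: false` while its neighbours use `name : value`, so `rewriteFunctionCalls : false` would match; the enclosing function starts and ends outside the hunk.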
Index: src/com/google/caja/ses/startSES.js
===================================================================
--- src/com/google/caja/ses/startSES.js (revision 5668)
+++ src/com/google/caja/ses/startSES.js (working copy)
@@ -780,6 +780,10 @@
}
ses.makeCompiledExpr = makeCompiledExpr;
+ // Maintain the list of mitigation options documented below in
+ // coordination with the list of mitigation options in
+ // html-emitter.js's evaluateUntrustedExternalScript.
+ // See https://code.google.com/p/google-caja/issues/detail?id=1893
/**
* Compiles {@code exprSrc} as a strict expression into a function
* of an {@code imports}, that when called evaluates {@code
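Review bot: The cross-reference is added as a `//` comment above the JSDoc block rather than inside it, so it sits apart from the option descriptions it says are "documented below". Those descriptions are outside this hunk, so this is inferred, but someone adding an option there may never scroll up to see the reminder. Consider moving it into the JSDoc next to the option list, e.g. `* NOTE: keep in sync with mitigateOpts in html-emitter.js (issue 1893).`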