Revision: 5675
Author:   erights
Date:     Mon Mar 17 02:52:38 2014 UTC
Log: Fix Issue 1893 "uriPolicy.mitigate() does not actually prevent mitigation"
https://codereview.appspot.com/67720043

Problem reported and fix suggested by James Keane at
https://code.google.com/p/google-caja/issues/detail?id=1893
I probably forgot to add rewriteFunctionCalls to this list when I
added it as another mitigation option.

[email protected]

http://code.google.com/p/google-caja/source/detail?r=5675

Modified:
 /trunk/src/com/google/caja/plugin/html-emitter.js
 /trunk/src/com/google/caja/ses/startSES.js

=======================================
--- /trunk/src/com/google/caja/plugin/html-emitter.js Tue Oct 8 22:01:03 2013 UTC
+++ /trunk/src/com/google/caja/plugin/html-emitter.js Mon Mar 17 02:52:38 2014 UTC
@@ -329,7 +329,7 @@

   function hasChild(el, name) {
     if (!el) { return false; }
-
+
     for (var child = el.firstChild; child; child = child.nextSibling) {
       if (child.nodeType === 1 && virtTagName(child) === name) {
         return child;
@@ -581,12 +581,16 @@
       var proxiedUrl = getMitigatedUrl(url);
       var mitigateOpts;
       if (proxiedUrl) {
-        // Disable mitigation
+        // Disable mitigation.
+        // Maintain this list in coordination with the list of
+        // mitigation options documented in startSES.js.
+        // See https://code.google.com/p/google-caja/issues/detail?id=1893
         mitigateOpts = {
-          parseProgram : true,
-          rewriteTopLevelVars : false,
-          rewriteTopLevelFuncs : false,
-          rewriteTypeOf : false
+          parseFunctionBody: true,
+          rewriteTopLevelVars: false,
+          rewriteTopLevelFuncs: false,
+          rewriteFunctionCalls: false,
+          rewriteTypeOf: false
         };
         url = proxiedUrl;
       } else {
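Review bot: The disable-mitigation object at `mitigateOpts = {` is still a hand-maintained mirror of the option list in startSES.js, which is exactly how rewriteFunctionCalls went missing in Issue 1893; the new comment asks for coordination but nothing enforces it, so the next option added to startSES.js will again silently leave a proxied script partially mitigated despite the policy saying otherwise. Consider having startSES.js expose the full option-name list next to `ses.makeCompiledExpr` and deriving this object from it, or at least adding a test that asserts the keys of this object equal the set documented in startSES.js. Separately, the key changed from `parseProgram` to `parseFunctionBody` without mention in the log; if `parseProgram` was a name the mitigator accepted this is a behaviour change worth calling out, and if it was never recognized it is another instance of the same drift. The enclosing function starts and ends outside the hunk.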
=======================================
--- /trunk/src/com/google/caja/ses/startSES.js  Fri Feb 28 03:53:00 2014 UTC
+++ /trunk/src/com/google/caja/ses/startSES.js  Mon Mar 17 02:52:38 2014 UTC
@@ -785,6 +785,10 @@
     }
     ses.makeCompiledExpr = makeCompiledExpr;

+    // Maintain the list of mitigation options documented below in
+    // coordination with the list of mitigation options in
+    // html-emitter.js's evaluateUntrustedExternalScript.
+    // See https://code.google.com/p/google-caja/issues/detail?id=1893
     /**
      * Compiles {@code exprSrc} as a strict expression into a function
      * of an {@code imports}, that when called evaluates {@code
