That's more or less what I said: the odds that 
getDirectoryOfFile($doc.location.href) is actually called are a) very low 
b) dependent on how you call the *.nocache.js more than the runtime 
environment.
Starting with 2.1.0, you can "set" the 'base' using <meta 
name="gwt:property" value="baseUrl=foo/"> (have a look how Google Groups 
uses it, scoped only to the 'standalone' module so it's 
name="standalone::gwt:property" rather than name="gwt:property").
Starting with 2.1.0 you can also more easily replace that code altogether 
with a custom linker (this was possible in 2.0.3 too but required copying 
the whole IFrameTemplate.js, whereas 2.1.0 made it more modular).

On Thursday, April 18, 2013 8:56:15 PM UTC+2, Shashank Raj Holavanalli 
wrote:
>
> Thomas,
>
> This piece of code is in nocache.js
>
>   // directory part of the URL, ignoring the query ('?') and fragment ('#')
>   function getDirectoryOfFile(path){
>     var hashIndex = path.lastIndexOf('#');
>     if (hashIndex == -1) {
>       hashIndex = path.length;
>     }
>     var queryIndex = path.indexOf('?');
>     if (queryIndex == -1) {
>       queryIndex = path.length;
>     }
>     // last '/' before whichever of '?' / '#' comes first
>     var slashIndex = path.lastIndexOf('/', Math.min(queryIndex, hashIndex));
>     return slashIndex >= 0?path.substring(0, slashIndex + 1):'';
>   }
>
> The “path” parameter to this function comes from the 
> document.location.href attribute.
>
>  
>
> This function is basically finding the last index of “/” in the browser 
> address bar ignoring what is there after “?” and “#”. 
>
> From what I know DOM based XSS can occur by injecting scripts after “?” or 
> “#” like this
>
>  
>
> Server can sanitize this script because the value of the name attribute is 
> sent to the server
>
> http://domain.com/index.html?name=<script>MALICIOUS_CODE</script>
>
>
> OR
>
>  
>
> Server cannot sanitize this script because the fragment after “#” is never 
> sent to the server and runs on the browser itself
>
> http://domain.com/index.html#name=<script>MALICIOUS_CODE</script>
>
> nocache.js also has the following code:
>
>   base = getDirectoryOfFile(document.location.href);
>   document.write('<script language="javascript" src="' + base + 'scripts/xyz.js"><\/script>');
>
> Our security analysis tool complains that this is an XSS issue since base 
> is not a compile time constant.
>
>  
>
>
>
> On Wed, Apr 17, 2013 at 6:08 PM, Thomas Broyer <[email protected]> wrote:
>
>>
>>
>> On Wednesday, April 17, 2013 3:20:09 PM UTC+2, Shashank Raj Holavanalli 
>> wrote:
>>>
>>> Thomas,
>>>
>>> I am using GWT 2.0.3 and this is being generated in the *.nocache.js.
>>>
>>
>> Come on, 2.0.3 is 3 damn years old!
>>  
>>
>>>  Is there any solution to this ? This clearly seems like an XSS 
>>> vulnerability to me. Have you fixed this in the later version ? If yes then 
>>> which one ?
>>>
>>
>> There's been a few security fixes in latest versions (though not related 
>> to this one).
>> AFAICT, assuming this is from computeBaseUrl(), this code will almost 
>> never be called (it depends how you load the nocache.js), so there should 
>> be no vulnerability in practice.
>> It'd help if you could give more info as to which code exactly you're 
>> talking about (compile with -style PRETTY so the JS won't be obfuscated).
>>  
>>
>
>
>
> -- 
> Shashank Raj Holavanalli
> Software Engineer
> NetApp New England
> www.crackeasily.com
>  

-- 
You received this message because you are subscribed to the Google Groups 
"Google Web Toolkit" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/google-web-toolkit?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
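As an added illustration of the point argued above (this is not part of either post and not GWT's own code): a stand-alone port of the quoted getDirectoryOfFile() logic, run over constructed URLs to see what `base` becomes when the query string, the fragment or the path itself is attacker-influenced. The hostnames and payloads are made up for the example; the "browser view" of a raw URL relies on the WHATWG URL parser (Node's `URL`, the same serialisation current browsers use for location.href), which is an assumption older 2013-era browsers may not meet.

```javascript
// Added example, not from the thread or from GWT's sources: a stand-alone port
// of the getDirectoryOfFile() logic quoted above, run over constructed URLs to
// see what `base` becomes when the query string, fragment or path is
// attacker-influenced. Runs under Node.js with no dependencies.

// Same logic as the quoted nocache.js function: directory of the URL, ignoring
// everything from the first '?' or the last '#' onwards.
function getDirectoryOfFile(path) {
  let hashIndex = path.lastIndexOf('#');
  if (hashIndex === -1) hashIndex = path.length;
  let queryIndex = path.indexOf('?');
  if (queryIndex === -1) queryIndex = path.length;
  const slashIndex = path.lastIndexOf('/', Math.min(queryIndex, hashIndex));
  return slashIndex >= 0 ? path.substring(0, slashIndex + 1) : '';
}

// Mirrors the quoted document.write(): the exact markup that would be written.
function scriptTagFor(href) {
  return '<script language="javascript" src="' + getDirectoryOfFile(href) +
         'scripts/xyz.js"><\/script>';
}

// The attribute is double-quoted, so a '"' in base is what would let the
// computed value break out of src="...".
function baseBreaksSrcAttribute(href) {
  return getDirectoryOfFile(href).includes('"');
}

// base is always a prefix of href, so the script is requested from the page's
// own origin whenever base parses as a URL at all.
function baseOriginMatchesPage(href) {
  const base = getDirectoryOfFile(href);
  return base !== '' && new URL(base).origin === new URL(href).origin;
}

// What a WHATWG-conforming browser exposes in location.href for a raw URL:
// '"', '<' and '>' in the path are percent-encoded before any script sees them.
function asBrowserHref(rawUrl) {
  return new URL(rawUrl).href;
}

// Constructed inputs (hostnames and payloads are assumptions, not from the thread).
const RAW_PATH_INJECTION = 'http://domain.com/"><script>alert(1)</script>/index.html';
const CASES = [
  'http://domain.com/index.html',
  'http://domain.com/app/index.html?name=<script>MALICIOUS_CODE</script>',
  'http://domain.com/app/index.html#name=<script>MALICIOUS_CODE</script>',
  // the string a taint analyser reasons about: a raw '"' in the path
  RAW_PATH_INJECTION,
  // the string a browser actually hands to the function for the same URL
  asBrowserHref(RAW_PATH_INJECTION),
  // two '#' characters: lastIndexOf('#') picks the second one, so the slash
  // inside the fragment is used and base ends in "#a/" (still the same origin)
  'http://domain.com/app/index.html#a/b#c',
];

for (const href of CASES) {
  console.log(href);
  console.log('  base:          ' + getDirectoryOfFile(href));
  console.log('  breaks src="": ' + baseBreaksSrcAttribute(href));
  console.log('  same origin:   ' + baseOriginMatchesPage(href));
}
```

Run it with `node`. The query and fragment payloads from the post are cut off before the last '/' is searched for, so they never reach `base`; the raw path with a literal `"` is the only input that textually breaks the `src` attribute, and that is the string a static analyser sees, not the percent-encoded one a current browser puts in location.href. In every case `base` is a prefix of the page URL, so the script tag that is written points back at the page's own origin; whether the function runs at all depends on how the *.nocache.js is loaded, as noted above, and the `baseUrl` property override mentioned above bypasses it entirely.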

