[
https://issues.apache.org/jira/browse/SHINDIG-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13268432#comment-13268432
]
[email protected] commented on SHINDIG-1765:
--------------------------------------------------------
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/5011/#review7562
-----------------------------------------------------------
http://svn.apache.org/repos/asf/shindig/trunk/config/container.js
<https://reviews.apache.org/r/5011/#comment16746>
We may want to add a comment here noting that this setting MUST be supplied
in every container config object, as there is no default if it is not supplied.
Either that or provide a default in code if there is nothing set here.
- Dan
On 2012-05-04 02:29:59, Marshall Shi wrote:
bq.
bq. -----------------------------------------------------------
bq. This is an automatically generated e-mail. To reply, visit:
bq. https://reviews.apache.org/r/5011/
bq. -----------------------------------------------------------
bq.
bq. (Updated 2012-05-04 02:29:59)
bq.
bq.
bq. Review request for Ryan Baxter, Dan Dumont and Stanton Sievers.
bq.
bq.
bq. Summary
bq. -------
bq.
bq. The gadget io request will inject an unparseable cruft message "throw 1; < don't be evil' >" in the response content intentionally for security reasons.
bq. However, this "throw 1; < don't be evil' >" string has been hardcoded in:
bq. features/src/main/javascript/features/core.io/io.js
bq. java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java
bq.
bq. It would be good to extract the message into a container config, so:
bq. - client and server can reuse the same message.
bq. - Shindig consumers can replace the message with their own.
bq.
bq.
bq. This addresses bug SHINDIG-1765.
bq. https://issues.apache.org/jira/browse/SHINDIG-1765
bq.
bq.
bq. Diffs
bq. -----
bq.
bq. http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1333012
bq. http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js 1333012
bq. http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1333012
bq. http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1333012
bq. http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1333012
bq.
bq. Diff: https://reviews.apache.org/r/5011/diff
bq.
bq.
bq. Testing
bq. -------
bq.
bq. Tested by trying a few other messages in the container.js; the replaced message shows up in the response correctly.
bq.
bq.
bq. Thanks,
bq.
bq. Marshall
bq.
bq.
> Replace the unparseable cruft message "throw 1; < don't be evil' >" constant
> in client and server with a container config
> -------------------------------------------------------------------------------------------------------------------------
>
> Key: SHINDIG-1765
> URL: https://issues.apache.org/jira/browse/SHINDIG-1765
> Project: Shindig
> Issue Type: Improvement
> Components: Java
> Affects Versions: 2.5.0
> Reporter: Marshall Shi
> Fix For: 2.5.0
>
> Original Estimate: 4h
> Remaining Estimate: 4h
>
> The gadget io request will inject an unparseable cruft message "throw 1; < don't be evil' >" in the response content intentionally for security reasons.
> However, this "throw 1; < don't be evil' >" string has been hardcoded in:
> features/src/main/javascript/features/core.io/io.js
> java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java
> It would be good to extract the message into a container config, so:
> - client and server can reuse the same message.
> - Shindig consumers can replace the message with their own.
> The new config can be added into gadgets.features.core.io in container.js, as shown below:
> "gadgets.features" : {
>   "core.io" : {
>     // Note: ${Cur['gadgets.uri.proxy.path']} is an open proxy. Be careful how you expose this!
>     // Note: These urls should be protocol relative (start with //)
>     "proxyUrl" : "//${Cur['default.domain.unlocked.client']}${Cur['gadgets.uri.proxy.path']}?container=%container%&refresh=%refresh%&url=%url%%rewriteMime%",
>     "jsonProxyUrl" : "//${Cur['default.domain.locked.client']}${CONTEXT_ROOT}/gadgets/makeRequest",
>     "unparseableCruft" : "throw 1; < don't be evil' >"
>   },
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
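The following is an added example, not code from Shindig, from the review request or from anyone on this thread. It shows the mechanism the issue describes: the server (MakeRequestHandler) prepends the cruft string to the JSON body so the response is not valid JavaScript, and the client (io.js) strips the same prefix before parsing. The config key `unparseableCruft` is the one proposed in the issue; the sample container config object and the function names `getCruft`, `wrapResponse`, `unwrapResponse` and `isUnparseableAsScript` are constructed for this example. It also reflects Dan's review point: the prefix is read from config with no fallback, so a missing value fails loudly instead of silently sending unprotected responses.

```javascript
// Added example (not Shindig's own code). Demonstrates the "unparseable
// cruft" prefix pattern that SHINDIG-1765 proposes to make configurable.
// Only the key name `unparseableCruft` comes from the issue; the config
// object below and all function names are constructed for this example.

// Minimal stand-in for the container.js entry proposed in the issue.
const containerConfig = {
  'gadgets.features': {
    'core.io': {
      unparseableCruft: "throw 1; < don't be evil' >",
    },
  },
};

// Read the prefix from container config. There is deliberately no default:
// a container that omits the key gets an error, not an unprefixed response.
function getCruft(config) {
  const features = config['gadgets.features'] || {};
  const io = features['core.io'] || {};
  const cruft = io.unparseableCruft;
  if (typeof cruft !== 'string' || cruft.length === 0) {
    throw new Error('gadgets.features.core.io.unparseableCruft must be set in container config');
  }
  return cruft;
}

// Server side: prepend the prefix to the serialised JSON payload so the
// body, taken as a whole, cannot be loaded as a script.
function wrapResponse(config, payload) {
  return getCruft(config) + JSON.stringify(payload);
}

// Client side: accept only bodies that carry the exact configured prefix,
// strip it, and parse the remainder with JSON.parse (never eval).
function unwrapResponse(config, body) {
  const cruft = getCruft(config);
  if (!body.startsWith(cruft)) {
    throw new Error('response does not start with the configured cruft prefix');
  }
  return JSON.parse(body.slice(cruft.length));
}

// Why the prefix protects the response: handing the wrapped body to the
// JavaScript parser fails before any statement executes, so a page that
// loads the URL as a script obtains nothing. Returns true when the body
// is rejected by the parser.
function isUnparseableAsScript(body) {
  try {
    new Function(body); // parse only; the function is never called
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Stand-alone demonstration.
const sampleBody = wrapResponse(containerConfig, ['alice', 'bob']);
console.log('wire body:', sampleBody);
console.log('parsed by client:', unwrapResponse(containerConfig, sampleBody));
console.log('rejected by JS parser:', isUnparseableAsScript(sampleBody));
```

Note that a bare JSON array literal is itself a valid JavaScript program, which is why `isUnparseableAsScript` returns `false` for the unwrapped payload and `true` for the wrapped one; the contrast is the whole reason the prefix exists. Because both sides read the same config entry, changing the string in container.js changes it consistently for the server and the client, which is the reuse the issue asks for.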