The XML spec only allows tab, CR, and LF... no other control chars.

The defect is in the scala.xml.Utility.escape method

This method is an amazing piece of crap... every character in the string is 
wrapped in a Character object and then wrapped in a Cons cell.  

The fix will improve performance radically.

Connected by MOTOBLUR™ on T-Mobile
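
An added example (not Lift's or scala.xml's own code) of the single-pass escape the message above describes: markup characters are entity-escaped and C0 control characters other than tab, LF and CR are dropped before the text is sent back to the browser. The object name and the sample input are constructed for the illustration.

```scala
// Added example, not Lift's or scala.xml.Utility's code.
// A single-pass XML text escaper that also removes the control characters
// XML 1.0 does not permit in character data. Only tab (0x09), LF (0x0A) and
// CR (0x0D) survive; every other code point below 0x20 is dropped so the
// browser never has to parse it. Appends to a StringBuilder instead of
// boxing each character into a Cons cell.
object SafeXmlEscape {
  // The three control characters XML 1.0 allows in character data.
  private def isAllowedControl(c: Char): Boolean =
    c == '\t' || c == '\n' || c == '\r'

  // Escape markup-significant characters and strip disallowed control characters.
  def escape(text: String): String = {
    val sb = new StringBuilder(text.length)
    var i = 0
    while (i < text.length) {
      val c = text.charAt(i)
      c match {
        case '<'  => sb.append("&lt;")
        case '>'  => sb.append("&gt;")
        case '&'  => sb.append("&amp;")
        case '"'  => sb.append("&quot;")
        case _ if c < 0x20 && !isAllowedControl(c) => () // disallowed control char: drop it
        case _    => sb.append(c)
      }
      i += 1
    }
    sb.toString
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample input: a chat name carrying an embedded NUL and ESC
    // plus markup, the kind of value a chat input box could receive.
    val tainted = "Da\u0000vid <b>\u001b&co\n"
    val out = escape(tainted)
    println(out)
    assert(out == "David &lt;b&gt;&amp;co\n")
  }
}
```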

-----Original message-----
From: Naftoli Gugenheim <naftoli...@gmail.com>
To: liftweb <liftweb@googlegroups.com>
Sent: Wed, Feb 3, 2010 01:31:24 GMT+00:00
Subject: Re: [Lift] Lift security vulnerability

If you scan the whole page wouldn't it affect performance? Or will you
put a safeguard in the input field / processing query parameters?

2010/2/2 Naftoli Gugenheim <naftoli...@gmail.com>:
> Is that not a defect of the browsers?
>
> On Tue, Feb 2, 2010 at 7:57 PM, David Pollak <feeder.of.the.be...@gmail.com> 
> wrote:
>> Folks,
>>
>> Turns out there's a security vulnerability in Lift.  It's possible to insert
>> control characters into input fields.  When the control characters are sent
>> back to the browser, the browser will choke.  An example can be seen at
>> http://demo.liftweb.net  Go to that page, enter your name in the chat input
>> box and then reload the page.  In Firefox, the page will not be rendered at
>> all.  In Chrome, rendering will stop at the point that the control character
>> is encountered.  This can cause a denial of service attack on any page that
>> contains user input.
>>
>> I will work on a fix for this vulnerability (filter control characters other
>> than \n and \r from Text fields when the page is being sent back to the
>> browser.)
>>
>> I'd like to get a sense of how important the community views this defect.
>> Is it a "backport the fix to every milestone and release yesterday" or is it
>> a "fix it in 2.0-M2" or someplace in between.
>>
>> Thanks,
>>
>> David
>>
>> --
>> Lift, the simply functional web framework http://liftweb.net
>> Beginning Scala http://www.apress.com/book/view/1430219890
>> Follow me: http://twitter.com/dpp
>> Surf the harmonics
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Lift" group.
>> To post to this group, send email to lift...@googlegroups.com.
>> To unsubscribe from this group, send email to
>> liftweb+unsubscr...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/liftweb?hl=en.
>>
>
>
