On Tue, Feb 2, 2010 at 5:43 PM, David Pollak <[email protected]> wrote:

> The xml spec only allows tab, cr, and lf... no other control chars.
>
> The defect is in the scala.xml.Utility.escape method
>
> This method is an amazing piece of crap... every character in the string is
> wrapped in a Character object and then wrapped in a Cons cell.

Okay... I was wrong about this... the RichString.elements method returns an Iterator.

My patch gives a 3x performance improvement over Scala 2.7.7 and a 4x improvement over 2.8.

The patch is submitted: http://lampsvn.epfl.ch/trac/scala/ticket/3014

I will also put a patch to Lift on review board in a few minutes.

> The fix will improve performance radically.
>
> Connected by MOTOBLUR™ on T-Mobile
>
> -----Original message-----
> From: Naftoli Gugenheim <[email protected]>
> To: liftweb <[email protected]>
> Sent: Wed, Feb 3, 2010 01:31:24 GMT+00:00
> Subject: Re: [Lift] Lift security vulnerability
>
> If you scan the whole page wouldn't it affect performance? Or will you
> put a safeguard in the input field / processing query parameters?
>
> 2010/2/2 Naftoli Gugenheim :
> > Is that not a defect of the browsers?
> >
> > On Tue, Feb 2, 2010 at 7:57 PM, David Pollak wrote:
> >> Folks,
> >>
> >> Turns out there's a security vulnerability in Lift. It's possible to insert
> >> control characters into input fields. When the control characters are sent
> >> back to the browser, the browser will choke. An example can be seen at
> >> http://demo.liftweb.net Go to that page, enter your name in the chat input
> >> box and then reload the page. In Firefox, the page will not be rendered at
> >> all. In Chrome, rendering will stop at the point that the control character
> >> is encountered. This can cause a denial of service attack on any page that
> >> contains user input.
> >>
> >> I will work on a fix for this vulnerability (filter control characters other
> >> than \n and \r from Text fields when the page is being sent back to the
> >> browser.)
> >>
> >> I'd like to get a sense of how important the community views this defect.
> >> Is it a "backport the fix to every milestone and release yesterday" or is it
> >> a "fix it in 2.0-M2" or someplace in between.
> >>
> >> Thanks,
> >>
> >> David

--
Lift, the simply functional web framework http://liftweb.net
Beginning Scala http://www.apress.com/book/view/1430219890
Follow me: http://twitter.com/dpp
Surf the harmonics

--
You received this message because you are subscribed to the Google Groups "Lift" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/liftweb?hl=en.
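
The filtering discussed in the thread above (drop control characters other than tab, CR and LF while escaping text for output), as an added example that is not the patch attached to the Scala ticket and not Lift's code. It goes slightly beyond the thread by applying the full XML 1.0 `Char` production, so lone surrogates and U+FFFE/U+FFFF are dropped as well; `XmlTextEscape`, `isXmlChar` and `escape` are hypothetical names.

```scala
// Added example: single-pass escaper that drops characters XML 1.0 forbids.
// It appends straight into one StringBuilder, with no per-character boxing.
object XmlTextEscape {

  /** True if the code point is allowed by the XML 1.0 Char production:
    * #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
    */
  def isXmlChar(cp: Int): Boolean =
    cp == 0x9 || cp == 0xA || cp == 0xD ||
      (cp >= 0x20 && cp <= 0xD7FF) ||
      (cp >= 0xE000 && cp <= 0xFFFD) ||
      (cp >= 0x10000 && cp <= 0x10FFFF)

  /** Escape markup characters and silently drop disallowed code points. */
  def escape(text: String): String = {
    val sb = new java.lang.StringBuilder(text.length + 16)
    var i = 0
    while (i < text.length) {
      // codePointAt returns an unpaired surrogate as itself, which
      // isXmlChar then rejects (it falls in the D800-DFFF gap).
      val cp = text.codePointAt(i)
      i += Character.charCount(cp)
      if (cp == '<') sb.append("&lt;")
      else if (cp == '>') sb.append("&gt;")
      else if (cp == '&') sb.append("&amp;")
      else if (cp == '"') sb.append("&quot;")
      else if (isXmlChar(cp)) sb.appendCodePoint(cp)
      // else: control character, lone surrogate or U+FFFE/U+FFFF is dropped
    }
    sb.toString
  }

  def main(args: Array[String]): Unit = {
    // Constructed input: a chat name carrying NUL, BEL and ESC plus markup.
    val hostile = "Bob\u0000\u0007<b>\u001b[31m & co\tok\r\n"
    val out = escape(hostile)
    assert(out == "Bob&lt;b&gt;[31m &amp; co\tok\r\n")
    // No C0 control other than tab, LF, CR reaches the browser.
    assert(!out.exists(c => c < 0x20 && c != '\t' && c != '\n' && c != '\r'))
    // A lone high surrogate is removed rather than emitted as broken UTF-16.
    assert(escape("a\uD800b") == "ab")
    println(out)
  }
}
```

Dropping the characters at output time covers every page that echoes stored input, including values saved before any input-side check existed.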
