[Lift] Re: Lift security vulnerability

Thanks Joni! I appreciate the sample code.

Dan

On Mar 7, 8:10 am, Joni Freeman freeman.j...@gmail.com wrote:
> Note, it is very easy to clean up the JSON before rendering by using the 'map' function:
>
>     json map {
>       case JString(s) => JString(stripOutBinaryChars(s))
>       case x => x
>     }
>
> (You just need to implement that stripOutBinaryChars function...)
>
> Cheers Joni
>
> On Mar 5, 8:26 pm, Dano olearydani...@gmail.com wrote:
> I think I would like to amend my last post by asking if it is possible that the lift-json library support the ability to strip out binary characters, since many times an application uses the results of JSON operations to render back to the client.
>
> Thanks.
>
> Dan
>
> On Mar 5, 9:53 am, Dano olearydani...@gmail.com wrote:
> I can reproduce it in our application, but I think it is not necessarily due to Lift. This is what I am trying to sort out. We have client-side javascript which is sending JSON commands to the server and things blow up once things come back from the server. In this case, Lift is not responsible for the rendering so I would say this is an application issue. I am poking at the demo lift application to try to flush out issues common to the group and understand what is a framework issue and what needs to be addressed by the application.
>
> Thanks.
>
> Dan
>
> On Mar 5, 9:47 am, Naftoli Gugenheim naftoli...@gmail.com wrote:
> Can you reproduce the vulnerability in your own M3 app?
>
> - Dano olearydani...@gmail.com wrote:
> I would never claim to be astute. However, I did observe that demo.liftweb.net is now built using 2.0-M3 as is clearly listed at the bottom of the page. I also observed that the Wizard example is still broken (paste binary characters into 'First Name' and then click the Next button). I have not yet registered for an account with Assembla but would be happy to file the bug.
>
> Dan
>
> On Mar 4, 7:33 pm, Ross Mellgren dri...@gmail.com wrote:
> Check dpp's response as of 8:01
>
> -Ross
>
> On Mar 4, 2010, at 7:49 PM, Naftoli Gugenheim wrote:
> What version is the demo running?
>
> - Dano olearydani...@gmail.com wrote:
> Just saw that Lift 2.0-M3 was released. I looked to see if the vulnerability was still present in demo.liftweb.net and I am still able to generate exceptions in the browser when I paste binary characters in the textfields for the Wizard, Wizard Challenge, and Arc Challenge examples in the Misc section. Don't know if this remaining problem is supposed to be handled by the application or framework, but thought I would make a post to alert the group.
>
> Dan
>
> On Feb 24, 11:49 am, Dano olearydani...@gmail.com wrote:
> The recent Scala Days conference activity may have caused the updates to this thread to escape notice. Just wondering if there is concern about the remaining binary character problems I noted in my prior post.
>
> Thanks in advance.
>
> Dan
>
> On Feb 22, 1:34 pm, Dano olearydani...@gmail.com wrote:
> More information on this in case anyone is interested. If you go to the Lift demo website, it appears the issue with characters is mostly addressed except for the Misc code section. Specifically, the Wizard, Wizard Challenge and Arc Challenge #1 examples will generate XML parsing errors. For these problems, I am not sure if the issue is the example or the framework. If the issue is with the example, it would be good to know what Lift apps need to do to avoid getting bitten by binary characters entered into form fields.
>
> Thanks in advance.
>
> Dan
>
> On Feb 17, 11:06 am, Dano olearydani...@gmail.com wrote:
> Hello, I was wondering if the fix for the control characters issue was included in 2.0-M2. I just did a test with our Lift application built with 2.0-M2 and I am still seeing problems (i.e. javascript exceptions - NS_ERROR_INVALID_POINTER).
>
> Thanks in advance.
>
> Dan
>
> On Feb 3, 9:08 am, David Pollak feeder.of.the.be...@gmail.com wrote:
> Thanks for pointing that out. There are other problems as well... I'll fix them (in both the Scala and Lift diffs)
>
> On Wed, Feb 3, 2010 at 7:39 AM, Feng Zhang sharpzh...@gmail.com wrote:
> I found that in the fix, \n is changed to \t, while \t to \n. Is this desired behavior?
>
> Thank you,
> Feng
>
> On Wed, Feb 3, 2010 at 9:20 AM, Indrajit Raychaudhuri indraj...@gmail.com wrote:
> 1. Fix in head/master (2.0-SNAPSHOT) and prepone 2.0-M2.
> 2. Backport in 1.0.x branch and spin 1.0.4. We haven't marked 1.0.x 'unsupported' yet. Forcing apps to move to 2.0-M2
[Lift] Re: Lift security vulnerability

Note, it is very easy to clean up the JSON before rendering by using the 'map' function:

    json map {
      case JString(s) => JString(stripOutBinaryChars(s))
      case x => x
    }

(You just need to implement that stripOutBinaryChars function...)

Cheers Joni

On Mar 5, 8:26 pm, Dano olearydani...@gmail.com wrote:
> I think I would like to amend my last post by asking if it is possible that the lift-json library support the ability to strip out binary characters, since many times an application uses the results of JSON operations to render back to the client.
>
> Thanks.
>
> Dan
[Lift] Re: Lift security vulnerability

I would never claim to be astute. However, I did observe that demo.liftweb.net is now built using 2.0-M3 as is clearly listed at the bottom of the page. I also observed that the Wizard example is still broken (paste binary characters into 'First Name' and then click the Next button). I have not yet registered for an account with Assembla but would be happy to file the bug.

Dan

On Mar 4, 7:33 pm, Ross Mellgren dri...@gmail.com wrote:
> Check dpp's response as of 8:01
>
> -Ross
>
> On Mar 4, 2010, at 7:49 PM, Naftoli Gugenheim wrote:
> What version is the demo running?
>
> - Dano olearydani...@gmail.com wrote:
> Just saw that Lift 2.0-M3 was released. I looked to see if the vulnerability was still present in demo.liftweb.net and I am still able to generate exceptions in the browser when I paste binary characters in the textfields for the Wizard, Wizard Challenge, and Arc Challenge examples in the Misc section. Don't know if this remaining problem is supposed to be handled by the application or framework, but thought I would make a post to alert the group.
>
> Dan
>
> On Feb 24, 11:49 am, Dano olearydani...@gmail.com wrote:
> The recent Scala Days conference activity may have caused the updates to this thread to escape notice. Just wondering if there is concern about the remaining binary character problems I noted in my prior post.
>
> Thanks in advance.
>
> Dan
>
> On Feb 22, 1:34 pm, Dano olearydani...@gmail.com wrote:
> More information on this in case anyone is interested. If you go to the Lift demo website, it appears the issue with characters is mostly addressed except for the Misc code section. Specifically, the Wizard, Wizard Challenge and Arc Challenge #1 examples will generate XML parsing errors. For these problems, I am not sure if the issue is the example or the framework. If the issue is with the example, it would be good to know what Lift apps need to do to avoid getting bitten by binary characters entered into form fields.
>
> Thanks in advance.
>
> Dan
>
> On Feb 17, 11:06 am, Dano olearydani...@gmail.com wrote:
> Hello, I was wondering if the fix for the control characters issue was included in 2.0-M2. I just did a test with our Lift application built with 2.0-M2 and I am still seeing problems (i.e. javascript exceptions - NS_ERROR_INVALID_POINTER).
>
> Thanks in advance.
>
> Dan
>
> On Feb 3, 9:08 am, David Pollak feeder.of.the.be...@gmail.com wrote:
> Thanks for pointing that out. There are other problems as well... I'll fix them (in both the Scala and Lift diffs)
>
> On Wed, Feb 3, 2010 at 7:39 AM, Feng Zhang sharpzh...@gmail.com wrote:
> I found that in the fix, \n is changed to \t, while \t to \n. Is this desired behavior?
>
> Thank you,
> Feng
>
> On Wed, Feb 3, 2010 at 9:20 AM, Indrajit Raychaudhuri indraj...@gmail.com wrote:
> 1. Fix in head/master (2.0-SNAPSHOT) and prepone 2.0-M2.
> 2. Backport in 1.0.x branch and spin 1.0.4. We haven't marked 1.0.x 'unsupported' yet. Forcing apps to move to 2.0-M2 just for this vulnerability fix isn't fun.
>
> Cheers, Indrajit
>
> On 03/02/10 3:34 PM, Timothy Perrett wrote:
> +1 Fix it in head, no need to back-port; M2 is only around the corner.
>
> Cheers, Tim
>
> On 3 Feb 2010, at 09:49, Jeppe Nejsum Madsen wrote:
> David Pollak feeder.of.the.be...@gmail.com writes:
> I'd like to get a sense of how important the community views this defect. Is it a backport the fix to every milestone and release yesterday or is it a fix it in 2.0-M2 or someplace in between.
>
> For me, it's fix it in 2.0-SNAPSHOT
>
> /Jeppe
>
> --
> Lift, the simply functional web framework http://liftweb.net
> Beginning Scala http://www.apress.com/book/view/1430219890
> Follow me: http://twitter.com/dpp
> Surf the harmonics

--
You received this message because you are subscribed to the Google Groups "Lift" group.
To post to this group, send email to lift...@googlegroups.com.
To unsubscribe from this group, send email to liftweb+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/liftweb?hl=en.
Re: [Lift] Re: Lift security vulnerability

Can you reproduce the vulnerability in your own M3 app?

- Dano olearydani...@gmail.com wrote:
> I would never claim to be astute. However, I did observe that demo.liftweb.net is now built using 2.0-M3 as is clearly listed at the bottom of the page. I also observed that the Wizard example is still broken (paste binary characters into 'First Name' and then click the Next button). I have not yet registered for an account with Assembla but would be happy to file the bug.
>
> Dan
[Lift] Re: Lift security vulnerability

I can reproduce it in our application, but I think it is not necessarily due to Lift. This is what I am trying to sort out. We have client-side javascript which is sending JSON commands to the server and things blow up once things come back from the server. In this case, Lift is not responsible for the rendering so I would say this is an application issue. I am poking at the demo lift application to try to flush out issues common to the group and understand what is a framework issue and what needs to be addressed by the application.

Thanks.

Dan

On Mar 5, 9:47 am, Naftoli Gugenheim naftoli...@gmail.com wrote:
> Can you reproduce the vulnerability in your own M3 app?
[Lift] Re: Lift security vulnerability

I think I would like to amend my last post by asking if it is possible that the lift-json library support the ability to strip out binary characters, since many times an application uses the results of JSON operations to render back to the client.

Thanks.

Dan

On Mar 5, 9:53 am, Dano olearydani...@gmail.com wrote:
> I can reproduce it in our application, but I think it is not necessarily due to Lift. This is what I am trying to sort out. We have client-side javascript which is sending JSON commands to the server and things blow up once things come back from the server. In this case, Lift is not responsible for the rendering so I would say this is an application issue. I am poking at the demo lift application to try to flush out issues common to the group and understand what is a framework issue and what needs to be addressed by the application.
>
> Thanks.
>
> Dan
Re: [Lift] Re: Lift security vulnerability

On Fri, Mar 5, 2010 at 9:32 AM, Dano olearydani...@gmail.com wrote:
> I would never claim to be astute. However, I did observe that demo.liftweb.net is now built using 2.0-M3 as is clearly listed at the bottom of the page. I also observed that the Wizard example is still broken (paste binary characters into 'First Name' and then click the Next button). I have not yet registered for an account with Assembla but would be happy to file the bug.

I don't know what you mean by pasting binary characters into a field, but I have updated the Arc Challenge code to:

    class ArcChallenge extends StatefulSnippet {
      var dispatch: DispatchIt = {case _ => xhtml => ask}

      // Every char from 0 to 64,999, control characters included
      def control: String = (for (i <- 0 until 65000) yield i.toChar).mkString

      /**
       * Step 1: Type in a Phrase.
       */
      def ask = {
        <p>
          Say Anything:
          {text("", p => phrase = control + p + control)}
          {submit("Submit", () => dispatch = {case _ => xhtml => think})}
        </p>
      }

      /**
       * Step 2: Show a link that takes you to the Phrase you entered.
       */
      def think = submit("Click here to see what you said", () => dispatch = {case _ => xhtml => answer})

      /**
       * Step 3: Show the phrase.
       */
      def answer = <p>You said: {phrase}</p>

      private var phrase = ""
    }

This code inserts characters 0 - 65,000 into the string to be sent back to the browser, including every control character.

Once again, if you have a reproducible case (the exact steps that someone must follow) to cause Lift to emit illegal XHTML, please open a defect on Assembla.

> Dan
Re: [Lift] Re: Lift security vulnerability
On Fri, Mar 5, 2010 at 10:26 AM, Dano olearydani...@gmail.com wrote:
> I think I would like to amend my last post by asking if it is possible that the lift-json library support the ability to strip out binary characters since many times an application uses the results of JSON operations to render back to the client.

Control characters are legal in JSON so it's not the place of the library to strip out control characters.

If you're sending JSON strings that are supposed to be valid XHTML, then it's up to your app to make sure the Strings are valid. If you are using Scala's XML literals and toString, you are hitting a bug in the XML libraries that render incorrect Strings. I have fixed the bug in the 2.8 branch, but there's no practical way to go back and make the fix part of 2.7.x. If you use Lift's AltXML library to convert the XML to String. Lift's library also has the patch to ensure that XML -> String is valid per this W3C page: http://www.w3.org/International/questions/qa-controls

> Thanks.
>
> Dan
>
> On Mar 5, 9:53 am, Dano olearydani...@gmail.com wrote:
>> I can reproduce it in our application, but I think it is not necessarily due to Lift. This is what I am trying to sort out. We have client-side javascript which is sending JSON commands to the server and things blow up once things come back from the server. In this case, Lift is not responsible for the rendering so I would say this is an application issue. I am poking at the demo lift application to try to flush out issues common to the group and understand what is a framework issue and what needs to be addressed by the application.
>>
>> Thanks.
>>
>> Dan
>>
>> On Mar 5, 9:47 am, Naftoli Gugenheim naftoli...@gmail.com wrote:
>>> Can you reproduce the vulnerability in your own M3 app?
>>>
>>> Dano olearydani...@gmail.com wrote:
>>>> I would never claim to be astute. However, I did observe that demo.liftweb.net is now built using 2.0-M3 as is clearly listed at the bottom of the page. I also observed that the Wizard example is still broken (paste binary characters into 'First Name' and then click the Next button). I have not yet registered for an account with Assembla but would be happy to file the bug.
>>>>
>>>> Dan
Re: [Lift] Re: Lift security vulnerability
Agreed - it works fine even with double byte characters...

Cheers, Tim

On 5 Mar 2010, at 18:41, David Pollak wrote:
> I don't know what you mean by pasting binary characters
[Lift] Re: Lift security vulnerability
I should have been more clear on 'pasting binary characters'. At the url http://www.webmasterworld.com/forum39/1098.htm, they talk about an issue with binary characters. I copied the 'square character' text (which I have confirmed are binary) from that page into the Wizard example on the demo lift site.

As to JSON, our client side code is sending JSON containing what the user entered in the form. Based on the above, it sounds like we should strip the binary characters when processing the JSON commands.

Thanks.

Dan

On Mar 5, 10:49 am, David Pollak feeder.of.the.be...@gmail.com wrote:
> On Fri, Mar 5, 2010 at 10:26 AM, Dano olearydani...@gmail.com wrote:
>> I think I would like to amend my last post by asking if it is possible that the lift-json library support the ability to strip out binary characters since many times an application uses the results of JSON operations to render back to the client.
>
> Control characters are legal in JSON so it's not the place of the library to strip out control characters.
>
> If you're sending JSON strings that are supposed to be valid XHTML, then it's up to your app to make sure the Strings are valid. If you are using Scala's XML literals and toString, you are hitting a bug in the XML libraries that render incorrect Strings. I have fixed the bug in the 2.8 branch, but there's no practical way to go back and make the fix part of 2.7.x. If you use Lift's AltXML library to convert the XML to String. Lift's library also has the patch to ensure that XML -> String is valid per this W3C page: http://www.w3.org/International/questions/qa-controls
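Added example, not code from this thread or from Lift: the application-side filter that David's and Dan's messages above call for. It applies the XML 1.0 character rule from the W3C qa-controls page David links (TAB, LF and CR are the only C0 controls XML text may contain) to every string value in a parsed JSON command, so user input carried in JSON can be rendered back into XHTML without tripping the browser's XML parser. The sample command and its field names are constructed.

```javascript
// XML 1.0 "Char" production: #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
// Anything outside it (other C0 controls, lone surrogates, U+FFFE/U+FFFF) makes the
// XHTML response unparseable, which is the symptom reported in the thread.
const XML_CHAR_CLASS = '\\x09\\x0A\\x0D\\x20-\\uD7FF\\uE000-\\uFFFD\\u{10000}-\\u{10FFFF}';
const NOT_XML_CHAR = new RegExp('[^' + XML_CHAR_CLASS + ']', 'u');
const NOT_XML_CHAR_ALL = new RegExp('[^' + XML_CHAR_CLASS + ']', 'gu');

// Check used at the boundary: does this string contain anything XML 1.0 forbids?
function hasIllegalXmlChars(s) {
  return NOT_XML_CHAR.test(s);
}

// Drop the forbidden characters; TAB, LF, CR and all printable text (including
// double-byte and astral characters) pass through untouched.
function stripIllegalXmlChars(s) {
  return s.replace(NOT_XML_CHAR_ALL, '');
}

// Walk a parsed JSON value and clean every string (keys included), leaving the
// structure intact. JSON itself permits escaped controls such as "\u0001", so
// JSON.parse happily hands them to the application; this is where they must go.
function sanitizeJsonValue(value) {
  if (typeof value === 'string') return stripIllegalXmlChars(value);
  if (Array.isArray(value)) return value.map(sanitizeJsonValue);
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[stripIllegalXmlChars(k)] = sanitizeJsonValue(v);
    }
    return out;
  }
  return value; // numbers, booleans and null need no cleaning
}

// Constructed sample command (hypothetical field names): the "First Name"
// value carries U+0001 and U+0004, the control characters reported in the
// thread; the note carries a tab, a newline and a double-byte character,
// all of which are legal in XML and must survive.
const SAMPLE_COMMAND = JSON.stringify({
  cmd: 'wizard.next',
  fields: { firstName: 'Dan\u0001\u0004', note: 'line1\n\tline2 \u4e2d' },
});

// Parse an incoming JSON command and return a copy safe to render as XHTML.
function cleanCommand(json) {
  return sanitizeJsonValue(JSON.parse(json));
}

// Stand-alone demonstration.
const before = JSON.parse(SAMPLE_COMMAND);
const after = cleanCommand(SAMPLE_COMMAND);
console.log('firstName dirty:', hasIllegalXmlChars(before.fields.firstName)); // true
console.log('firstName clean:', JSON.stringify(after.fields.firstName));      // "Dan"
console.log('note unchanged:', after.fields.note === before.fields.note);     // true
```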
Re: [Lift] Re: Lift security vulnerability
On Fri, Mar 5, 2010 at 12:06 PM, Dano olearydani...@gmail.com wrote:
> I should have been more clear on 'pasting binary characters'. At the url http://www.webmasterworld.com/forum39/1098.htm, they talk about an issue with binary characters. I copied the 'square character' text (which I have confirmed are binary) from that page into the Wizard example on the demo lift site.

Dan,

And I did the same thing and it caused no problems. I also modified the example code to print out the characters and they were in fact control characters (1 and 4). They came through the other side (back to my browser) stripped from the XHTML.

As I said, if there is a reproducible case that you can show against Lift 2.0-M3 or 2.0-SNAPSHOT, open a ticket. However, in the future, please do not expect that I'll spend any more of my time addressing your issues.

David

> As to JSON, our client side code is sending JSON containing what the user entered in the form. Based on the above, it sounds like we should strip the binary characters when processing the JSON commands.
>
> Thanks.
>
> Dan
[Lift] Re: Lift security vulnerability
Just saw that Lift 2.0-M3 was released. I looked to see if the vulnerability was still present in demo.liftweb.net and I am still able to generate exceptions in the browser when I paste binary characters in the textfields for the Wizard, Wizard Challenge, and Arc Challenge examples in the Misc section. Don't know if this remaining problem is supposed to be handled by the application or framework, but thought I would make a post to alert the group.

Dan

On Feb 24, 11:49 am, Dano olearydani...@gmail.com wrote:
> The recent scala days conference activity may have caused the updates to this thread to escape notice. Just wondering if there is concern about the remaining binary character problems I noted in my prior post.
>
> Thanks in advance.
>
> Dan
Re: [Lift] Re: Lift security vulnerability
On Thu, Mar 4, 2010 at 4:33 PM, Dano olearydani...@gmail.com wrote:
> Just saw that Lift 2.0-M3 was released. I looked to see if the vulnerability was still present in demo.liftweb.net

And the astute and not-so-astute observer will note at the bottom of each page on demo.liftweb.net: Lift version 1.1-SNAPSHOT built on Tue Nov 24 13:58:20 PST 2009.

If you have a reproducible case (running against Lift 2.0-M3 or 2.0-SNAPSHOT) of the security vulnerability, you are welcome to submit it as a ticket.

> and I am still able to generate exceptions in the browser when I paste binary characters in the textfields for the Wizard, Wizard Challenge, and Arc Challenge examples in the Misc section. Don't know if this remaining problem is supposed to be handled by the application or framework, but thought I would make a post to alert the group.
>
> Dan
Re: [Lift] Re: Lift security vulnerability
What version is the demo running?

Dano olearydani...@gmail.com wrote:
> Just saw that Lift 2.0-M3 was released. I looked to see if the vulnerability was still present in demo.liftweb.net and I am still able to generate exceptions in the browser when I paste binary characters in the textfields for the Wizard, Wizard Challenge, and Arc Challenge examples in the Misc section. Don't know if this remaining problem is supposed to be handled by the application or framework, but thought I would make a post to alert the group.
>
> Dan
Re: [Lift] Re: Lift security vulnerability
Check dpp's response as of 8:01

-Ross

On Mar 4, 2010, at 7:49 PM, Naftoli Gugenheim wrote:
> What version is the demo running?
[Lift] Re: Lift security vulnerability
The recent Scala Days conference activity may have caused the updates to this thread to escape notice. Just wondering if there is concern about the remaining binary character problems I noted in my prior post. Thanks in advance.

Dan

On Feb 22, 1:34 pm, Dano olearydani...@gmail.com wrote:
More information on this in case anyone is interested. If you go to the Lift demo website, it appears the issue with characters is mostly addressed except for the Misc code section. Specifically, the Wizard, Wizard Challenge and Arc Challenge #1 examples will generate XML parsing errors. For these problems, I am not sure if the issue is the example or the framework. If the issue is with the example, it would be good to know what Lift apps need to do to avoid getting bitten by binary characters entered into form fields. Thanks in advance.

Dan

On Feb 17, 11:06 am, Dano olearydani...@gmail.com wrote:
Hello, I was wondering if the fix for the control characters issue was included in 2.0-M2. I just did a test with our Lift application built with 2.0-M2 and I am still seeing problems (i.e. javascript exceptions - NS_ERROR_INVALID_POINTER). Thanks in advance.

Dan

On Feb 3, 9:08 am, David Pollak feeder.of.the.be...@gmail.com wrote:
Thanks for pointing that out. There are other problems as well... I'll fix them (in both the Scala and Lift diffs)

On Wed, Feb 3, 2010 at 7:39 AM, Feng Zhang sharpzh...@gmail.com wrote:
I found that in the fix, \n is changed to \t, while \t to \n. Is this desired behavior? Thank you, Feng

On Wed, Feb 3, 2010 at 9:20 AM, Indrajit Raychaudhuri indraj...@gmail.com wrote:
1. Fix in head/master (2.0-SNAPSHOT) and prepone 2.0-M2.
2. Backport in 1.0.x branch and spin 1.0.4. We haven't marked 1.0.x 'unsupported' yet. Forcing apps to move to 2.0-M2 just for this vulnerability fix isn't fun.
Cheers, Indrajit

On 03/02/10 3:34 PM, Timothy Perrett wrote:
+1 Fix it in head, no need to back-port; M2 is only around the corner.
Cheers, Tim

On 3 Feb 2010, at 09:49, Jeppe Nejsum Madsen wrote:
David Pollak feeder.of.the.be...@gmail.com writes:
I'd like to get a sense of how important the community views this defect. Is it a backport the fix to every milestone and release yesterday or is it a fix it in 2.0-M2 or someplace in between.
For me, it's fix it in 2.0-SNAPSHOT
/Jeppe
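The question in the message above, what a Lift app should do with binary characters pasted into a form field, and the \n/\t mix-up Feng reports in the fix, as an added example. This is not Lift's code and not the patch discussed in the thread: it is plain Scala 2 with no Lift dependency, and the XmlSafe object, its function names and the pasted sample value are all constructed for this post. The two pieces are the check a practitioner actually needs: XML 1.0 has no escape form for NUL, ESC or the other C0 controls, so they have to be dropped before the value goes into a NodeSeq or an Ajax response, while the whitespace controls that XML does allow (\t, \n, \r) are escaped for a JavaScript string literal without being swapped.

```scala
// Added example (not Lift's code): sanitise user-supplied strings before they
// are rendered back into XHTML or into an Ajax/JSON response. Plain Scala 2,
// no Lift dependency; the object and function names are made up for this post.
object XmlSafe {

  // XML 1.0 section 2.2, the Char production:
  //   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
  // Anything outside it (NUL, ESC and the other C0 controls, U+FFFE/U+FFFF,
  // lone surrogates) has no escape form in XML: the document simply fails to
  // parse, which is the error the browser reports.
  def isXmlChar(cp: Int): Boolean =
    cp == 0x9 || cp == 0xA || cp == 0xD ||
      (cp >= 0x20 && cp <= 0xD7FF) ||
      (cp >= 0xE000 && cp <= 0xFFFD) ||
      (cp >= 0x10000 && cp <= 0x10FFFF)

  // Drop every code point XML forbids. Walks the string by code point so that
  // supplementary characters are kept whole; an unpaired surrogate comes back
  // from codePointAt as 0xD800..0xDFFF and is therefore dropped.
  def stripInvalidXmlChars(s: String): String = {
    val sb = new java.lang.StringBuilder(s.length)
    var i = 0
    while (i < s.length) {
      val cp = s.codePointAt(i)
      if (isXmlChar(cp)) sb.appendCodePoint(cp)
      i += Character.charCount(cp)
    }
    sb.toString
  }

  // Escape a value for a JavaScript or JSON string literal. \n and \t each map
  // to themselves (the fix reported in the thread had them swapped); the
  // remaining C0 controls and DEL become \uXXXX. U+2028/U+2029 are legal in
  // JSON and XML but terminate a line in JavaScript source, so they are
  // escaped as well.
  def escapeJsString(s: String): String = {
    val sb = new java.lang.StringBuilder(s.length + 8)
    s.foreach {
      case '"'  => sb.append("\\\"")
      case '\\' => sb.append("\\\\")
      case '\n' => sb.append("\\n")
      case '\r' => sb.append("\\r")
      case '\t' => sb.append("\\t")
      case c if c < 0x20 || c == 0x7f || c == 0x2028 || c == 0x2029 =>
        sb.append('\\').append("u%04x".format(c.toInt))
      case c => sb.append(c)
    }
    sb.toString
  }

  // Constructed input standing in for a paste into a form field: a NUL, an
  // ESC, a tab and a newline, built with toChar so no escape sequence is
  // involved. The first line shows the forbidden bytes gone and the legal
  // whitespace kept; the second shows the same value ready for a JS literal.
  def main(args: Array[String]): Unit = {
    val pasted = "Jane" + 0.toChar + 27.toChar + " Doe\tsecond\nline"
    val cleaned = stripInvalidXmlChars(pasted)
    val visible = cleaned.map(c =>
      if (c < 0x20) "<%02x>".format(c.toInt) else c.toString).mkString
    println("cleaned : " + visible)
    println("escaped : " + escapeJsString(cleaned))
  }
}
```

stripInvalidXmlChars is the one to run on every form value before it is placed into a NodeSeq or an Ajax response; in a lift-json tree the same function can be applied to each JString with JValue's map. Whether the framework or the application should own this step is exactly the question left open in the thread; doing it in the application as well costs nothing and protects against the demo-site failures regardless of which Lift version the app is built on.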
[Lift] Re: Lift security vulnerability
More information on this in case anyone is interested. If you go to the Lift demo website, it appears the issue with characters is mostly addressed except for the Misc code section. Specifically, the Wizard, Wizard Challenge and Arc Challenge #1 examples will generate XML parsing errors. For these problems, I am not sure if the issue is the example or the framework. If the issue is with the example, it would be good to know what Lift apps need to do to avoid getting bitten by binary characters entered into form fields. Thanks in advance.

Dan

On Feb 17, 11:06 am, Dano olearydani...@gmail.com wrote:
Hello, I was wondering if the fix for the control characters issue was included in 2.0-M2. I just did a test with our Lift application built with 2.0-M2 and I am still seeing problems (i.e. javascript exceptions - NS_ERROR_INVALID_POINTER). Thanks in advance.

Dan
[Lift] Re: Lift security vulnerability
Hello, I was wondering if the fix for the control characters issue was included in 2.0-M2. I just did a test with our Lift application built with 2.0-M2 and I am still seeing problems (i.e. javascript exceptions - NS_ERROR_INVALID_POINTER). Thanks in advance.

Dan

On Feb 3, 9:08 am, David Pollak feeder.of.the.be...@gmail.com wrote:
Thanks for pointing that out. There are other problems as well... I'll fix them (in both the Scala and Lift diffs)

On Wed, Feb 3, 2010 at 7:39 AM, Feng Zhang sharpzh...@gmail.com wrote:
I found that in the fix, \n is changed to \t, while \t to \n. Is this desired behavior? Thank you, Feng
[Lift] Re: Lift security vulnerability
On Feb 2, 4:57 pm, David Pollak feeder.of.the.be...@gmail.com wrote:
I'd like to get a sense of how important the community views this defect. Is it a backport the fix to every milestone and release yesterday or is it a fix it in 2.0-M2 or someplace in between.

I vote for 2.0-M2.