[mochikit] Base.js unescape reassignment and intrusion protection systems
I have found a problem with MochiKit Base.js and the intrusion protection system at work. The IPS truncates Base.js because it assigns the unescape() function to a variable (in parseQueryString(), line 1225 in version 1.4.2 of Base.js).

The IPS response is documented here: http://www.iss.net/security_center/reference/vuln/JavaScript_Unescape_Obfuscation.htm

Has anybody else seen this behaviour? Could the code be re-written to not use that reassignment?

(I discovered this because MarkMail does not work, and it uses a compressed version of MochiKit 1.4.)

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups MochiKit group.
To post to this group, send email to mochikit@googlegroups.com
To unsubscribe from this group, send email to mochikit+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/mochikit?hl=en
-~--~~~~--~~--~--~---
[mochikit] Re: Base.js unescape reassignment and intrusion protection systems
The reassignment is for backwards compatibility if I understand it correctly:

    if (typeof(decodeURIComponent) != "undefined") {
        decode = decodeURIComponent;
    } else {
        decode = unescape;
    }

From the JavaScript 1.5 guide at Mozilla:

"The escape and unescape functions do not work properly for non-ASCII characters and have been deprecated. In JavaScript 1.5 and later, use encodeURI, decodeURI, encodeURIComponent, and decodeURIComponent."

https://developer.mozilla.org/En/Core_JavaScript_1.5_Guide/Predefined_Functions/Escape_and_unescape_Functions

I don't see any good alternative solutions here. Perhaps the IDS should be forced to allow a few exceptions?

Cheers,
/Per

On Fri, Jul 17, 2009 at 03:34, Michael <mstras...@gmail.com> wrote:
> I have found a problem with MochiKit Base.js and the intrusion protection system at work. The IPS truncates Base.js because it assigns the unescape() function to a variable (in parseQueryString(), line 1225 in version 1.4.2 of Base.js).
>
> The IPS response is documented here: http://www.iss.net/security_center/reference/vuln/JavaScript_Unescape_Obfuscation.htm
>
> Has anybody else seen this behaviour? Could the code be re-written to not use that reassignment?
>
> (I discovered this because MarkMail does not work, and it uses a compressed version of MochiKit 1.4.)
[mochikit] Re: Base.js unescape reassignment and intrusion protection systems
There are various ways it could be rewritten, but without knowing exactly how stupid the IPS is it's hard to say which permutation would pass its test. Someone who can reproduce this issue should spend some time with it and produce a patch.

On Thu, Jul 16, 2009 at 6:34 PM, Michael <mstras...@gmail.com> wrote:
> I have found a problem with MochiKit Base.js and the intrusion protection system at work. The IPS truncates Base.js because it assigns the unescape() function to a variable (in parseQueryString(), line 1225 in version 1.4.2 of Base.js).
>
> The IPS response is documented here: http://www.iss.net/security_center/reference/vuln/JavaScript_Unescape_Obfuscation.htm
>
> Has anybody else seen this behaviour? Could the code be re-written to not use that reassignment?
>
> (I discovered this because MarkMail does not work, and it uses a compressed version of MochiKit 1.4.)
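
Added example, not part of the thread and not MochiKit or IPS vendor code: a small triage helper for the kind of alert discussed above. It scans JavaScript source for `unescape` being assigned to a variable and reports whether the assignment sits in a `decodeURIComponent` feature-detection fallback like the one quoted in the thread. The function names, regexes, labels and the 200-character look-behind window are assumptions, and the samples are constructed.

```javascript
// Added example: alert-triage helper, not MochiKit code and not a vendor rule.
// Matches `name = unescape` where unescape is referenced, not called.
const ALIAS_RE = /([A-Za-z_$][\w$]*)\s*=\s*unescape\b(?!\s*\()/g;
// Matches the feature test typeof(decodeURIComponent) != "undefined".
const FEATURE_TEST_RE =
  /typeof\s*\(?\s*decodeURIComponent\s*\)?\s*!==?\s*["']undefined["']/;

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

function findUnescapeAliases(source, windowSize = 200) {
  const findings = [];
  for (const m of source.matchAll(ALIAS_RE)) {
    const name = m[1];
    const before = source.slice(Math.max(0, m.index - windowSize), m.index);
    // Fallback shape: the same variable is first given decodeURIComponent
    // under a typeof feature test, and unescape only afterwards.
    const preferred = new RegExp(
      "(?<![\\w$])" + escapeRegExp(name) + "\\s*=\\s*decodeURIComponent\\b");
    const isFallback = FEATURE_TEST_RE.test(before) && preferred.test(before);
    findings.push({
      name,
      line: source.slice(0, m.index).split("\n").length,
      kind: isFallback ? "feature-detect-fallback" : "bare-alias",
    });
  }
  return findings;
}

// Constructed samples: the fallback quoted in the thread, a minified
// variant of it, and an alias with no feature test around it.
const SAMPLES = {
  fallback: [
    'if (typeof(decodeURIComponent) != "undefined") {',
    '    decode = decodeURIComponent;',
    '} else {',
    '    decode = unescape;',
    '}',
  ].join("\n"),
  minified:
    'if(typeof(decodeURIComponent)!="undefined"){d=decodeURIComponent}else{d=unescape}',
  bare: 'var u = unescape;\nvar s = u("%41%42");',
};

for (const [label, src] of Object.entries(SAMPLES)) {
  console.log(label, JSON.stringify(findUnescapeAliases(src)));
}
```

The label is context for reviewing an alert or scoping an exception, not a verdict on the file.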