Does Shindig have any code to prevent behind-the-firewall attacks like
what was described in the OpenSocial Spec discussion?

Quote from Paul Linder:
You have to be very careful with redirects.  If your http client library
follows redirects you can open potential security holes.

Consider the following scenario:

1. Your fetch client forbids requests to internal networks like
127.0.0.1
2. A malicious user creates a public endpoint that redirects to
127.0.0.1
3. Your http client implementation blindly follows redirects.

By following redirects you negate all your careful checking in step 1.

Even worse if you have a stupid fetch library you could follow a
redirect to
file:///etc/passwd 


-----Original Message-----
From: John Hjelmstad [mailto:fa...@google.com] 
Sent: Monday, November 16, 2009 2:33 PM
To: shindig-dev@incubator.apache.org
Subject: Re: 3xx shouldn't be classified as errors in
gadgets.io.makeRequest

@see
http://groups.google.com/group/opensocial-and-gadgets-spec/browse_thread/thread/716acaa66ceba244

Seems to me that adding a FOLLOW_REDIRECTS option to makeRequest's
params would make sense, assuming all security concerns are resolved.

--j

On Mon, Nov 16, 2009 at 2:28 PM, Randy Hudson <huds...@us.ibm.com>
wrote:

> It would be great if developing/migrating a Web UI for use as a Gadget
> imposed the smallest possible "penalty".  For the most part, 
> makeRequest is the alternative to what would have been done via 
> XmlHttpRequest in the original, "standalone" version of the same web 
> app.  To me, this suggests that gadgets.io.makeRequest should emulate 
> the behavior of XmlHttpRequest as much as possible, including 
> following redirects (to locations at the same host).
>
> Developers migrating existing apps to run as a gadget may choose to 
> wrapper XmlHttpRequest (or existing equivalent, e.g. dojo.xhr) instead
> of changing all of their code that makes such calls.  This approach 
> also makes it possible to reuse code in both remote (i.e. in a gadget
> container) and local contexts.
>
> If makeRequest doesn't follow redirects, even developers starting from
> scratch would be encouraged to wrapper makeRequest with their own
> utility.
>  I wouldn't want to write javascript to follow redirects while 
> detecting redirect cycles every time I do XHR.
>
> -Randy Hudson
>
>
>
> From:
> John Hjelmstad <johnfa...@gmail.com>
> To:
> johnfa...@gmail.com, shindig.remai...@gmail.com, bea...@google.com, 
> jon.weyga...@gmail.com
> Date:
> 11/11/2009 04:33 PM
> Subject:
> Re: 3xx shouldn't be classified as errors in gadgets.io.makeRequest
>
>
>
> On Wed, Nov 11, 2009 at 12:54 PM, <jon.weyga...@gmail.com> wrote:
>
> > Is it clear from the OS specification that redirects should (or 
> > should not be) followed?
> >
>
> Not too sure...
>
>
> >
> > Would this be something that we would want to add, along with 
> > perhaps a parameter to turn it on/off?
>
>
> ...but I'd be in favor of this.
>
>
> >
> >
> > http://codereview.appspot.com/152070
> >
>
>
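The redirect scenario Paul Linder describes at the top of this thread, shown as an added example; it is not part of the thread and not Shindig's own code. Both clients are my own assumptions of how such a fetch proxy could be written: `naive_fetch` validates the destination once and then follows redirects blindly, `safe_fetch` re-validates every hop, refuses non-http(s) schemes, caps the chain length and detects cycles, and its `follow_redirects` flag stands in for the FOLLOW_REDIRECTS option proposed above. `fake_transport` and `fake_resolve` are constructed stand-ins for the network and DNS so the script runs offline; a real client would resolve with `socket.getaddrinfo` and connect to the address it checked.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}  # file:// and friends are never fetched
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5


class FetchBlocked(Exception):
    """Raised when a request (or one hop of a redirect chain) is refused."""


def is_internal(addr_text):
    """Loopback, RFC 1918, link-local, multicast, reserved and unspecified
    addresses all count as 'internal' for a server-side fetch proxy."""
    addr = ipaddress.ip_address(addr_text)
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def check_target(url, resolve):
    """Refuse a URL unless its scheme is http(s) and every address its host
    resolves to is routable. resolve(host) -> [ip, ...] stands in for DNS."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise FetchBlocked(f"scheme {parts.scheme!r} not allowed: {url}")
    if not parts.hostname:
        raise FetchBlocked(f"no host in {url}")
    addrs = resolve(parts.hostname)
    if not addrs:
        raise FetchBlocked(f"{parts.hostname} does not resolve")
    for ip in addrs:
        if is_internal(ip):
            raise FetchBlocked(f"{parts.hostname} resolves to internal {ip}")


def naive_fetch(url, transport, resolve):
    """The pattern the thread warns about: validate once, then follow
    redirects without re-validating the new location."""
    check_target(url, resolve)
    for _ in range(MAX_REDIRECTS + 1):
        status, headers, body = transport(url)
        if status in REDIRECT_STATUSES and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return status, body
    raise FetchBlocked("too many redirects")


def safe_fetch(url, transport, resolve, follow_redirects=True):
    """Re-run check_target on every hop, cap the chain and detect cycles.
    With follow_redirects=False the 3xx response is returned as-is (not
    treated as an error), leaving the decision to the caller."""
    chain = [url]
    for _ in range(MAX_REDIRECTS + 1):
        check_target(url, resolve)  # validated again for each hop
        status, headers, body = transport(url)
        if status in REDIRECT_STATUSES and follow_redirects:
            if "Location" not in headers:
                raise FetchBlocked(f"{status} without Location from {url}")
            url = urljoin(url, headers["Location"])  # relative Location ok
            if url in chain:
                raise FetchBlocked("redirect cycle: " + " -> ".join(chain + [url]))
            chain.append(url)
            continue
        return status, body, chain
    raise FetchBlocked(f"more than {MAX_REDIRECTS} redirects: " + " -> ".join(chain))


def is_blocked(fetch_fn, url, transport, resolve):
    """True if fetch_fn refuses the URL at any hop."""
    try:
        fetch_fn(url, transport, resolve)
    except FetchBlocked:
        return True
    return False


# Constructed stand-ins for the network and DNS; no real host is contacted.
FAKE_SITES = {
    "http://public.example/redir": (302, {"Location": "http://127.0.0.1/admin"}, b""),
    "http://127.0.0.1/admin": (200, {}, b"INTERNAL ADMIN PAGE"),
    "http://public.example/file": (302, {"Location": "file:///etc/passwd"}, b""),
    "http://public.example/a": (302, {"Location": "/b"}, b""),
    "http://public.example/b": (302, {"Location": "/a"}, b""),
    "http://public.example/ok": (301, {"Location": "https://public.example/ok"}, b""),
    "https://public.example/ok": (200, {}, b"hello"),
}
FAKE_DNS = {"public.example": ["93.184.216.34"],  # constructed public address
            "localhost": ["127.0.0.1"], "127.0.0.1": ["127.0.0.1"]}


def fake_transport(url):
    return FAKE_SITES.get(url, (404, {}, b""))


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for path in ("ok", "redir", "file", "a"):
        url = f"http://public.example/{path}"
        print(f"{url:30} naive blocked={is_blocked(naive_fetch, url, fake_transport, fake_resolve)!s:5} "
              f"safe blocked={is_blocked(safe_fetch, url, fake_transport, fake_resolve)}")
```

Running the script shows the two clients diverging only on the redirect cases: the naive one hands back the loopback "admin" body after being pointed at a public URL, while the hardened one refuses the hop, refuses the file:// Location outright and stops the a/b loop by remembering the chain rather than counting attempts. Checking each hop is the property a FOLLOW_REDIRECTS option would need in order to be safe to turn on.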
