Rietveld Code Review Tool

Issue 7001045: Fix another setTimeout-derived security bug. (Closed)

Created: 12 years, 8 months ago by kpreid2
Modified: 12 years, 7 months ago
Reviewers: metaweta
CC: caja-discuss-undisclosed_googlegroups.com, MarkM, felix8a, ihab.awad, Jasvir, kpreid2, metaweta, MikeSamuel
Base URL: http://google-caja.googlecode.com/svn/trunk/
Visibility: Public.

Description

The guest-provided value of (virtual) window.onload was passed to setTimeout without verification, allowing a string to be passed in and thus evaluated in the host page context. All occurrences of setTimeout with guest-provided callbacks in Domado have now been funneled through the tamed setTimeout. Only window.onload was specifically vulnerable, but I have changed the others to gain the other robustness benefits outlined in tameSetAndClear.
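
As an added illustration of the pattern the fix describes (this is not Caja's Domado code; the implementation of `tameSetAndClear`, the guest/host id mapping and the fake host are assumptions made here), a tamed setTimeout/clearTimeout pair that refuses non-function callbacks, so a guest-supplied string can never reach the host's setTimeout and be evaluated, with the virtual window.onload dispatch funnelled through it:

```javascript
// Tamed setTimeout/clearTimeout pair over the host's timer functions.
// Callbacks must be functions: a string would be evaluated as code in the
// host page by the browser's own setTimeout. Guest-visible ids are mapped
// to host ids, so the guest can only cancel timers it created via this pair.
function tameSetAndClear(hostSet, hostClear) { // assumed design, not Domado's
  const guestToHost = new Map();
  let nextGuestId = 1;
  function tamedSet(callback, delay) {
    if (typeof callback !== 'function') {
      throw new TypeError('timer callback must be a function, got ' + typeof callback);
    }
    const guestId = nextGuestId++;
    const hostId = hostSet(function () {
      guestToHost.delete(guestId); // one-shot: forget the id once it fires
      callback();
    }, Number(delay) || 0);
    guestToHost.set(guestId, hostId);
    return guestId;
  }
  function tamedClear(guestId) {
    const hostId = guestToHost.get(guestId);
    if (hostId === undefined) return false; // not ours, or already fired
    guestToHost.delete(guestId);
    hostClear(hostId);
    return true;
  }
  return { setTimeout: tamedSet, clearTimeout: tamedClear };
}

// Virtual window.onload dispatch in the spirit of the fix: the guest value is
// funnelled through the tamed setTimeout, so a string stored in onload is
// refused (null) instead of being evaluated by the host.
function fireVirtualOnload(tamed, guestWindow) {
  if (typeof guestWindow.onload !== 'function') return null;
  return tamed.setTimeout(guestWindow.onload, 0);
}

// Constructed stand-in for the host timer API: records calls instead of
// scheduling, so the behaviour can be checked without a browser.
function fakeHost() {
  const pending = new Map();
  let nextId = 100;
  const set = (fn, delay) => { const id = nextId++; pending.set(id, { fn, delay }); return id; };
  const clear = (id) => { pending.delete(id); };
  const runAll = () => { for (const [id, t] of [...pending]) { pending.delete(id); t.fn(); } };
  return { pending, set, clear, runAll };
}
```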

Patch Set 1

Stats: +3 lines, -3 lines
M src/com/google/caja/plugin/domado.js (1 chunk, +3 lines, -3 lines, 0 comments)

Messages

Total messages: 3
kpreid2
12 years, 8 months ago (2012-12-21 01:32:26 UTC) #1

metaweta
12 years, 8 months ago (2012-12-21 01:35:59 UTC) #2
Is there anything we can do to prevent future uses of window.setTimeout?

metaweta
12 years, 8 months ago (2012-12-21 01:40:05 UTC) #3
lgtm
