From "jiraposter@reviews.apache.org (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SHINDIG-1765) Replace the unparseable cruft message "throw 1; < don't be evil' >" constant in client and server with a container config
Date Wed, 09 May 2012 11:43:52 GMT

    [ https://issues.apache.org/jira/browse/SHINDIG-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13271340#comment-13271340 ]

jiraposter@reviews.apache.org commented on SHINDIG-1765:
--------------------------------------------------------


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/5011/#review7730
-----------------------------------------------------------

Ship it!


LGTM.  Please add the shindig group for review.

- Stanton


On 2012-05-09 02:21:04, Marshall Shi wrote:
bq.  
bq.  -----------------------------------------------------------
bq.  This is an automatically generated e-mail. To reply, visit:
bq.  https://reviews.apache.org/r/5011/
bq.  -----------------------------------------------------------
bq.  
bq.  (Updated 2012-05-09 02:21:04)
bq.  
bq.  
bq.  Review request for Ryan Baxter, Dan Dumont and Stanton Sievers.
bq.  
bq.  
bq.  Summary
bq.  -------
bq.  
bq.  The gadget io request will inject an unparseable cruft message "throw 1; < don't be evil' >" in the response content intentionally for security reasons.
bq.  However, this "throw 1; < don't be evil' >" string has been hardcoded in:
bq.  features/src/main/javascript/features/core.io/io.js
bq.  java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java
bq.  
bq.  It would be good to extract the message into a container config, so:
bq.  - client and server can reuse the same message.
bq.  - Shindig consumers can replace the message with their own. 
bq.  
bq.  
bq.  This addresses bug SHINDIG-1765.
bq.      https://issues.apache.org/jira/browse/SHINDIG-1765
bq.  
bq.  
bq.  Diffs
bq.  -----
bq.  
bq.    http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js 1333012 
bq.    http://svn.apache.org/repos/asf/shindig/trunk/features/src/test/javascript/features/core.io/iotest.js 1333012 
bq.    http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1333012 
bq.    http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1333012 
bq.    http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1333012 
bq.    http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1333012 
bq.  
bq.  Diff: https://reviews.apache.org/r/5011/diff
bq.  
bq.  
bq.  Testing
bq.  -------
bq.  
bq.  Tested by trying a few other messages in the container.js; the replaced message shows up in the response correctly.
bq.  
bq.  
bq.  Thanks,
bq.  
bq.  Marshall
bq.  
bq.


                
> Replace the unparseable cruft message "throw 1; < don't be evil' >" constant in client and server with a container config
> -------------------------------------------------------------------------------------------------------------------------
>
>                 Key: SHINDIG-1765
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-1765
>             Project: Shindig
>          Issue Type: Improvement
>          Components: Java
>    Affects Versions: 2.5.0
>            Reporter: Marshall Shi
>             Fix For: 2.5.0
>
>   Original Estimate: 4h
>  Remaining Estimate: 4h
>
> The gadget io request will inject an unparseable cruft message "throw 1; < don't be evil' >" in the response content intentionally for security reasons. 
> However, this "throw 1; < don't be evil' >" string has been hardcoded in:
> features/src/main/javascript/features/core.io/io.js
> java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java
> It would be good to extract the message into a container config, so:
> - client and server can reuse the same message.
> - Shindig consumers can replace the message with their own.
> The new config can be added into gadgets.features.core.io in container.js, as shown below

> "gadgets.features" : {
>   "core.io" : {
>     // Note: ${Cur['gadgets.uri.proxy.path']} is an open proxy. Be careful how you expose this!
>     // Note: These urls should be protocol relative (start with //)
>     "proxyUrl" : "//${Cur['default.domain.unlocked.client']}${Cur['gadgets.uri.proxy.path']}?container=%container%&refresh=%refresh%&url=%url%%rewriteMime%",
>     "jsonProxyUrl" : "//${Cur['default.domain.locked.client']}${CONTEXT_ROOT}/gadgets/makeRequest",
>     "unparseableCruft" : "throw 1; < don't be evil' >"
>   },
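An added example (not Shindig's io.js or MakeRequestHandler code) illustrating the mechanism the issue relies on: the server prepends the configured prefix so the JSON body cannot be compiled as a script, and the client, which reads the same container-config value, verifies and strips the prefix before parsing. The function names `wrapResponse`, `unwrapResponse` and `isLoadableAsScript` are hypothetical, and the `UNPARSEABLE_CRUFT` constant stands in for the `gadgets.features.core.io.unparseableCruft` value from container.js quoted above.

```javascript
// Added example, not Shindig's code: a configurable "unparseable cruft" prefix
// that prevents a JSON response from being usable when another origin includes it
// as a script, plus the client-side step that strips the same prefix before parsing.

// Stand-in for the container.js value gadgets.features.core.io.unparseableCruft.
const UNPARSEABLE_CRUFT = "throw 1; < don't be evil' >";

// Server side (hypothetical name): serialize the payload and prepend the prefix,
// so the body is a valid message for our client but not a valid JavaScript program.
function wrapResponse(payload, cruft = UNPARSEABLE_CRUFT) {
  return cruft + JSON.stringify(payload);
}

// Client side (hypothetical name): the client knows the same configured prefix,
// so it checks for it and removes it before handing the rest to JSON.parse.
// A body that does not start with the expected prefix is rejected rather than
// parsed, so a server/client configuration mismatch fails closed.
function unwrapResponse(body, cruft = UNPARSEABLE_CRUFT) {
  if (typeof body !== 'string' || !body.startsWith(cruft)) {
    throw new Error('response does not start with the expected unparseable cruft prefix');
  }
  return JSON.parse(body.slice(cruft.length));
}

// Why the prefix protects the data: the wrapped body cannot even be compiled as a
// script, so a <script src> include of the response on another origin yields nothing.
// new Function only compiles the text; it is never invoked here.
function isLoadableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample round trip.
const sampleBody = wrapResponse({ ok: true, n: 3 });
console.log(sampleBody);                         // prefixed JSON text
console.log(isLoadableAsScript(sampleBody));     // false: unusable as a script
console.log(unwrapResponse(sampleBody));         // { ok: true, n: 3 }
```

The check in `unwrapResponse` is the reason the issue wants one shared config value: if the server were reconfigured with a different message while the client still looked for the old one, every response would be rejected at the client rather than silently parsed with garbage in front of it.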
