From 7295eece099f6c27b43afa4589cbd8c5f01a806e Mon Sep 17 00:00:00 2001
From: Brett Zamir
Date: Mon, 10 Feb 2014 05:33:05 +0000
Subject: [PATCH] Potentially breaking change: Prevent setting of extPath via URL and prevent setting of cross-domain or cross-folder extensions via URL, i.e., if the extensions string possesses the character ":", "/", or, to be extra safe, "\", (issue #4 of mailing list post "Agenda for resolving security issues"). extPath and extensions can still be meaningfully set freely via setConfig calls, e.g., "svgCanvas.setConfig({extPath: ..., extensions: ...});" if made before Editor.init() is called in svg-editor.js (which is called on a jQuery ready (i.e., DOMContentLoaded) event). To avoid modifying svg-editor.html, one could build an extension which loaded its own scripts as done by the simple extFunc() function in svg-editor.js, but this would occur a little later (Should we export extFunc() for this usage?).

git-svn-id: http://svg-edit.googlecode.com/svn/trunk@2671 eee81c28-f429-11dd-99c0-75d572ba1ddd
---
 editor/svg-editor.js | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/editor/svg-editor.js b/editor/svg-editor.js
index 5cab05f2..1a027393 100644
--- a/editor/svg-editor.js
+++ b/editor/svg-editor.js
@@ -234,17 +234,21 @@
 urldata.dimensions = urldata.dimensions.split(',');
 }
- if (urldata.extensions) {
- // For security reasons, disallow cross-domain extensions via URL
- urldata.extensions = (urldata.extensions.indexOf(':') > -1) ? '' : urldata.extensions.split(',');
- }
-
 if (urldata.bkgd_color) {
 urldata.bkgd_color = '#' + urldata.bkgd_color;
 }
- if (urldata.extPath && urldata.extPath.indexOf(':') > -1) { // For security reasons, disallow cross-domain extension path via URL
- delete urldata.extPath;
+ if (urldata.extensions) {
+ // For security reasons, disallow cross-domain or cross-folder extensions via URL
+ urldata.extensions = urldata.extensions.match(/[:\/\\]/) ? '' : urldata.extensions.split(',');
+ }
+
+ // Disallowing extension paths via URL for
+ // security reasons, even for same-domain
+ // ones given potential to interact in undesirable
+ // ways with other script resources
+ if (urldata.extPath) {
+ delete urldata.extPath;
 }
 svgEditor.setConfig(urldata);