NotificationsYou must be signed in to change notification settings
Fork31
Star61

Commit9c2d325

zhourenjian

committed

Fixing cross site scripting's domain problem

1 parent7aa19fe commit9c2d325Copy full SHA for 9c2d325

File tree

4 files changed

+106

-39

lines changed

sources/net.sf.j2s.ajax
- ajaxpipe/net/sf/j2s/ajax
  - SimplePipeRequest.java
- ajaxrpc/net/sf/j2s/ajax
  - SimpleRPCRequest.java
- store/net/sf/j2s/store
  - SimpleStore.java
  - XSSCookieStore.java

4 files changed

+106

-39

lines changed

`‎sources/net.sf.j2s.ajax/ajaxpipe/net/sf/j2s/ajax/SimplePipeRequest.java‎`

Lines changed: 79 additions & 33 deletions

Original file line number	Diff line number	Diff line change
`@@ -335,32 +335,41 @@ public void onLoaded() {`
`335`	`335`	`}`
`336`	`336`	`var map = net.sf.j2s.ajax.SimplePipeRequest.pipeScriptMap;`
`337`	`337`	`var pipe = map[url];`
`338`		`-if (pipe != null) {`
	`338`	`+if (pipe != null && pipeID != null && pipeID.length > 0) {`
`339`	`339`	`var stillExistedRequest = false;`
`340`		`-var idPrefix =iframeID;`
`341`		`-var idx =iframeID.lastIndexOf ("-");`
	`340`	`+var idPrefix =pipeID;`
	`341`	`+var idx =pipeID.lastIndexOf ("-");`
`342`	`342`	`if (idx != -1) {`
`343`		`-idPrefix =iframeID.substring (0, idx);`
	`343`	`+idPrefix =pipeID.substring (0, idx);`
`344`	`344`	`}`
`345`	`345`	`var iframes = document.getElementsByTagName ("IFRAME");`
`346`	`346`	`for (var i = 0; i < iframes.length; i++) {`
`347`	`347`	`var el = iframes[i];`
`348`	`348`	`if (el.id != null && el.id.indexOf (idPrefix) == 0) {`
`349`		`-alert ("exist request!");`
`350`	`349`	`stillExistedRequest = true;`
`351`	`350`	`break;`
`352`	`351`	`}`
`353`	`352`	`}`
	`353`	`+if (!stillExistedRequest) {`
	`354`	`+var scripts = document.getElementsByTagName ("SCRIPT");`
	`355`	`+for (var i = 0; i < scripts.length; i++) {`
	`356`	`+var el = scripts[i];`
	`357`	`+if (el.id != null && el.id.indexOf (idPrefix) == 0) {`
	`358`	`+stillExistedRequest = true;`
	`359`	`+break;`
	`360`	`+}`
	`361`	`+}`
	`362`	`+}`
`354`	`363`	`pipe.queryEnded = !stillExistedRequest;`
`355`	`364`	`delete map[url];`
`356`	`365`	`}`
`357`	`366`	`*/`
`358`		`-nativestaticvoidupdatePipeByURL(StringiframeID,Stringurl);`
	`367`	`+nativestaticvoidupdatePipeByURL(StringpipeID,Stringurl);`
`359`	`368`
`360`	`369`	`/**`
`361`	`370`	`* @j2sNative`
`362`	`371`	`return function () {`
`363`		`-if (iframeID != null) {`
	`372`	`+if (pipeID != null) {`
`364`	`373`	`var pw = window.parent;`
`365`	`374`	`if (pw == null \|\| pw["net"] == null) return;`
`366`	`375`	`if (!pw.net.sf.j2s.ajax.SimpleRPCRequest.cleanUp(this)) {`
`@@ -369,11 +378,11 @@ public void onLoaded() {`
`369`	`378`	`var url = this.url;`
`370`	`379`	`this.url = null;`
`371`	`380`	`document.getElementsByTagName ("HEAD")[0].removeChild (this);`
`372`		`-var iframe = pw.document.getElementById (iframeID);`
	`381`	`+var iframe = pw.document.getElementById (pipeID);`
`373`	`382`	`if (iframe != null) {`
`374`	`383`	`iframe.parentNode.removeChild (iframe);`
`375`	`384`	`}`
`376`		`-pw.net.sf.j2s.ajax.SimplePipeRequest.updatePipeByURL (iframeID, url);`
	`385`	`+pw.net.sf.j2s.ajax.SimplePipeRequest.updatePipeByURL (pipeID, url);`
`377`	`386`	`} else {`
`378`	`387`	`if (window == null \|\| window["net"] == null) return;`
`379`	`388`	`if (!net.sf.j2s.ajax.SimpleRPCRequest.cleanUp(this)) {`
`@@ -382,11 +391,11 @@ public void onLoaded() {`
`382`	`391`	`var url = this.url;`
`383`	`392`	`this.url = null;`
`384`	`393`	`document.getElementsByTagName ("HEAD")[0].removeChild (this);`
`385`		`-net.sf.j2s.ajax.SimplePipeRequest.updatePipeByURL (iframeID, url);`
	`394`	`+net.sf.j2s.ajax.SimplePipeRequest.updatePipeByURL (pipeID, url);`
`386`	`395`	`}`
`387`	`396`	`};`
`388`	`397`	`*/`
`389`		`-nativestaticObjectgeneratePipeScriptCallback(StringiframeID);`
	`398`	`+nativestaticObjectgeneratePipeScriptCallback(StringpipeID);`
`390`	`399`
`391`	`400`	`/**`
`392`	`401`	`* Load or send data for pipe using SCRIPT tag.`
`@@ -398,11 +407,14 @@ public void onLoaded() {`
`398`	`407`	`script.type = "text/javascript";`
`399`	`408`	`script.src = url;`
`400`	`409`	`script.url = url;`
`401`		`-var iframeID = arguments[1];`
	`410`	`+var pipeID = arguments[1];`
	`411`	`+if (pipeID != null && pipeID.length > 0) {`
	`412`	`+script.id = pipeID;`
	`413`	`+}`
`402`	`414`	`var userAgent = navigator.userAgent.toLowerCase ();`
`403`	`415`	`var isOpera = (userAgent.indexOf ("opera") != -1);`
`404`	`416`	`var isIE = (userAgent.indexOf ("msie") != -1) && !isOpera;`
`405`		`-var fun = net.sf.j2s.ajax.SimplePipeRequest.generatePipeScriptCallback (iframeID);`
	`417`	`+var fun = net.sf.j2s.ajax.SimplePipeRequest.generatePipeScriptCallback (pipeID);`
`406`	`418`	`script.defer = true;`
`407`	`419`	`if (typeof (script.onreadystatechange) == "undefined" \|\| !isIE) { // W3C`
`408`	`420`	`script.onload = script.onerror = fun;`
`@@ -422,11 +434,11 @@ public void onLoaded() {`
`422`	`434`	`* @j2sNative`
`423`	`435`	`var iframe = document.createElement ("IFRAME");`
`424`	`436`	`iframe.style.display = "none";`
`425`		`-variframeID = null;`
	`437`	`+varpipeID = null;`
`426`	`438`	`do {`
`427`		`-iframeID = "pipe-script-" + pipeKey + "-" + Math.round (10000000 * Math.random ());`
`428`		`-} while (document.getElementById (iframeID) != null);`
`429`		`-iframe.id =iframeID;`
	`439`	`+pipeID = "pipe-script-" + pipeKey + "-" + Math.round (10000000 * Math.random ());`
	`440`	`+} while (document.getElementById (pipeID) != null);`
	`441`	`+iframe.id =pipeID;`
`430`	`442`	`document.body.appendChild (iframe);`
`431`	`443`	`var html = "<html><head><title></title>";`
`432`	`444`	`html += "<script type=\"text/javascript\">\r\n";`
`@@ -445,7 +457,7 @@ public void onLoaded() {`
`445`	`457`	`html += "window.setTimeout (function () {\r\n";`
`446`	`458`	`html += "net = { sf : { j2s : { ajax : { SimplePipeRequest : { generatePipeScriptCallback : " + net.sf.j2s.ajax.SimplePipeRequest.generatePipeScriptCallback + " } } } } };\r\n";`
`447`	`459`	`html += "(" + net.sf.j2s.ajax.SimplePipeRequest.loadPipeScript + ") (";`
`448`		`-html += "\"" + url.replace (/"/g, "\\\"") + "\", \"" +iframeID + "\"";`
	`460`	`+html += "\"" + url.replace (/"/g, "\\\"") + "\", \"" +pipeID + "\"";`
`449`	`461`	`html += ");\r\n";`
`450`	`462`	`if (ClassLoader.isOpera)`
`451`	`463`	`html += "}, " + (net.sf.j2s.ajax.SimplePipeRequest.pipeQueryInterval >> 2) + ");\r\n";`
`@@ -460,8 +472,11 @@ public void onLoaded() {`
`460`	`472`	`try {`
`461`	`473`	`var doc = handle.contentWindow.document;`
`462`	`474`	`doc.open ();`
`463`		`-if (ClazzLoader.isIE) {`
`464`		`-doc.domain = domain;`
	`475`	`+if (ClazzLoader.isIE && window["xss.domain.enabled"] == true`
	`476`	`+&& domain != null && domain.length > 0) {`
	`477`	`+try {`
	`478`	`+doc.domain = domain;`
	`479`	`+} catch (e) {}`
`465`	`480`	`}`
`466`	`481`	`doc.write (html);`
`467`	`482`	`doc.close ();`
`@@ -473,20 +488,25 @@ public void onLoaded() {`
`473`	`488`	`}`
`474`	`489`	`};`
`475`	`490`	`*/`
`476`		`-nativestaticObjectgenerateLazyIframeWriting(Objecthandle,Stringhtml);`
	`491`	`+nativestaticObjectgenerateLazyIframeWriting(Objecthandle,Stringdomain,Stringhtml);`
`477`	`492`
`478`	`493`	`/**`
`479`	`494`	`* @param handle`
`480`	`495`	`* @param html`
`481`	`496`	`* @j2sNative`
`482`	`497`	`var handle = arguments[0];`
`483`	`498`	`var html = arguments[1];`
`484`		`-var domain = document.domain;`
`485`		`-if (ClazzLoader.isIE) {`
	`499`	`+var domain = null;`
	`500`	`+try {`
	`501`	`+domain = document.domain;`
	`502`	`+} catch (e) {}`
	`503`	`+if (ClazzLoader.isIE && window["xss.domain.enabled"] == true`
	`504`	`+&& domain != null && domain.length > 0) {`
`486`	`505`	`document.domain = domain;`
`487`	`506`	`}`
`488`	`507`	`if (handle.contentWindow != null) {`
`489`		`-if (ClazzLoader.isIE) {`
	`508`	`+if (ClazzLoader.isIE && window["xss.domain.enabled"] == true`
	`509`	`+&& domain != null && domain.length > 0) {`
`490`	`510`	`handle.contentWindow.location = "#"diff-2e9546028b439e47f10ae82136efc33ec50c92cf5b35c65c7dcc1f29b1e3c818-491-511-0" data-selected="false" role="gridcell" tabindex="-1" valign="top">491`	`511`	`} else {`
`492`	`512`	`handle.contentWindow.location = "about:blank";`
`@@ -497,18 +517,20 @@ public void onLoaded() {`
`497`	`517`	`try {`
`498`	`518`	`var doc = handle.contentWindow.document;`
`499`	`519`	`doc.open ();`
`500`		`-if (ClazzLoader.isIE) {`
	`520`	`+if (ClazzLoader.isIE && window["xss.domain.enabled"] == true`
	`521`	`+&& domain != null && domain.length > 0) {`
`501`	`522`	`doc.domain = domain;`
`502`	`523`	`}`
`503`	`524`	`doc.write (html);`
`504`	`525`	`doc.close ();`
`505`	`526`	`} catch (e) {`
`506`		`-window.setTimeout (net.sf.j2s.ajax.SimplePipeRequest.generateLazyIframeWriting (handle, html), 25);`
	`527`	`+window.setTimeout (net.sf.j2s.ajax.SimplePipeRequest.generateLazyIframeWriting (handle,domain,html), 25);`
`507`	`528`	`}`
`508`	`529`	`*/`
`509`	`530`	`nativestaticvoidiframeDocumentWrite(Objecthandle,Stringhtml);`
`510`	`531`
`511`	`532`	`staticvoidpipeScript(SimplePipeRunnablerunnable) {// xss`
	`533`	`+// only for JavaScript`
`512`	`534`	`Stringurl =runnable.getPipeURL();`
`513`	`535`	`StringrequestURL =url + (url.indexOf('?') != -1 ?"&" :"?")`
`514`	`536`	`+constructRequest(runnable.pipeKey,PIPE_TYPE_XSS,true);`
`@@ -517,12 +539,32 @@ static void pipeScript(SimplePipeRunnable runnable) { // xss`
`517`	`539`	`* net.sf.j2s.ajax.SimplePipeRequest.pipeScriptMap[requestURL] = runnable;`
`518`	`540`	`*/ {}`
`519`	`541`	`if (isXSSMode(url)) {`
`520`		`-// in xss mode, iframe is used to avoid blocking other *.js loading`
`521`		`-loadPipeIFrameScript(runnable.pipeKey,requestURL);`
`522`		`-return;`
	`542`	`+booleanok4IFrameScript =true;`
	`543`	`+/**`
	`544`	`+ * @j2sNative`
	`545`	`+ * var domain = null;`
	`546`	`+ * try {`
	`547`	`+ * domain = document.domain;`
	`548`	`+ * } catch (e) {`
	`549`	`+ * }`
	`550`	`+ * ok4IFrameScript = domain != null && domain.length > 0;`
	`551`	`+ */ {}`
	`552`	`+if (ok4IFrameScript) {`
	`553`	`+// in xss mode, iframe is used to avoid blocking other *.js loading`
	`554`	`+loadPipeIFrameScript(runnable.pipeKey,requestURL);`
	`555`	`+return;`
	`556`	`+}`
`523`	`557`	`}`
`524`		`-loadPipeScript(requestURL);// never reach here? March 5, 2009`
`525`		`-// only for JavaScript`
	`558`	`+/**`
	`559`	`+ * @j2sNative`
	`560`	`+ * var pipeID = null;`
	`561`	`+ * do {`
	`562`	`+ * pipeID = "pipe-script-" + runnable.pipeKey + "-" + Math.round (10000000 * Math.random ());`
	`563`	`+ * } while (document.getElementById (pipeID) != null);`
	`564`	`+ * net.sf.j2s.ajax.SimplePipeRequest.loadPipeScript(requestURL, pipeID);`
	`565`	`+ */ {`
	`566`	`+loadPipeScript(requestURL);// reach here for about:blank page. April 8, 2010`
	`567`	`+ }`
`526`	`568`	`}`
`527`	`569`
`528`	`570`	`/**`
`@@ -645,6 +687,7 @@ public void onLoaded() {`
`645`	`687`	`var url = runnable.getPipeURL();`
`646`	`688`	`if (subdomain == null) {`
`647`	`689`	`document.domain = document.domain;`
	`690`	`+window["xss.domain.enabled"] = true;`
`648`	`691`	`}`
`649`	`692`	`ifr.src = url + (url.indexOf('?') != -1 ? "&" : "?")`
`650`	`693`	`+ spr.constructRequest(pipeKey, spr.PIPE_TYPE_SCRIPT, true)`
`@@ -666,7 +709,7 @@ public void onLoaded() {`
`666`	`709`	`if (last == -1) {`
`667`	`710`	`last = created;`
`668`	`711`	`}`
`669`		`-if (now - last >4 * spr.pipeLiveNotifyInterval) {`
	`712`	`+if (now - last >3 * spr.pipeLiveNotifyInterval) {`
`670`	`713`	`runnable.pipeAlive = false;`
`671`	`714`	`runnable.pipeClosed();`
`672`	`715`	`sph.removePipe(key);`
`@@ -912,13 +955,16 @@ static int restStringIndex(final String string, int start) {`
`912`	`955`	`* @j2sNative`
`913`	`956`	`* var subdomain = null;`
`914`	`957`	`* if (isSubdomain) {`
`915`		`- * subdomain = window.location.host;`
	`958`	`+ * try {`
	`959`	`+ * subdomain = window.location.host;`
	`960`	`+ * } catch (e) {}`
`916`	`961`	`* if (subdomain != null) {`
`917`	`962`	`* var idx = subdomain.indexOf (":");`
`918`	`963`	`* if (idx != -1) {`
`919`	`964`	`* subdomain = subdomain.substring (0, idx);`
`920`	`965`	`* }`
`921`	`966`	`* document.domain = subdomain; // set owner iframe's domain`
	`967`	`+ * window["xss.domain.enabled"] = true;`
`922`	`968`	`* }`
`923`	`969`	`* }`
`924`	`970`	`* return subdomain;`

`‎sources/net.sf.j2s.ajax/ajaxrpc/net/sf/j2s/ajax/SimpleRPCRequest.java‎`

Lines changed: 9 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -195,7 +195,15 @@ protected static String adjustRequestURL(String method, String url, String seria`
`195`	`195`	`} else {`
`196`	`196`	`locPort = parseInt (locPort);`
`197`	`197`	`}`
`198`		`-var locHost = loc.host;`
	`198`	`+var locHost = null;`
	`199`	`+try {`
	`200`	`+locHost = loc.host;`
	`201`	`+} catch (e) {`
	`202`	`+if (arguments.length == 2) {`
	`203`	`+return false; // about:blank page has no domain`
	`204`	`+}`
	`205`	`+return true; // about:blank page`
	`206`	`+}`
`199`	`207`	`var idx4 = locHost.indexOf (":");`
`200`	`208`	`if (idx4 != -1) {`
`201`	`209`	`locHost = locHost.substring (0, idx4);`

`‎sources/net.sf.j2s.ajax/store/net/sf/j2s/store/SimpleStore.java‎`

Lines changed: 7 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -17,8 +17,13 @@ private SimpleStore() {`
`17`	`17`	`* var ua = navigator.userAgent.toLowerCase ();`
`18`	`18`	`* var isOldIE = ua.indexOf ("msie 5.5") != -1 \|\| ua.indexOf ("msie 5.0") != -1;`
`19`	`19`	`* var cookieURL = window["j2s.xss.cookie.url"];`
`20`		`- * var isLocal = window.location.protocol == "file:"`
`21`		`- * \|\| window.location.host.toLowerCase ().indexOf ("localhost") != -1;`
	`20`	`+ * var isLocal = false;`
	`21`	`+ * try {`
	`22`	`+ * isLocal = window.location.protocol == "file:"`
	`23`	`+ * \|\| window.location.host.toLowerCase ().indexOf ("localhost") != -1;`
	`24`	`+ * } catch (e) {`
	`25`	`+ * isLocal = true;`
	`26`	`+ * }`
`22`	`27`	`* if (!isLocal && cookieURL != null && !isOldIE) {`
`23`	`28`	`* this.store = new net.sf.j2s.store.XSSCookieStore(cookieURL);`
`24`	`29`	`* } else {`

`‎sources/net.sf.j2s.ajax/store/net/sf/j2s/store/XSSCookieStore.java‎`

Lines changed: 11 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -10,8 +10,13 @@`
`10`	`10`	`* var ua = navigator.userAgent.toLowerCase ();`
`11`	`11`	`* var isOldIE = ua.indexOf ("msie 5.5") != -1 \|\| ua.indexOf ("msie 5.0") != -1;`
`12`	`12`	`* var xssCookieURL = window["j2s.xss.cookie.url"];`
`13`		`- * var isLocal = window.location.protocol == "file:"`
`14`		`- * \|\| window.location.host.toLowerCase ().indexOf ("localhost") != -1;`
	`13`	`+ * var isLocal = false;`
	`14`	`+ * try {`
	`15`	`+ * isLocal = window.location.protocol == "file:"`
	`16`	`+ * \|\| window.location.host.toLowerCase ().indexOf ("localhost") != -1;`
	`17`	`+ * } catch (e) {`
	`18`	`+ * isLocal = true;`
	`19`	`+ * }`
`15`	`20`	`* if (!isLocal && xssCookieURL != null && !isOldIE) {`
`16`	`21`	`* net.sf.j2s.store.XSSCookieStore.initialize(xssCookieURL);`
`17`	`22`	`* }`
`@@ -33,7 +38,10 @@ public XSSCookieStore(String url) {`
`33`	`38`	`/**`
`34`	`39`	`* @j2sNative`
`35`	`40`	`var ua = navigator.userAgent.toLowerCase ();`
`36`		`-document.domain = document.domain;`
	`41`	`+try {`
	`42`	`+document.domain = document.domain;`
	`43`	`+window["xss.domain.enabled"] = true;`
	`44`	`+} catch (e) {}`
`37`	`45`	`var xssIfr = document.getElementById ("xss-cookie");`
`38`	`46`	`if (xssIfr != null) {`
`39`	`47`	`return;`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit9c2d325

File tree

4 files changed

4 files changed

`‎sources/net.sf.j2s.ajax/ajaxpipe/net/sf/j2s/ajax/SimplePipeRequest.java‎`

`‎sources/net.sf.j2s.ajax/ajaxrpc/net/sf/j2s/ajax/SimpleRPCRequest.java‎`

`‎sources/net.sf.j2s.ajax/store/net/sf/j2s/store/SimpleStore.java‎`

`‎sources/net.sf.j2s.ajax/store/net/sf/j2s/store/XSSCookieStore.java‎`

0 commit comments