Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commitbc24fdd

Browse files
author
zhourenjian
committed
Fixed bug that XSS does not support data with length larger than 2k(IE)/8k(FF or others)
Now sending XSS data packet by packet in orders
1 parentdf215f4 commitbc24fdd

File tree

1 file changed

+52
-26
lines changed

1 file changed

+52
-26
lines changed

‎sources/net.sf.j2s.ajax/ajaxrpc/net/sf/j2s/ajax/SimpleRPCRequest.java‎

Lines changed: 52 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -95,6 +95,9 @@ static String getClassNameURL(SimpleRPCRunnable runnable) {
9595

9696
privatestaticvoidajaxRequest(finalSimpleRPCRunnablerunnable) {
9797
Stringurl =runnable.getHttpURL();
98+
if (url ==null) {
99+
url ="";
100+
}
98101
Stringmethod =runnable.getHttpMethod();
99102
Stringserialize =runnable.serialize();
100103
if (method ==null) {
@@ -331,28 +334,25 @@ protected static boolean checkXSS(String url, String serialize, SimpleRPCRunnabl
331334
* @j2sNative
332335
return function () {
333336
var g = net.sf.j2s.ajax.SimpleRPCRequest;
334-
var hKey = "h" + rnd;
335-
if (g.idSet[hKey] != null) {
336-
window.clearTimeout (g.idSet[hKey]);
337-
delete g.idSet[hKey];
338-
}
339-
if (window["net"] != null && !net.sf.j2s.ajax.SimpleRPCRequest.cleanUp(oScript)) {
337+
if (!g.cleanUp(script)) {
340338
return; // IE, not completed yet
341339
}
342-
var src = oScript.src;
343-
var idx = src.indexOf ("jzn=");
344-
var rid = src.substring (idx + 4, src.indexOf ("&", idx));
345-
net.sf.j2s.ajax.SimpleRPCRequest.xssNotify (rid, null);
346-
if (oScript.onerror != null) { // W3C
347-
oScript.onerror = oScript.onload = null;
340+
if (error) {
341+
var src = script.src;
342+
var idx = src.indexOf ("jzn=");
343+
var rid = src.substring (idx + 4, src.indexOf ("&", idx));
344+
net.sf.j2s.ajax.SimpleRPCRequest.xssNotify (rid, null);
345+
}
346+
if (script.onerror != null) { // W3C
347+
script.onerror = script.onload = null;
348348
} else { // IE
349-
oScript.onreadystatechange = null;
349+
script.onreadystatechange = null;
350350
}
351-
document.getElementsByTagName ("HEAD")[0].removeChild (oScript);
352-
oScript = null;
351+
document.getElementsByTagName ("HEAD")[0].removeChild (script);
352+
script = null;
353353
};
354354
*/
355-
nativestaticObjectgenerateCallback4Script(ObjectoScript,Stringrnd);
355+
nativestaticObjectgenerateCallback4Script(Objectscript,Stringrnd,booleanerror);
356356

357357
/**
358358
* @j2sNative
@@ -368,19 +368,28 @@ protected static boolean checkXSS(String url, String serialize, SimpleRPCRunnabl
368368
script.type = "text/javascript";
369369
script.src = url + "?jzn=" + rnd + "&jzp=" + length
370370
+ "&jzc=" + (i + 1) + "&jzz=" + content;
371-
var fun = g.generateCallback4Script (script, rnd);
371+
var okFun = g.generateCallback4Script (script, rnd, false);
372+
var errFun = g.generateCallback4Script (script, rnd, true);
372373
var userAgent = navigator.userAgent.toLowerCase ();
373374
var isOpera = (userAgent.indexOf ("opera") != -1);
374375
var isIE = (userAgent.indexOf ("msie") != -1) && !isOpera;
375376
script.defer = true;
376377
if (typeof (script.onreadystatechange) == "undefined" || !isIE) { // W3C
377-
script.onerror = script.onload = fun;
378-
} else { // IE
379-
script.onreadystatechange = fun;
378+
script.onerror = errFun;
379+
script.onload = okFun;
380+
} else { // IE, IE won't detect script loading error until timeout!
381+
script.onreadystatechange = okFun;
380382
}
381383
var head = document.getElementsByTagName ("HEAD")[0];
382384
head.appendChild (script);
383-
g.idSet["h" + rnd] = window.setTimeout (fun, 30000); // 30s timeout // TODO: Expose to configuration
385+
var timeout = 30000;
386+
if (window["j2s.ajax.reqeust.timeout"] != null) {
387+
timeout = window["j2s.ajax.reqeust.timeout"];
388+
}
389+
if (timeout < 1000) {
390+
timeout = 1000; // at least 1s for timeout
391+
}
392+
g.idSet["h" + rnd] = window.setTimeout (errFun, timeout);
384393
*/
385394
nativestaticvoidcallByScript(Stringrnd,Stringlength,Stringi,Stringcontent);
386395

@@ -409,11 +418,17 @@ static void xssNotify(String nameID, String response, String session) {
409418
var ss = document.getElementsByTagName ("SCRIPT");
410419
for (var i = 0; i < ss.length; i++) {
411420
var s = ss[i];
412-
if (s.src != null && s.src.indexOf ("jzn=" + nameID) != -1
421+
if (s.src != null && s.src.indexOf ("jzn=" + nameID) != -1 // FIXME: Not totally safe
413422
&& s.readyState == "interactive") {
414423
s.onreadystatechange = net.sf.j2s.ajax.SimpleRPCRequest.ieScriptCleanup;
415424
}
416425
}
426+
}
427+
var hKey = "h" + nameID;
428+
var g = net.sf.j2s.ajax.SimpleRPCRequest;
429+
if (g.idSet[hKey] != null) {
430+
window.clearTimeout (g.idSet[hKey]);
431+
delete g.idSet[hKey];
417432
}
418433
*/ { }
419434
if (response =="continue") {
@@ -425,16 +440,27 @@ static void xssNotify(String nameID, String response, String session) {
425440
}
426441
var k = "x" + nameID;
427442
var xcontent = g.idSet[k];
428-
// TODO: The following codes should be modified to send out requests one by one.
429443
if (xcontent != null) {
444+
// Send out requests one by one.
430445
for (var i = 0; i < xcontent.length; i++) {
431446
if (xcontent[i] != null) {
432447
g.callByScript(nameID, xcontent.length, i, xcontent[i]);
433448
xcontent[i] = null;
449+
break;
434450
}
435-
}
436-
g.idSet[k] = null;
437-
delete g.idSet[k];
451+
}
452+
453+
var more = false;
454+
for (var i = xcontent.length - 1; i >= 0; i--) {
455+
if (xcontent[i] != null) {
456+
more = true;
457+
break;
458+
}
459+
}
460+
if (!more) { // all contents are sent
461+
g.idSet[k] = null;
462+
delete g.idSet[k];
463+
}
438464
}
439465
*/ {}
440466
return;

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp