[Pkg-javascript-commits] [sockjs-client] 371/434: Refuse SockJS urls with ? or # inside (query strings or hashes)
Tonnerre Lombard
tonnerre-guest at moszumanska.debian.org
Wed Jan 8 00:47:25 UTC 2014
This is an automated email from the git hooks/post-receive script.
tonnerre-guest pushed a commit to branch master
in repository sockjs-client.
commit 9a82917cf5843a6fb5ab5d19476681cb30913fae
Author: Marek Majkowski <majek04 at gmail.com>
Date: Mon Mar 26 16:17:07 2012 +0100
Refuse SockJS urls with ? or # inside (query strings or hashes)
---
lib/trans-iframe-within.js | 5 +++++
lib/utils.js | 8 ++++++++
tests/html/src/unittests.coffee | 4 ++++
3 files changed, 17 insertions(+)
diff --git a/lib/trans-iframe-within.js b/lib/trans-iframe-within.js
index 0565747..294badb 100644
--- a/lib/trans-iframe-within.js
+++ b/lib/trans-iframe-within.js
@@ -43,6 +43,11 @@ SockJS.bootstrap_iframe = function() {
" \"" + version + "\", the iframe:" +
" \"" + SockJS.version + "\".");
}
+ if (!utils.flatUrl(trans_url) || !utils.flatUrl(base_url)) {
+ utils.log("Only basic urls are supported in SockJS");
+ return;
+ }
+
if (!utils.isSameOriginUrl(trans_url) ||
!utils.isSameOriginUrl(base_url)) {
utils.log("Can't connect to different domain from within an " +
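Review bot: `utils.flatUrl(trans_url)` and `utils.flatUrl(base_url)` call `indexOf` on values whose type is not checked anywhere in this hunk, so a non-string value would raise a TypeError here instead of taking the `utils.log(...)`/`return` rejection path. Both variables are assigned outside the hunk; if they originate from data the parent page sends to the iframe, they should be treated as untrusted and type-checked before the new test, e.g. `if (typeof trans_url !== 'string' || typeof base_url !== 'string') { return; }`, or `utils.flatUrl` in lib/utils.js could return false for non-strings. The log line could also say which of the two URLs was refused, which helps when triaging rejected connections. The body of SockJS.bootstrap_iframe starts above and continues below this hunk.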
diff --git a/lib/utils.js b/lib/utils.js
index ec1e424..b9ec25f 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -97,11 +97,19 @@ utils.bind = function(fun, that) {
}
};
+utils.flatUrl = function(url) {
+ return url.indexOf('?') === -1 && url.indexOf('#') === -1;
+};
+
utils.amendUrl = function(url) {
var dl = _document.location;
if (!url) {
throw new Error('Wrong url for SockJS');
}
+ if (!utils.flatUrl(url)) {
+ throw new Error('Only basic urls are supported in SockJS');
+ }
+
// '//abc' --> 'http://abc'
if (url.indexOf('//') === 0) {
url = dl.protocol + url;
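Review bot: `utils.flatUrl` has no comment saying what "flat" means or why such URLs are refused, and the name alone does not convey it. A one-line comment above the definition would be enough, e.g. `// True when url has neither a query string ('?') nor a fragment ('#'); SockJS accepts only such URLs.` The helper is also the gate used in lib/trans-iframe-within.js, so documenting the rule once at the definition covers both call sites. amendUrl's body continues past the end of this hunk.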
diff --git a/tests/html/src/unittests.coffee b/tests/html/src/unittests.coffee
index 36132bd..0cd52e5 100644
--- a/tests/html/src/unittests.coffee
+++ b/tests/html/src/unittests.coffee
@@ -83,6 +83,10 @@ test 'amendUrl', ->
raises(t, 'Wrong url')
t = -> u.amendUrl(false)
raises(t, 'Wrong url')
+ t = -> u.amendUrl('http://abc?a=a')
+ raises(t, 'Only basic urls are supported')
+ t = -> u.amendUrl('http://abc#a')
+ raises(t, 'Only basic urls are supported')
test 'arrIndexOf', ->
a = [1,2,3,4,5]
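Review bot: The two added `raises(t, 'Only basic urls are supported')` calls may not check the error text at all: if `raises` here is QUnit's, a string second argument is taken as the assertion label, so any exception, including an unrelated TypeError, would pass. Passing a matcher instead, e.g. `raises(t, /Only basic urls are supported/)`, would pin the rejection to the new check; the existing 'Wrong url' cases follow the same pattern. There is also no case calling `utils.flatUrl` directly, and none for a URL that is accepted. The 'amendUrl' test starts above the hunk.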
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-javascript/sockjs-client.git