mesos-reviews mailing list archives

From Jacob Janco <jjanco....@gmail.com>
Subject Re: Review Request 55691: Fix XSS vulnerability in pailer invocation.
Date Thu, 19 Jan 2017 20:41:09 GMT


> On Jan. 19, 2017, 4:27 p.m., haosdent huang wrote:
> > Hi, it seems setting `document.cookie` could work instead of using localStorage. The problem
> > with localStorage is that it is not supported by some old browsers. Have you tried setting a cookie before?

I think the attack vector would be similar if we were to pass the url through a cookie. localStorage
is supported by: 

Feature         Chrome  Firefox (Gecko)  Internet Explorer  Opera  Safari (WebKit)
localStorage    4       3.5              8                  10.50  4
sessionStorage  5       2                8                  10.50  4

I think this is fairly good coverage especially considering Microsoft's end of support for
legacy browsers. If it becomes an issue we can definitely rethink this.


> On Jan. 19, 2017, 4:27 p.m., haosdent huang wrote:
> > src/webui/master/static/pailer.html, lines 46-68
> > <https://reviews.apache.org/r/55691/diff/1/?file=1608498#file1608498line46>
> >
> >     I think we remove this snippet?

This block of code keeps localStorage clean and sets the sessionStorage for the life of the
open pailer window, so we need to persist the value through reloads.


> On Jan. 19, 2017, 4:27 p.m., haosdent huang wrote:
> > src/webui/master/static/pailer.html, line 80
> > <https://reviews.apache.org/r/55691/diff/1/?file=1608498#file1608498line80>
> >
> >     I think we could `localStorage.getItem/removeItem` above and use it here directly?

storageKey is scoped above this to keep it out of the global namespace.


- Jacob


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/55691/#review162303
-----------------------------------------------------------


On Jan. 18, 2017, 11:40 p.m., Jacob Janco wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/55691/
> -----------------------------------------------------------
> 
> (Updated Jan. 18, 2017, 11:40 p.m.)
> 
> 
> Review request for mesos, haosdent huang and Jiang Yan Xu.
> 
> 
> Bugs: MESOS-6947
>     https://issues.apache.org/jira/browse/MESOS-6947
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> Fix XSS vulnerability in pailer invocation.
> 
> 
> Diffs
> -----
> 
>   src/webui/master/static/js/controllers.js 388ca2447716cbc7141da6a20daf2340621a16e8
>   src/webui/master/static/pailer.html 19e0981143bd7e8372b49f4f036867e9dd05727a
> 
> Diff: https://reviews.apache.org/r/55691/diff/
> 
> 
> Testing
> -------
> 
> make -j8 + test framework + checking pailer representation of files in sandbox
> 
> 
> Thanks,
> 
> Jacob Janco
> 
>
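
The storage handoff described in the reply above (value passed through localStorage, then kept in sessionStorage so it survives reloads of the pailer window), as an added example that is not the code under review. `MemoryStorage`, `stashForPailer`, `loadPailerUrl`, the `pailer:` key prefix and the sample URL are hypothetical, and the in-memory class stands in for the browser's Web Storage so the block runs under Node.

```javascript
// Added example: hypothetical names throughout, not the Mesos web UI code.

// In-memory stand-in for the browser's Web Storage API (assumption: lets this run in Node).
class MemoryStorage {
  constructor() { this.items = new Map(); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
  setItem(key, value) { this.items.set(key, String(value)); }
  removeItem(key) { this.items.delete(key); }
  get length() { return this.items.size; }
}

// Opener side: hand the URL to the pailer window as data under a per-window key.
function stashForPailer(local, windowName, url) {
  local.setItem('pailer:' + windowName, url);
}

// Pailer side: called on every load (first open and each reload) of the window.
function loadPailerUrl(local, session, windowName) {
  // Key is function-scoped so it never lands in the global namespace.
  const storageKey = 'pailer:' + windowName;

  const handedOff = local.getItem(storageKey);
  if (handedOff !== null) {
    // First load: move the value into sessionStorage, which lives as long as
    // this window, and delete it from localStorage so it does not linger there.
    session.setItem(storageKey, handedOff);
    local.removeItem(storageKey);
  }
  // Reloads find nothing in localStorage and fall through to the saved copy.
  return session.getItem(storageKey);
}

// Constructed walk-through: open, reload, then a different window.
function demo() {
  const local = new MemoryStorage();     // shared by all same-origin windows
  const pailerTab = new MemoryStorage(); // sessionStorage of the pailer window
  const url = '//agent.example:5051/files/read?path=/sandbox/stdout'; // constructed
  stashForPailer(local, 'w1', url);
  const firstLoad = loadPailerUrl(local, pailerTab, 'w1');
  const leftInLocal = local.length;
  const afterReload = loadPailerUrl(local, pailerTab, 'w1');
  const otherWindow = loadPailerUrl(local, new MemoryStorage(), 'w1');
  return { firstLoad, leftInLocal, afterReload, otherWindow };
}
```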

