
Commit e4f7c83

committed
Merge pull request mailru#346 from im-saxo/hotfixes
flash xss: patch from @mala
2 parents 17116f9 + 21a7f2f commit e4f7c83


5 files changed

+29
-30
lines changed


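--- a/Gruntfile.js
+++ b/Gruntfile.js
@@ -131,7 +131,7 @@ module.exports = function (grunt) {
 mxmlc: {
 core: {
 options: {
-rawConfig: '-static-link-runtime-shared-libraries=true -compiler.debug=true' +
+rawConfig: '-target-player=10.1 -static-link-runtime-shared-libraries=true -compiler.debug=true' +
 ' -library-path+=flash/core/lib/blooddy_crypto.swc -library-path+=flash/core/lib/EnginesLibrary.swc'
 },
 files: {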

dist/FileAPI.flash.swf

-724 Bytes
Binary file not shown.
-2.64 KB
Binary file not shown.

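--- a/flash/core/src/FileAPI_flash.as
+++ b/flash/core/src/FileAPI_flash.as
@@ -1,7 +1,5 @@
 package
 {
-import com.github.im_saxo.FilterFlashVars;
-
 import flash.display.Sprite;
 import flash.display.StageAlign;
 import flash.display.StageQuality;
@@ -13,7 +11,7 @@ package
 
 /**
 *
-* @author v.demidov
+* @author v.demidov <v.demidov@gmail.com> https://github.com/im-saxo
 *
 */
 public class FileAPI_flash extends Sprite
@@ -38,7 +36,6 @@ package
 */
 protected function init(event:Event = null):void
 {
-trace ("{FlashFileAPI} - init");
 removeEventListener(Event.ADDED_TO_STAGE, init);
 
 // config stage
@@ -50,21 +47,10 @@ package
 addChild(_graphicContext);
 
 // initiate controller
-_controller = new AppController(_graphicContext, parseFlashVars());
+_controller = new AppController(_graphicContext, loaderInfo.parameters);
 // add some global listeners
 stage.addEventListener(Event.RESIZE, _controller.onStageResize);
 loaderInfo.uncaughtErrorEvents.addEventListener(UncaughtErrorEvent.UNCAUGHT_ERROR, _controller.onUncaughtError);
 }
-
-/**
-* Use only parameters from FlashVars and ignore parameters from URL query string.
-* Query string parameters can lead to XSS, and since we use only FlashVars,
-* we can ignore query completely.
-*
-*/
-private function parseFlashVars():Object
-{
-return FilterFlashVars.filterFlashVars(loaderInfo.parameters, loaderInfo.url);
-}
 }
-}
+}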
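Review bot: The new `_controller = new AppController(_graphicContext, loaderInfo.parameters);` line in init() hands the raw parameter set to the controller, and the deleted parseFlashVars comment was the only place recording that this set also carries URL query-string values alongside FlashVars, so the call site now reads as if only FlashVars arrive. The commit replaces input filtering with output escaping in JSCaller._escape, and that reliance should stay visible where the parameters enter: `// loaderInfo.parameters also carries URL query-string values; they only reach JS through JSCaller._escape`. Whether every path from AppController to ExternalInterface goes through JSCaller._call is not visible in this hunk, so that comment should be confirmed against AppController before it is added. init() ends inside the hunk; the rest of the class sits between the hunks.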

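--- a/flash/core/src/ru/mail/communication/JSCaller.as
+++ b/flash/core/src/ru/mail/communication/JSCaller.as
@@ -1,6 +1,7 @@
 package ru.mail.communication
 {
 import flash.external.ExternalInterface;
+import flash.utils.ByteArray;
 
 import ru.mail.data.vo.ErrorVO;
 import ru.mail.data.vo.FileVO;
@@ -67,7 +68,6 @@ package ru.mail.communication
 _call(_callback, data, data2);
 }
 catch (e:Error) {
-trace ("callJS caused an exception", e);
 }
 }
 
@@ -82,12 +82,10 @@ package ru.mail.communication
 var isReady:Boolean = false;
 try {
 var r:* = _call(callback, {type:"ready", flashId:flashId});
-trace( "JSCaller.notifyJSAboutAppReady() ", triesCount );
 
 isReady = ( r != null );
 }
 catch ( e:Error ) {
-trace ("notifyJSAboutAppReady error", e);
 }
 
 return isReady;
@@ -111,7 +109,6 @@ package ru.mail.communication
 _call(callback, { type:eventType, flashId:flashId });
 }
 catch (e:Error) {
-trace ("notifyJSMouseEvents error", e);
 }
 }
 
@@ -126,8 +123,6 @@ package ru.mail.communication
 */
 public function notifyJSFilesEvents(eventType:String, filesVector:Vector.<FileVO> = null):void
 {
-trace ("{JSCaller} - notifyJSFilesEvents, eventType", eventType)
-
 var details:Object = new Object();
 details.type = eventType;
 
@@ -164,7 +159,6 @@ package ru.mail.communication
 _call(callback, details);
 }
 catch (e:Error) {
-trace ("notifyJSFilesEvents error",e);
 }
 }
 
@@ -189,7 +183,6 @@ package ru.mail.communication
 _call(callback, details);
 }
 catch (e:Error) {
-trace ("notifyJSErrors error",e);
 }
 }
 
@@ -204,7 +197,6 @@ package ru.mail.communication
 _call(callback, { type:'camera', error:error, flashId:flashId });
 }
 catch (e:Error) {
-trace ("notifyCameraStatus error", e);
 }
 }
 
@@ -222,13 +214,34 @@ package ru.mail.communication
 _call(callback, {type:"error", message:errorVO.getError(), flashId:flashId});
 }
 catch (e:Error) {
-trace ("notifyJSErrors error",e);
 }
 }
-
+
+private function clone(source:Object):* {
+var myBA:ByteArray = new ByteArray();
+myBA.writeObject(source);
+myBA.position = 0;
+return(myBA.readObject());
+}
+
+private function _escape(data:*):* {
+if (typeof data === 'string') {
+return data.replace(/\\/g, '\\\\');
+} else if (typeof data === 'object') {
+var ret:* = clone(data);
+for (var i:String in data) {
+ret[i] = _escape(data[i]);
+}
+return ret;
+}
+return data;
+}
+
 private function _call(callback:String, data:Object, data2:Object = null):* {
+data = _escape(data);
 if ( callback.match(/^FileAPI\.Flash\.(onEvent|_fn\.fileapi\d+)$/) ) {
 if (data2) {
+data2 = _escape(data2);
 return ExternalInterface.call(callback, data, data2);
 }
 else {
@@ -240,4 +253,4 @@ package ru.mail.communication
 }
 }
 }
-}
+}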
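Review bot: `_escape` walks the original with `for (var i:String in data)`, which in ActionScript enumerates only dynamic properties, so if any value reaching `_call` is an instance of a sealed class (a FileVO, say) its public fields are copied by `clone` through the AMF round trip but never escaped; iterating the copy instead would cover that case: `for (var i:String in ret) { ret[i] = _escape(ret[i]); }`. I cannot see from the hunk whether `details` or the other payloads ever carry such instances rather than plain Objects, so this may be moot for current callers but is cheap to close. `_escape` also needs a comment recording why only backslashes are doubled, since nothing in the file says so — presumably ExternalInterface's argument serialisation leaves them unescaped, which is the XSS the commit title refers to: `// ExternalInterface does not escape backslashes when marshalling arguments into JS; double them so values stay inside the generated string literal`. Note that `typeof null === 'object'` in AS3, so null values take the clone path as well; that looks harmless but is worth a word in the same comment. `clone` and `_escape` lie wholly inside the hunk; `_call`'s body continues past it.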
