disable Uzbl javascript object because of security problem.

uzbl · Jan 5, 2010 · 1958b52 · 1958b52
1 parent 4994115
commit 1958b52
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 35 deletions.
diff --git a/README b/README
@@ -397,7 +397,7 @@ The script specific arguments are this:
 
 Custom, userdefined scripts (`spawn foo bar`) get first the arguments as specified in the config and then the above 7 are added at the end.
 
-### JAVASCRIPT HELPER OBJECT
+### JAVASCRIPT HELPER OBJECT DISABLED BECAUSE OF SECURITY LEAK
 
 Javascript code run from uzbl is given a special object in the global namespace which gives special privileges to these scripts. This object is called `Uzbl`, and it is added and removed before and after the script execution so that it is hidden to web javascripts (There is no race condition, since all the javascript code runs in a single thread)
 
@@ -410,25 +410,6 @@ Currently, the `Uzbl` object provides only one function:
        * `Uzbl.run("spawn insert_bookmark.sh")`
        * `uri = Uzbl.run("print @uri")` (see variable expansion below)
 
-### JAVASCRIPT SECURITY
-
-Since defined variables and functions are set in the global namespace (`window` object) as default, it is recommended to wrap your scripts like this:
-
-    (function(Uzbl) {
-        ...
-    })(Uzbl);
-
-This way, everything is kept private. It also turns Uzbl into a local variable, which can be accessed from callback functions defined inside. However for some situations, isolating everything isn't an option, for example, with binds. You can define them directly in the script body, and use `var Uzbl = window.Uzbl;` to make the Uzbl variable local, as in the following example:
-
-    function f() {
-        var Uzbl = window.Uzbl;
-        Uzbl.run(...);
-        setTimeout(function() {
-            Uzbl.run(...);
-        }, 500);
-    }
-
-Copying the Uzbl object and creating public functions should be taken with care to avoid creating security holes. Keep in mind that the "f" function above would be defined in the `window` object, and as such any javascript in the current page can call it.
 
 ### EVENTS ###
 

diff --git a/tests/test-command.c b/tests/test-command.c
@@ -305,11 +305,6 @@ test_js (void) {
     parse_cmd_line("js ('x' + 345).toUpperCase()", result);
     g_assert_cmpstr("X345", ==, result->str);
 
-    /* uzbl commands can be run from javascript */
-    uzbl.net.useragent = "Test useragent";
-    parse_cmd_line("js Uzbl.run('print @useragent').toUpperCase();", result);
-    g_assert_cmpstr("TEST USERAGENT", ==, result->str);
-
     g_string_free(result, TRUE);
 }
 

diff --git a/uzbl-core.c b/uzbl-core.c
@@ -1046,7 +1046,6 @@ eval_js(WebKitWebView * web_view, gchar *script, GString *result) {
     WebKitWebFrame *frame;
     JSGlobalContextRef context;
     JSObjectRef globalobject;
-    JSStringRef var_name;
 
     JSStringRef js_script;
     JSValueRef js_result;
@@ -1059,12 +1058,6 @@ eval_js(WebKitWebView * web_view, gchar *script, GString *result) {
     context = webkit_web_frame_get_global_context(frame);
     globalobject = JSContextGetGlobalObject(context);
 
-    /* uzbl javascript namespace */
-    var_name = JSStringCreateWithUTF8CString("Uzbl");
-    JSObjectSetProperty(context, globalobject, var_name,
-                        JSObjectMake(context, uzbl.js.classref, NULL),
-                        kJSClassAttributeNone, NULL);
-
     /* evaluate the script and get return value*/
     js_script = JSStringCreateWithUTF8CString(script);
     js_result = JSEvaluateScript(context, js_script, globalobject, NULL, 0, NULL);
@@ -1082,9 +1075,6 @@ eval_js(WebKitWebView * web_view, gchar *script, GString *result) {
     }
 
     /* cleanup */
-    JSObjectDeleteProperty(context, globalobject, var_name, NULL);
-
-    JSStringRelease(var_name);
     JSStringRelease(js_script);
 }