From 1958b52d41cba96956dc1995660de49525ed1047 Mon Sep 17 00:00:00 2001 From: Dieter Plaetinck Date: Tue, 5 Jan 2010 20:17:29 +0100 Subject: [PATCH] disable Uzbl javascript object because of security problem. --- README | 21 +-------------------- tests/test-command.c | 5 ----- uzbl-core.c | 10 ---------- 3 files changed, 1 insertion(+), 35 deletions(-) diff --git a/README b/README index 0d6ed0463..a22e10593 100644 --- a/README +++ b/README @@ -397,7 +397,7 @@ The script specific arguments are this: Custom, userdefined scripts (`spawn foo bar`) get first the arguments as specified in the config and then the above 7 are added at the end. -### JAVASCRIPT HELPER OBJECT +### JAVASCRIPT HELPER OBJECT DISABLED BECAUSE OF SECURITY LEAK Javascript code run from uzbl is given a special object in the global namespace which gives special privileges to these scripts. This object is called `Uzbl`, and it is added and removed before and after the script execution so that it is hidden to web javascripts (There is no race condition, since all the javascript code runs in a single thread) @@ -410,25 +410,6 @@ Currently, the `Uzbl` object provides only one function: * `Uzbl.run("spawn insert_bookmark.sh")` * `uri = Uzbl.run("print @uri")` (see variable expansion below) -### JAVASCRIPT SECURITY - -Since defined variables and functions are set in the global namespace (`window` object) as default, it is recommended to wrap your scripts like this: - - (function(Uzbl) { - ... - })(Uzbl); - -This way, everything is kept private. It also turns Uzbl into a local variable, which can be accessed from callback functions defined inside. However for some situations, isolating everything isn't an option, for example, with binds. You can define them directly in the script body, and use `var Uzbl = window.Uzbl;` to make the Uzbl variable local, as in the following example: - - function f() { - var Uzbl = window.Uzbl; - Uzbl.run(...); - setTimeout(function() { - Uzbl.run(...); - }, 500); - } - -Copying the Uzbl object and creating public functions should be taken with care to avoid creating security holes. Keep in mind that the "f" function above would be defined in the `window` object, and as such any javascript in the current page can call it. ### EVENTS ### diff --git a/tests/test-command.c b/tests/test-command.c index 49f3bb829..fc3b092ea 100644 --- a/tests/test-command.c +++ b/tests/test-command.c @@ -305,11 +305,6 @@ test_js (void) { parse_cmd_line("js ('x' + 345).toUpperCase()", result); g_assert_cmpstr("X345", ==, result->str); - /* uzbl commands can be run from javascript */ - uzbl.net.useragent = "Test useragent"; - parse_cmd_line("js Uzbl.run('print @useragent').toUpperCase();", result); - g_assert_cmpstr("TEST USERAGENT", ==, result->str); - g_string_free(result, TRUE); } diff --git a/uzbl-core.c b/uzbl-core.c index fd8ee4174..fca293c1f 100644 --- a/uzbl-core.c +++ b/uzbl-core.c @@ -1046,7 +1046,6 @@ eval_js(WebKitWebView * web_view, gchar *script, GString *result) { WebKitWebFrame *frame; JSGlobalContextRef context; JSObjectRef globalobject; - JSStringRef var_name; JSStringRef js_script; JSValueRef js_result; @@ -1059,12 +1058,6 @@ eval_js(WebKitWebView * web_view, gchar *script, GString *result) { context = webkit_web_frame_get_global_context(frame); globalobject = JSContextGetGlobalObject(context); - /* uzbl javascript namespace */ - var_name = JSStringCreateWithUTF8CString("Uzbl"); - JSObjectSetProperty(context, globalobject, var_name, - JSObjectMake(context, uzbl.js.classref, NULL), - kJSClassAttributeNone, NULL); - /* evaluate the script and get return value*/ js_script = JSStringCreateWithUTF8CString(script); js_result = JSEvaluateScript(context, js_script, globalobject, NULL, 0, NULL); @@ -1082,9 +1075,6 @@ eval_js(WebKitWebView * web_view, gchar *script, GString *result) { } /* cleanup */ - JSObjectDeleteProperty(context, globalobject, var_name, NULL); - - JSStringRelease(var_name); JSStringRelease(js_script); }