From e546f3cab95ec26d44c17cdb9a6d4f28701a9277 Mon Sep 17 00:00:00 2001
From: Oyvind Sean Kinsey <oyvind.kinsey@brik.no>
Date: Mon, 2 Sep 2013 13:49:44 -0700
Subject: [PATCH] Remove possible XSS attack vector.

---
 src/easyxdm.swf                     | Bin 1767 -> 1770 bytes
 src/flash/net.easyxdm.flash/Main.as |   2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/easyxdm.swf b/src/easyxdm.swf
index 0a8200503ffdbb093d2ee40205de297003dbc216..eafb2695c2bb61a1761e82a90e827c5a7a90f2d7 100644
GIT binary patch
literal 1770
zcmV<G1{L{3S5pX|4*&po+PqiYbJIo;-^g+-2qYm5xKIP)qcqTv@KI<<!$;x}<2JE_
zLn)={xQcytL}ke%ogwKzK>OmEzIcY2_J3;sjL!6}Z+(F7?n$zoCbUn@4D#LYc5ioo
zySI02L*`e2Y#ZRz5ahKt_;+9!@NaDhKX*qb@r$FiYIV)3eP=aAFtcjeF1#5%JVsJK
z{GR#-7^yZLZ_{$1?R(ObJ8c1vEyu1~Qh+1errd(smgVQYx>%6VB8_6H_^7zBQha)U
z397#5NpJ(D4t0+u+MX|=W;xC#8b_t=RS^W}#ERN55N>_dYD3L)T~U*^=hCe0i-x@o
zFaw@%H*uHQS#Z22NWUY%3|=(mOb}ME^JHmtW=U*znlsY3Y62RL6>Ndnmcn;2j{D)D
z=;CjK1jrE(uC?jdZquxJtyagiYZloxU)XZXg!P?3iWd4+>-e_Zfh{T9bAW2zizO8i
zkBcr#h@~jXK!$;VRj=oxc#$uR%Ym9N&<L4SfC;{6c`{O;!}t_XR`J?yU2K;d5Og*J
z>BAiJg!*}<Ub0#Os$d5X&@S=)+^!3sNDMkH9M~>}hVsk4)ock@2C(8`?D?4Gc*8#8
zki`0nMlwt_Mz*E5E`5{-Oi&o7FKWVmF6w4W0cOMZS|&`JV!Mr7;(`L&9n48A+^{hr
zxT5@mjSbj<XCB%M+Kw&btS-AVO(Cbwaz?9Ajm@6DnAj`aW!hBbY1)AaCK8E06WKKN
z+={U3JAEaer&I_eqGm(}R8dLd_F*Z4V`C-oK3E)xcAUEDdeT%lgPyxCE!he1csv&l
z(!{?Jx2E)nj)ZTK!wQ<C)!18{MS2a(c0^qjjmSqO<amLAy1;tyc49CLgIxaycYwhx
ztgj2X=6mgB$7%-9)4+h-#KbQe92ud>P>!LlK@B5y96v9ySCo4?=wN6ioD5~vB-I_G
zK9ar&n(ekb63ii5&<vfVQY@9yQxADU2L6KH2tpa^LMWE5;EJB@WkA<6_Yiw9u|i^p
zA;g{{)|^;D=u8Azdx(9{Vg#k(l?E^0DEP`AqPGS`H$u@W!bP&P7zv(_kSh^#IYLfF
z$V`MBijX-%;@w}r?$PKD4*%rg(4COR;qDP)E``it>#9(f>>N;;pl_x`dmMxwijekb
zm?cy;GU=f*%?y@2P(s7ZXQ-O0FkfBtC>A=nkC2@d8rer^DJgVlAEDDpp~HI!DNZ;Z
zTr@^A_kISLr{P$J>MYOW@o0>39*HAVRN!y|shEI);PLxTf#oOr!Q%I5AsJaA8G#Z%
z7S4~cc(#Z}#>1M|F5>4E)k61hl%-bCglj;G@9G+FcZAiC7bsSZVm-mYd%Rzczb7kM
zwsk7uNW{#s+k10=ngO#kkUjjKDaJIMeZ^ej=v*b+J%J8`jxI(QODb%>FbTZ_(P=Zr
zXfIu>WP52)EaReaK9kzp_4je-Sv;h4xZ^8J!wb$A5(Y1(=+5~qO^O$CdsoO&tPu1@
zdrMs)Qy-xIAV(u$Oc@u|{1R(@SfLQe@4lp3nXb%JP?r@pm5`<vP?3#IgW7Vp&>_W&
zO663z-O1iC7&FE!dxgksfl2I-jVrl0Emz~TTvH|X-_)+fYF7)YYvMt;&dw~(6Fi>l
z^Gc}k(LL3WaZgYU6obAIt<6(>H+iP(#t2ek(BLfoJJ%hjdZuCtpJI<eHSDPz_c0T)
zY95s(qX#4OX0E6_L<=7)3n}B1%I>1pQ+N6fa>LV&Tiq$VO!%sZ$}>f8fv|@3_|C)o
zhp!DxX@e7Xflu9>o?_xY<?p3kMZ)FNudeIt{d^^C$`JSbAL&FGw+BujmQEIoI|{q2
zekPLp+^f)cq0%3#qrX^CdEuWtJCxeD4<wR$5)*z7sIr#$s$~89Tq62FSRr-GaaY=5
z_X`8=U&&EmRbF|}UqQ;2jhS5BoNlmF#Y%P`|3B+n-qZhb;^Nkg&nsl~IA>;sGL!Hc
zqnqS~)m;m;lX9cfos9ab?KZsf<}-R+Wto#Qa<W$1#e)|1FZ5PjoS8%&{lV5AVze9y
zmSgw^8MGd@y~X%t5<XMX@e)pkd1Y8nt9to~&*f;2f*)ogQENJUwU8jL6_gsfzK+a<
z>3qaar1jyEK_^0xL?&~nLnk9lQ#zR@wm!;9{UXWiw{OZ}(*KvN58M@x-*#8T&zb11
zxCU|7bZsshH?MJpu;Q1>vGG_aY3|8e%+dN+1BIo6ds;}oLU{7^zZUkGTGsR-WpU#+
zWs_f8P=>pyMFfAyA+Y*rVLe}6T_~17ZrOqQ4>Gq=ew|Uz%Z3l=$fOqDb6KG0?cV?Z
M0RR630E2!MA%=Ewi2wiq

literal 1767
zcmV<D1{nE6S5pXt4*&po+Pqg^bJIo;-^g+-2!xQPxKIP)Pideb;ZLC@4Sy1c7`KTX
z97-uo$5rgJBPvTC=?qD~0QAK(een!4?bqn%=-22>pW2x|^Z~lNC&_Y}&^|RYobP_O
zd%OGF)!wlMnO^|1ZGaO)kk?-0-@akMzttfeZjVmjh_lsdb=9hUYc)kMy<*ueydM31
zl%!t#n)(_TsWu&N!*ZbQd(xBJZ2=E0$F5safFs<d+=SYu<>$S+n3vEZjbf?zpg6x=
ze0+Bis=nt*a08_db&n<5o-d(hInD+eN2RS55d`SOvN|vjZhggSL(OwtQIodk(yHx?
zhP?$a4W4f|@sybvaJ(i+zazj5o;7Ao5LU4LXmMqFQEYUY)6%zU0ve7LY=YR5!gn!_
zyWynh;%|cl$Po~(wc*%q)2w-|R>!q#7TGnQ*>cl_we3KP7W!4|__o}JO)1;6fNI{e
zMHLaxi!Muu#VE=^hJk@qujiw9kuQwPftoMS2$@uX3BG7~GE$$#_!Ll9@!D=(Y?T`j
zbT$I%!z}ZJ`gx^ZvRVSFU<dcmF7f@;t_z<?3_2~G*e->J@=LzeYzbEeu<T*%`IzPS
zz&_%T#M-k)GE6l`wxzcweUt}GP#C8#YQlah>Sjv;X2bVdCQO-PtBptEh636h%t<WV
zurVRHqx^#Pby$Zd9@-1qjxFP?F1gc9Atz6BMypVb&7MA=I4eA5%2efP+JOls5{W(&
z*|hZBim>Y2eI=ilR0t%ZRzwC=QAy(QVJU)RV<qr8SR9CUoVw|H(o{Hup1US3*$MFT
zcq$yEiGL$*P3aLG3Ev`z6*Nn`vA4L2^ct4!h`K5ok&jBq@d5#Lf%V{R$6y!+x&9CC
z0E3xdTN85C_u5O2)eNAgfdRSk@t-vKb3ZMHatw71Y8a`bI6TK*QSRxWgQ1mhF_cw{
zRQC||k@R`cY`5K!U=GoSX6Pi9VyTp#y3Y$T@E7z(5Xw*&La}rOcl2y81G=8MgV??C
zWfD6GA@&%t=J+x~ry|JOMeI8kBPb0oHF*A7!IyRsy)h`d9*R~GE|Q&vNbqcgT#As3
z5pp6zrX%D)gv=5WpZ@Aqk7l=U`Ug*kZiO@scMlVDDP#^?SB1Ld<9#X<G-gV4#(wCb
z2x*UoSwdwalO8J5%3#TTB{a-@hN`Iw^VLO<Vxj$e2-!)Ykv)VKlR^jf5IUI@I=G9F
z;)LVDO=C23=SP4!njXqfo#lBx7R@ov!*PU)3Y?B372_}vJdSS_Sbm}(ERJs%l93gX
z5h(E^;ra-RXNzcLEUbC$JPt3Z7P<$cEVY6rTme#iN7wkc!>oR^K(T5R>oEr2<@0hp
z9<OBC)`^585i>__?#}&52F%hx_HaB^jA=OilDWj$nM$^M3>^j?U5qZ4RM>oB0($$R
zugy3_XX#oc+e?FD88?lynbhvCzlSH!;73XycYI}Oc)|HX!r;Xe-8ny}N%36n&B;eP
z-bbN9B1XWNG|sE_1=jkYLVl8SeMz-5Rhc8tFDh&@Ax+PmA{(0mb>vQ=11fZtugUPZ
z<Go=pri~f)3Xz!tGu59PmvS-pmt*d)s5<&@YFA>l%LUaMvD&Y)GYfMBkLCL05o&yR
zM|E916I7SPpsz)Ha}?ioUg^3qf|M9EIgS6$bjPS@sUpJn)<aNTc{0b%%7m<1N43Z3
z{s_IED=H7s!bi$N%J{glvvT#+t-gcY)pX-VcM@+5z7L`rOwolO7K$EUY<S7=-GC`=
zaKg^<r!}jmn7B`Pys)E4xO}jnH3eN|@8>FE=Y_bje@|s^+#LAKuynFu+)~(W^)sG4
z=T3#j`AUDTzVC&C$_xMG*`d^)AA2IH$1&k&fGTT|??cwV%O#=@gcVY^6t|vjcE2#-
z{-qoRR^^?0{T-xi$(YW?9q1Z6Rjg$9@c+}k<z4+RCvIom_^d)kk8);~DKiPLF}exf
zSlO{bCn+~d-HE7q+HS)uZ#<zFRF*j@BPXk+9Xx1ZlR|IR?U+f_(Qj<+K1R!tU^#{l
zjX~>SZ(E3;AK_ah9dF@cn0JQtw5pdM_`4j<QSie|Bx+5CPZJWvy@FCh*VmAlFr5$B
ziL^dEGU!AIlE_33b?D0o)09r8iLH-vQa?{J`_1cenDqZ8>jM|U!#7<B@tY;O5UxO+
zHC>y{#?5O?A*}d?a%?OXN}7B026MFk<v?Mn;2sx}PYqst^{<6}NNsESkg~Xbld{Rr
zDJaA3)B=JpatN$Em|x3RSLTZ)keha({uj(`l%HVK^RnS9IWnn*_gog}4f{6$00960
J0|33b62#2`X>R}k

diff --git a/src/flash/net.easyxdm.flash/Main.as b/src/flash/net.easyxdm.flash/Main.as
index 93bc32c8..05c58010 100644
--- a/src/flash/net.easyxdm.flash/Main.as
+++ b/src/flash/net.easyxdm.flash/Main.as
@@ -95,7 +95,7 @@ class Main
 		
 		// add the createChannel method
 		ExternalInterface.addCallback("createChannel", { }, function(channel:String, secret:String, remoteOrigin:String, isHost:Boolean) {
-			if (!Main.Validate(channel)) return;
+			if (!Main.Validate(channel) || !Main.Validate(secret)) return;
 			log("creating channel " + channel);
 			
 			// get the remote domain