Simplify allowed Flash querystring parameters

mediaelement · May 4, 2016 · 24c6ad0 · 24c6ad0
1 parent cc6b880
commit 24c6ad0
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 74 deletions.
diff --git a/src/flash/FlashMediaElement.as b/src/flash/FlashMediaElement.as
@@ -25,8 +25,6 @@ package {
 	import htmlelements.HLSMediaElement;
 
 	[SWF(backgroundColor="0x000000")] // Set SWF background color
-
-
 	public class FlashMediaElement extends MovieClip {
 
 		private var _mediaUrl:String;
@@ -99,34 +97,18 @@ package {
 
 
 		public function FlashMediaElement() {
-			// check for security issues (borrowed from jPLayer)
-			checkFlashVars(loaderInfo.parameters);
+
+			if (isIllegalQuerystring()) {
+				return;
+			}
 
 			// allows this player to be called from a different domain than the HTML page hosting the player
 			CONFIG::cdnBuild {
 				Security.allowDomain("*");
 				Security.allowInsecureDomain('*');
 			}
 
-			if (securityIssue) {
-				return;
-			}
-
-			// get parameters
-			// Use only FlashVars, ignore QueryString
-			var params:Object, pos:int, query:Object;
-
-			params = LoaderInfo(this.root.loaderInfo).parameters;
-			pos = root.loaderInfo.url.indexOf('?');
-			if (pos !== -1) {
-				query = parseStr(root.loaderInfo.url.substr(pos + 1));
-
-				for (var key:String in params) {
-					if (query.hasOwnProperty(trim(key))) {
-						delete params[key];
-					}
-				}
-			}
+			var params:Object = LoaderInfo(this.root.loaderInfo).parameters;
 
 			CONFIG::debugBuild {
 				_debug = (params['debug'] != undefined) ? (String(params['debug']) == "true") : false;
@@ -456,43 +438,20 @@ package {
 			}
 		}
 
-		// borrowed from jPLayer
-		// https://github.com/happyworm/jPlayer/blob/e8ca190f7f972a6a421cb95f09e138720e40ed6d/actionscript/Jplayer.as#L228
-		private function checkFlashVars(p:Object):void {
-			var i:Number = 0;
-			for (var s:String in p) {
-				if (isIllegalChar(p[s], s === 'file')) {
-					securityIssue = true; // Illegal char found
-				}
-				i++;
-			}
-			if (i === 0 || securityIssue) {
-				directAccess = true;
-			}
-		}
-
-		private static function parseStr (str:String) : Object {
-			var hash:Object = {},
-				arr1:Array, arr2:Array;
-
-			str = unescape(str).replace(/\+/g, " ");
-
-			arr1 = str.split('&');
-			if (!arr1.length) {
-				return {};
-			}
-
-			for (var i:uint = 0, length:uint = arr1.length; i < length; i++) {
-				arr2 = arr1[i].split('=');
-				if (!arr2.length) {
-					continue;
-				}
-				hash[trim(arr2[0])] = trim(arr2[1]);
-			}
-			return hash;
+		private function isIllegalQuerystring():Boolean {
+			var query:String = '';
+			var pos:Number = root.loaderInfo.url.indexOf('?') ;
+
+			if ( pos > -1 ) {
+			    query = root.loaderInfo.url.substring( pos );
+			    if ( ! /^\?\d+$/.test( query ) ) {
+			        return true;
+			    }
+			}			
+
+			return false;
 		}
 
-
 		private static function trim(str:String) : String {
 			if (!str) {
 				return str;
@@ -501,21 +460,6 @@ package {
 			return str.toString().replace(/^\s*/, '').replace(/\s*$/, '');
 		}
 
-		private function isIllegalChar(s:String, isUrl:Boolean):Boolean {
-			var illegals:String = "' \" ( ) { } * + \\ < >";
-			if (isUrl) {
-				illegals = "\" { } \\ < >";
-			}
-			if (Boolean(s)) { // Otherwise exception if parameter null.
-				for each (var illegal:String in illegals.split(' ')) {
-					if (s.indexOf(illegal) >= 0) {
-						return true; // Illegal char found
-					}
-				}
-			}
-			return false;
-		}
-
 		// START: Controls and events
 		private function mouseActivityMove(event:MouseEvent):void {
 

diff --git a/src/js/me-shim.js b/src/js/me-shim.js
@@ -579,7 +579,7 @@ mejs.HtmlMediaElementShim = {
 					specialIEContainer.outerHTML =
 '<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="//download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" ' +
 'id="' + pluginid + '" width="' + width + '" height="' + height + '" class="mejs-shim">' +
-'<param name="movie" value="' + options.pluginPath + options.flashName + '?x=' + (new Date()) + '" />' +
+'<param name="movie" value="' + options.pluginPath + options.flashName + '?x=' + (new Date().getTime()) + '" />' +
 '<param name="flashvars" value="' + initVars.join('&amp;') + '" />' +
 '<param name="quality" value="high" />' +
 '<param name="bgcolor" value="#000000" />' +