
strip authority to avoid exploits in parse regex

As explained by @mala in Issue #4787, most browsers simply strip the
authority from `location.href` anyway. We can simply mimic this more
secure behavior for the browsers that don't, thereby avoiding the
decoding XSS.
commit 352f1964b685614d27a3e4ef669093778368f915 1 parent ddb62b4
John Bender authored August 09, 2012
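--- a/js/jquery.mobile.navigation.js
+++ b/js/jquery.mobile.navigation.js
@@ -49,27 +49,13 @@ define( [
 			//
 			urlParseRE: /^(((([^:\/#\?]+:)?(?:(\/\/)((?:(([^:@\/#\?]+)(?:\:([^:@\/#\?]+))?)@)?(([^:\/#\?\]\[]+|\[[^\/\]@#?]+\])(?:\:([0-9]+))?))?)?)?((\/?(?:[^\/\?#]+\/+)*)([^\?#]*)))?(\?[^#]+)?)(#.*)?/,
 
-			// Abstraction to address xss (Issue #4787) in browsers that auto decode the username:pass
-			// portion of location.href. All references to location.href should be replaced with a call
-			// to this method so that it can be dealt with properly here
+			// Abstraction to address xss (Issue #4787) by removing the authority in
+			// browsers that auto	decode it. All references to location.href should be
+			// replaced with a call to this method so that it can be dealt with properly here
 			getLocation: function( url ) {
-				var uri = this.parseUrl( url || location.href ),
-					encodedUserPass = "";
+				var uri = url ? $.mobile.path.parseUrl( url ) : location;
 
-				if( uri.username ){
-					encodedUserPass = encodeURI( uri.username );
-				}
-
-				if( uri.password  ){
-					encodedUserPass = encodedUserPass + ":" + encodeURI( uri.password );
-				}
-
-				if( encodedUserPass ){
-					return uri.protocol + "//" + encodedUserPass + "@" +
-						uri.host + uri.pathname + uri.search + uri.hash;
-				}
-
-				return uri.href;
+				return uri.protocol + "//" + uri.host + uri.pathname + uri.search + uri.hash;
 			},
 
 			parseLocation: function() {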
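Review bot: The rebuilt return value `uri.protocol + "//" + uri.host + uri.pathname + uri.search + uri.hash` assumes an absolute URL, but `urlParseRE` makes both the scheme and the `//authority` group optional, so a `url` argument with neither (a relative path) now comes back prefixed with `//` — a protocol-relative URL pointing at a different resource — or with `undefined` spliced in, depending on what `parseUrl` assigns for unmatched groups (not visible in this hunk); the removed branch returned `uri.href` unchanged in that case. If relative input can reach this method, keep that fallback for the parsed branch, e.g. `if ( url && !uri.protocol && !uri.host ) { return uri.href; }` ahead of the return. Otherwise the header comment should state the contract, e.g. `// Returns url (or location.href) rebuilt without the userinfo; expects an absolute URL`. Note that `location` and a `parseUrl` result are mixed here, so only the property names both provide can be used.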
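--- a/tests/unit/navigation/navigation_helpers.js
+++ b/tests/unit/navigation/navigation_helpers.js
@@ -241,14 +241,12 @@
 
 	test( "path.getLocation works properly", function() {
 		equal( $.mobile.path.getLocation("http://example.com/"), "http://example.com/" );
-		equal( $.mobile.path.getLocation("http://foo@example.com"), "http://foo@example.com" );
-		equal( $.mobile.path.getLocation("http://foo:bar@example.com"), "http://foo:bar@example.com" );
-		equal( $.mobile.path.getLocation("http://<foo<:bar@example.com"), "http://%3Cfoo%3C:bar@example.com" );
-		equal( $.mobile.path.getLocation("http://foo:<bar<@example.com"), "http://foo:%3Cbar%3C@example.com" );
-		equal( $.mobile.path.getLocation("http://<foo<:<bar<@example.com"), "http://%3Cfoo%3C:%3Cbar%3C@example.com" );
+		equal( $.mobile.path.getLocation("http://foo@example.com"), "http://example.com" );
+		equal( $.mobile.path.getLocation("http://foo:bar@example.com"), "http://example.com" );
+		equal( $.mobile.path.getLocation("http://<foo<:bar@example.com"), "http://example.com" );
 
 		var allUriParts = "http://jblas:password@mycompany.com:8080/mail/inbox?msg=1234&type=unread#msg-content";
 
-		equal( $.mobile.path.getLocation( allUriParts ), allUriParts );
+		equal( $.mobile.path.getLocation( allUriParts ), allUriParts.replace( "jblas:password@", "") );
 	});
 })(jQuery);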
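Review bot: The assertions for a password containing `<` and for both userinfo fields containing `<` are deleted rather than rewritten, so the new side only exercises the stripping for the username position even though the decoding issue the commit addresses concerns the whole `username:pass` portion. Keeping them with the new expectation costs two lines: `equal( $.mobile.path.getLocation("http://foo:<bar<@example.com"), "http://example.com" );` and `equal( $.mobile.path.getLocation("http://<foo<:<bar<@example.com"), "http://example.com" );`. A case with a port but no userinfo, e.g. `equal( $.mobile.path.getLocation("http://example.com:8080/"), "http://example.com:8080/" );`, would also pin that the port survives the rebuild independently of the `allUriParts` case.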


Markus Staab

Small whitespace error between "auto" and "decode"

Kin Blas

We might need to add a test that contains a slash or @ sign in it and see how that throws off the parsing.
