
Fixed a small security hole: release notes specified with a file:// URL would be able to read files on your file system through Javascript (basically a cross-site scripting attack). file:// URLs are therefore no longer supported for release notes.
1 parent 478e0a5, commit 7f5689835ba4ebb40f573c18786a76c61c71923e, @andymatuschak committed Sep 10, 2008
Showing with 8 additions and 1 deletion.
+8 −1 SUUpdateAlert.m
@@ -79,7 +79,14 @@ - (void)displayReleaseNotes
// If there's a release notes URL, load it; otherwise, just stick the contents of the description into the web view.
if ([updateItem releaseNotesURL])
{
- [[releaseNotesView mainFrame] loadRequest:[NSURLRequest requestWithURL:[updateItem releaseNotesURL] cachePolicy:NSURLRequestReloadIgnoringCacheData timeoutInterval:30]];
+ if ([[updateItem releaseNotesURL] isFileURL])
+ {
+ [[releaseNotesView mainFrame] loadHTMLString:@"Release notes with file:// URLs are not supported for security reasons—Javascript would be able to read files on your file system." baseURL:nil];
+ }
+ else
+ {
+ [[releaseNotesView mainFrame] loadRequest:[NSURLRequest requestWithURL:[updateItem releaseNotesURL] cachePolicy:NSURLRequestReloadIgnoringCacheData timeoutInterval:30]];
+ }
}
else
{
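Review bot: the guard `if ([[updateItem releaseNotesURL] isFileURL])` is a denylist of a single scheme; since the web view will render whatever URL it is handed, an allowlist would be the safer shape, i.e. load the request only when `[[updateItem releaseNotesURL] scheme]` compares case-insensitively equal to `http` or `https`, and fall through to the `loadHTMLString:` message for everything else, so any other local or custom scheme is refused by default rather than only `file://`. It would also be worth applying the same check where `releaseNotesURL` is populated from the appcast, so the alert never receives a local URL to begin with, and making the hardcoded refusal text a localized string.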
