Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Browse files

disable Uzbl javascript object because of security problem.

  • Loading branch information...
commit 1958b52d41cba96956dc1995660de49525ed1047 1 parent 4994115
@Dieterbe Dieterbe authored
Showing with 1 addition and 35 deletions.
  1. +1 −20 README
  2. +0 −5 tests/test-command.c
  3. +0 −10 uzbl-core.c
View
21 README
@@ -397,7 +397,7 @@ The script specific arguments are this:
Custom, userdefined scripts (`spawn foo bar`) get first the arguments as specified in the config and then the above 7 are added at the end.
-### JAVASCRIPT HELPER OBJECT
+### JAVASCRIPT HELPER OBJECT DISABLED BECAUSE OF SECURITY LEAK
Javascript code run from uzbl is given a special object in the global namespace which gives special privileges to these scripts. This object is called `Uzbl`, and it is added and removed before and after the script execution so that it is hidden to web javascripts (There is no race condition, since all the javascript code runs in a single thread)
@@ -410,25 +410,6 @@ Currently, the `Uzbl` object provides only one function:
* `Uzbl.run("spawn insert_bookmark.sh")`
* `uri = Uzbl.run("print @uri")` (see variable expansion below)
-### JAVASCRIPT SECURITY
-
-Since defined variables and functions are set in the global namespace (`window` object) as default, it is recommended to wrap your scripts like this:
-
- (function(Uzbl) {
- ...
- })(Uzbl);
-
-This way, everything is kept private. It also turns Uzbl into a local variable, which can be accessed from callback functions defined inside. However for some situations, isolating everything isn't an option, for example, with binds. You can define them directly in the script body, and use `var Uzbl = window.Uzbl;` to make the Uzbl variable local, as in the following example:
-
- function f() {
- var Uzbl = window.Uzbl;
- Uzbl.run(...);
- setTimeout(function() {
- Uzbl.run(...);
- }, 500);
- }
-
-Copying the Uzbl object and creating public functions should be taken with care to avoid creating security holes. Keep in mind that the "f" function above would be defined in the `window` object, and as such any javascript in the current page can call it.
### EVENTS ###
View
5 tests/test-command.c
@@ -305,11 +305,6 @@ test_js (void) {
parse_cmd_line("js ('x' + 345).toUpperCase()", result);
g_assert_cmpstr("X345", ==, result->str);
- /* uzbl commands can be run from javascript */
- uzbl.net.useragent = "Test useragent";
- parse_cmd_line("js Uzbl.run('print @useragent').toUpperCase();", result);
- g_assert_cmpstr("TEST USERAGENT", ==, result->str);
-
g_string_free(result, TRUE);
}
View
10 uzbl-core.c
@@ -1046,7 +1046,6 @@ eval_js(WebKitWebView * web_view, gchar *script, GString *result) {
WebKitWebFrame *frame;
JSGlobalContextRef context;
JSObjectRef globalobject;
- JSStringRef var_name;
JSStringRef js_script;
JSValueRef js_result;
@@ -1059,12 +1058,6 @@ eval_js(WebKitWebView * web_view, gchar *script, GString *result) {
context = webkit_web_frame_get_global_context(frame);
globalobject = JSContextGetGlobalObject(context);
- /* uzbl javascript namespace */
- var_name = JSStringCreateWithUTF8CString("Uzbl");
- JSObjectSetProperty(context, globalobject, var_name,
- JSObjectMake(context, uzbl.js.classref, NULL),
- kJSClassAttributeNone, NULL);
-
/* evaluate the script and get return value*/
js_script = JSStringCreateWithUTF8CString(script);
js_result = JSEvaluateScript(context, js_script, globalobject, NULL, 0, NULL);
@@ -1082,9 +1075,6 @@ eval_js(WebKitWebView * web_view, gchar *script, GString *result) {
}
/* cleanup */
- JSObjectDeleteProperty(context, globalobject, var_name, NULL);
-
- JSStringRelease(var_name);
JSStringRelease(js_script);
}
Please sign in to comment.
Something went wrong with that request. Please try again.