Caja Security Advisory 2016-04-21

31 views

Skip to first unread message

Kevin Reid

unread,

Apr 21, 2016, 6:06:05 PM4/21/16

to Google Caja Discuss

## Background

There are two issues covered by this advisory:

* SES did not correctly understand variable names written using escaped characters, e.g. `\u0077indow`, and did not recognize at all the new `\u{...}` syntax introduced by ECMAScript 2015. This allowed access to host global variables (such as `window` and `document`) by spelling them with escaped characters.

* For applications which used the Google API tamings (not enabled by default), the taming of the Charts / Visualization API did not protect against all means of causing chart data to be interpreted as arbitrary HTML.

## Impact and Advice

This is a complete breach of the Caja sandbox. All users should immediately upgrade to Caja

v6008 https://github.com/google/caja/releases/tag/v6008 or later.

## More Information

Discussion of the fix for SES may be found at:

* https://codereview.appspot.com/285330043/

* https://codereview.appspot.com/283510043/

Note that we have included an additional “backstop” protection to reduce the exploitability of any future errors in variable name processing.

Discussion of the fix for Charts taming may be found at:

* https://codereview.appspot.com/286220043/

Reply all

Reply to author

Forward

0 new messages