Caja security advisory 2016-05-31

Kevin Reid

Jun 1, 2016, 4:10:20 PM
to Google Caja Discuss
## Background

For applications which used the Google API tamings (not enabled by default), the taming of the `google.load` function did not sanitize its arguments sufficiently.

## Impact and Advice

The vulnerability allows invoking arbitrary functions on the host page that can be accessed through properties on the global object, with no arguments. The exact impact of this depends on the contents of the host page; for more information read about “reverse clickjacking” at https://plus.google.com/u/0/+AleksandrDobkin-Google/posts/JMwA7Y3RYzV.

All users who load `google.load.loaderFactory.js` in their Caja deployments should upgrade to Caja

If there is a problem upgrading, it is also feasible to apply the below patch directly, but we do not recommend using old versions of Caja any longer than necessary.

## More Information

The patch for the vulnerability may be found at:

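The advisory describes the general failure mode of a tamed host function that forwards guest-supplied arguments without checking them. Below is an added illustration of the defensive pattern, written for this page and not taken from Caja or from the actual `google.load` taming: the host loader `hostLoad`, the module allowlist, the version pattern and the option handling are all assumptions constructed for the example. The wrapper accepts only allowlisted module names, a version string of a fixed shape, and a callback supplied as a function object, so no guest string is ever used to select a function on the host's global object.

```javascript
'use strict';

// Hypothetical host-side loader standing in for a real API loader.
// This is an assumption of the example, not Caja's google.load taming.
function hostLoad(moduleName, version, options) {
  const loaded = { module: moduleName, version: version };
  if (options && typeof options.callback === 'function') {
    options.callback(loaded);
  }
  return loaded;
}

// Constructed allowlist and version format; a real deployment would
// list exactly the modules it intends to expose to guest code.
const ALLOWED_MODULES = new Set(['maps', 'visualization', 'feeds']);
const VERSION_RE = /^\d+(\.\d+)*$/;

// Tamed wrapper: validate every guest-supplied argument before forwarding.
function tamedLoad(moduleName, version, options) {
  if (typeof moduleName !== 'string' || !ALLOWED_MODULES.has(moduleName)) {
    throw new TypeError('load: module not in allowlist');
  }
  if (typeof version !== 'string' || !VERSION_RE.test(version)) {
    throw new TypeError('load: malformed version');
  }
  // Rebuild options from scratch: copy only fields the wrapper understands,
  // and accept a callback only as a function object, never as a name that
  // the host would later resolve against its global object.
  const safeOptions = {};
  if (options !== undefined) {
    if (options === null || typeof options !== 'object') {
      throw new TypeError('load: options must be an object');
    }
    if ('callback' in options) {
      if (typeof options.callback !== 'function') {
        throw new TypeError('load: callback must be a function');
      }
      safeOptions.callback = options.callback;
    }
  }
  return hostLoad(moduleName, version, safeOptions);
}

// Example usage with constructed arguments.
tamedLoad('maps', '3', { callback: function (r) { console.log('loaded', r.module, r.version); } });
```

The design point is that the guest never hands the host a string that the host then turns into a function reference; everything the guest can influence is either checked against a closed set or passed through as a value the host will not interpret.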