> --
> You received this message because you are subscribed to the Google Groups
> "Lift" group.
> To post to this group, send email to lif...@googlegroups.com.
> To unsubscribe from this group, send email to
> liftweb+u...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/liftweb?hl=en.
>
2010/2/2 Naftoli Gugenheim <nafto...@gmail.com>:
From: Naftoli Gugenheim <nafto...@gmail.com>If you scan the whole page wouldn't it affect performance? Or will you
To: liftweb <lif...@googlegroups.com>
Sent: Wed, Feb 3, 2010 01:31:24 GMT+00:00
Subject: Re: [Lift] Lift security vulnerability
put a safeguard in the input field / processing query parameters?
2010/2/2 Naftoli Gugenheim :
> Is that not a defect of the browsers?
>
The xml spec only allows tab, cr, and lf... no other control chars.
The defect is in the scala.xml.Utility.escape method
This method is an amazing piece of crap... every character in the string is wrapped in a Character object and then wrapped in a Cons cell.
I vote for 2.0-M2.
> I'd like to get a sense of how important the community views this defect.
> Is it a "backport the fix to every milestone and release yesterday" or is it
> a "fix it in 2.0-M2" or someplace in between.
For me, it's fix it in 2.0-SNAPSHOT
/Jeppe
Fix it in head, no need to back-port; M2 is only around the corner.
Cheers, Tim
2. Backport in 1.0.x branch and spin 1.0.4. We haven't marked 1.0.x
'unsupported' yet. Forcing apps to move to 2.0-M2 just for this
vulnerability fix isn't fun.
Cheers, Indrajit
I was wondering if the fix for the control characters issue was
included in 2.0-M2. I just did a test with our Lift application built
with 2.0-M2 and I am still seeing problems (i.e. javascript exceptions
- NS_ERROR_INVALID_POINTER).
Thanks in advance.
Dan
On Feb 3, 9:08 am, David Pollak <feeder.of.the.be...@gmail.com> wrote:
> Thanks for pointing that out. There are other problems as well... I'll fix
> them (in both the Scala and Lift diffs)
>
>
>
>
>
> On Wed, Feb 3, 2010 at 7:39 AM, Feng Zhang <sharpzh...@gmail.com> wrote:
> > I found that in the fix, \n is changed to \t, while \t to \n. Is this
> > desired behavior?
>
> > Thank you,
>
> > Feng
>
> > On Wed, Feb 3, 2010 at 9:20 AM, Indrajit Raychaudhuri <indraj...@gmail.com
> > > wrote:
>
> >> 1. Fix in head/master (2.0-SNAPSHOT) and prepone 2.0-M2.
>
> >> 2. Backport in 1.0.x branch and spin 1.0.4. We haven't marked 1.0.x
> >> 'unsupported' yet. Forcing apps to move to 2.0-M2 just for this
> >> vulnerability fix isn't fun.
>
> >> Cheers, Indrajit
>
> >> On 03/02/10 3:34 PM, Timothy Perrett wrote:
>
> >>> +1
>
> >>> Fix it in head, no need to back-port; M2 is only around the corner.
>
> >>> Cheers, Tim
>
> >>> On 3 Feb 2010, at 09:49, Jeppe Nejsum Madsen wrote:
>
> >>> David Pollak<feeder.of.the.be...@gmail.com> writes:
>
> >>>> I'd like to get a sense of how important the community views this
> >>>>> defect.
> >>>>> Is it a "backport the fix to every milestone and release yesterday" or
> >>>>> is it
> >>>>> a "fix it in 2.0-M2" or someplace in between.
>
> >>>> For me, it's fix it in 2.0-SNAPSHOT
>
> >>>> /Jeppe
>
> >>>> --
> >>>> You received this message because you are subscribed to the Google
> >>>> Groups "Lift" group.
> >>>> To post to this group, send email to lif...@googlegroups.com.
> >>>> To unsubscribe from this group, send email to
> >>>> liftweb+u...@googlegroups.com<liftweb%2Bunsu...@googlegroups.com >
> >>>> .
> >>>> For more options, visit this group at
> >>>>http://groups.google.com/group/liftweb?hl=en.
>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "Lift" group.
> >> To post to this group, send email to lif...@googlegroups.com.
> >> To unsubscribe from this group, send email to
> >> liftweb+u...@googlegroups.com<liftweb%2Bunsu...@googlegroups.com >
> >> .
> >> For more options, visit this group at
> >>http://groups.google.com/group/liftweb?hl=en.
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Lift" group.
> > To post to this group, send email to lif...@googlegroups.com.
> > To unsubscribe from this group, send email to
> > liftweb+u...@googlegroups.com<liftweb%2Bunsu...@googlegroups.com >
> > .
> > For more options, visit this group at
> >http://groups.google.com/group/liftweb?hl=en.
>
> --
> Lift, the simply functional web frameworkhttp://liftweb.net
> Beginning Scalahttp://www.apress.com/book/view/1430219890
For these problems, I am not sure if the issue if the example or the
framework. If the issue is with the example, it would be good to know
what Lift apps need to do to avoid getting bitten by binary characters
entered into form fields.
Thanks in advance.
Dan
Thanks in advance.
Dan
Don't know if this remaining problem is supposed to be handled by the
application or framework, but thought I would make a post to alert the
group.
Dan
On Feb 24, 11:49 am, Dano <olearydani...@gmail.com> wrote:
> The recent scala days conference activity may have cause the updates
> to this thread to escape notice. Just wondering if there is concern
> about the remaining binary character problems I noted in my prior
> post.
>
> Thanks in advance.
>
> Dan
>
> On Feb 22, 1:34 pm, Dano <olearydani...@gmail.com> wrote:
>
> > More information on this in case anyone is interested. If you go to
> > theliftdemo website, it appears the issue with characters is mostly
> > addressed except for the "Misc code" section. Specifically, the
> > "Wizard", "Wizard Challenge" and "Arc Challenge #1" examples will
> > generate XML parsing errors.
>
> > For these problems, I am not sure if the issue if the example or the
> > framework. If the issue is with the example, it would be good to know
> > whatLiftapps need to do to avoid getting bitten by binary characters
> > entered into form fields.
>
> > Thanks in advance.
>
> > Dan
>
> > On Feb 17, 11:06 am, Dano <olearydani...@gmail.com> wrote:
>
> > > Hello,
>
> > > I was wondering if the fix for the control characters issue was
> > > included in 2.0-M2. I just did a test with ourLiftapplication built
Just saw that Lift 2.0-M3 was released. I looked to see if the
vulnerability was still present in demo.liftweb.net
To unsubscribe from this group, send email to liftweb+u...@googlegroups.com.
-------------------------------------
Dano<oleary...@gmail.com> wrote:
Just saw that Lift 2.0-M3 was released. I looked to see if the
vulnerability was still present in demo.liftweb.net and I am still
-Ross
Dan
On Mar 4, 7:33 pm, Ross Mellgren <dri...@gmail.com> wrote:
> Check dpp's response as of 8:01
>
> -Ross
>
> On Mar 4, 2010, at 7:49 PM, Naftoli Gugenheim wrote:
>
>
>
> > What version is the demo running?
>
> > -------------------------------------
> > For more options, visit this group athttp://groups.google.com/group/liftweb?hl=en.
-------------------------------------
I am poking at the demo lift application to try to flush out issues
common to the group and understand what is a framework issue and what
needs to be addressed by the application.
Thanks.
Dan
On Mar 5, 9:47 am, Naftoli Gugenheim <naftoli...@gmail.com> wrote:
> Can you reproduce the vulnerability in your own M3 app?
>
> -------------------------------------
>
Thanks.
Dan
I would never claim to be astute. However, I did observe that
demo.liftweb.net is now built using 2.0-M3 as is clearly listed at the
bottom of the page. I also observed that the Wizard example is still
broken (paste binary characters into 'First Name' and then click the
Next button). I have not yet registered for an account with Assembla
but would be happy to file the bug.
I think I would like to amend my last post by asking if it is possible
that the lift-json library support the ability to strip out binary
characters since many times an application uses the results of JSON
operations to render back to the client.
Cheers, Tim
As to JSON, our client side code is sending JSON containing what the
user entered in the form. Based on the above, it sounds like we
should strip the binary characters when processing the JSON commands.
Thanks.
Dan
On Mar 5, 10:49 am, David Pollak <feeder.of.the.be...@gmail.com>
wrote:
> > <liftweb%2Bunsu...@googlegroups.com<liftweb%252Bunsubscribe@googlegroup s.com>>
> > > > > >>>>>>>>> .
> > > > > >>>>>>>>> For more options, visit this group at
> > > > > >>>>>>>>>http://groups.google.com/group/liftweb?hl=en.
>
> > > > > >>>>>>> --
> > > > > >>>>>>> You received this message because you are subscribed to the
> > Google Groups
> > > > > >>>>>>> "Lift" group.
> > > > > >>>>>>> To post to this group, send email to
> > lif...@googlegroups.com.
> > > > > >>>>>>> To unsubscribe from this group, send email to
> > > > > >>>>>>> liftweb+u...@googlegroups.com<liftweb%2Bunsu...@googlegroups.com >
> > <liftweb%2Bunsu...@googlegroups.com<liftweb%252Bunsubscribe@googlegroup s.com>>
> > > > > >>>>>>> .
> > > > > >>>>>>> For more options, visit this group at
> > > > > >>>>>>>http://groups.google.com/group/liftweb?hl=en.
>
> > > > > >>>>>> --
> > > > > >>>>>> You received this message because you are subscribed to the
> > Google Groups
> > > > > >>>>>> "Lift" group.
> > > > > >>>>>> To post to this group, send email to lif...@googlegroups.com
> > .
> > > > > >>>>>> To unsubscribe from this group, send email to
> > > > > >>>>>> liftweb+u...@googlegroups.com<liftweb%2Bunsu...@googlegroups.com >
> > <liftweb%2Bunsu...@googlegroups.com<liftweb%252Bunsubscribe@googlegroup s.com>>
> > > > > >>>>>> .
> > > > > >>>>>> For more options, visit this group at
> > > > > >>>>>>http://groups.google.com/group/liftweb?hl=en.
>
> > > > > >>>>> --
> > > > > >>>>> Lift, the simply functional web frameworkhttp://liftweb.net
> > > > > >>>>> Beginning Scalahttp://www.apress.com/book/view/1430219890
> > > > > >>>>> Follow me:http://twitter.com/dpp
> > > > > >>>>> Surf the harmonics
>
> > > > > > --
> > > > > > You received this message because you are subscribed to the Google
> > Groups "Lift" group.
> > > > > > To post to this group, send email to lif...@googlegroups.com.
> > > > > > To unsubscribe from this group, send email to
> > liftweb+u...@googlegroups.com<liftweb%2Bunsu...@googlegroups.com >
> > .
> > > > > > For more options, visit this group athttp://
> > groups.google.com/group/liftweb?hl=en.
>
> > > > > > --
> > > > > > You received this message because you are subscribed to the Google
> > Groups "Lift" group.
> > > > > > To post to this group, send email to lif...@googlegroups.com.
> > > > > > To unsubscribe from this group, send email to
> > liftweb+u...@googlegroups.com<liftweb%2Bunsu...@googlegroups.com >
> > .
> > > > > > For more options, visit this group athttp://
> > groups.google.com/group/liftweb?hl=en.
>
> > > > --
> > > > You received this message because you are subscribed to the Google
> > Groups "Lift" group.
> > > > To post to this group, send email to lif...@googlegroups.com.
> > > > To unsubscribe from this group, send email to
> > liftweb+u...@googlegroups.com<liftweb%2Bunsu...@googlegroups.com >
> > .
> > > > For more options, visit this group athttp://
> > groups.google.com/group/liftweb?hl=en.
>
> > --
> > You received this message because you are subscribed to
>
> ...
>
> read more »
I should have been more clear on 'pasting binary characters'. At the
url http://www.webmasterworld.com/forum39/1098.htm, they talk about an
issue with binary characters. I copied the 'square character' text
(which I have confirmed are binary) from that page into the Wizard
example on the demo lift site.
To unsubscribe from this group, send email to liftweb+u...@googlegroups.com.
json map {
case JString(s) => JString(sripOutBinaryChars(s))
case x => x
}
(You just need to implement that sripOutBinaryChars function...).
Cheers Joni
On Mar 5, 8:26 pm, Dano <olearydani...@gmail.com> wrote:
> I think I would like to amend my last post by asking if it is possible
> that the lift-jsonlibrary support the ability to strip out binary
> characters since many times an application uses the results ofJSON
> operations to render back to the client.
>
> Thanks.
>
> Dan
>
> On Mar 5, 9:53 am, Dano <olearydani...@gmail.com> wrote:
>
> > I can reproduce it in our application, but I think it is not
> > necessarily due to Lift. This is what I am trying to sort out. We
> > have client-side javascript which is sendingJSONcommands to the
Dan