ICEfaces issue ICE-11365

SECURITY: Potential 'eval' injection risk in gmap.js

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 4.2, EE-3.3.0.GA_P05
    • Fix Version/s: 4.3, EE-3.3.0.GA_P06
    • Component/s: ACE-Components
    • Labels: None
    • Environment: Any
    • Assignee Priority: P1

      Description

      After working on ICE-11362, it was noted that our JavaScript code in gmap.js uses several eval() calls. Our code should be refactored to avoid the use of the eval() function.

        Activity

        ICEsoft Public SVN Repository, revision #51949, Wed Sep 27 11:39:45 MDT 2017, mircea.toma:
        ICE-11365 Fix default value for 'options' attribute. Do not rely on a magic word to avoid sending options.
        Files changed:
          MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapMarkerMeta.java
          MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapLayerMeta.java
          MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapInfoWindowMeta.java

        ICEsoft Public SVN Repository, revision #51938, Mon Sep 25 15:34:48 MDT 2017, mircea.toma:
        ICE-11365 Fix how options are sent. Modify name to constant mapping functions.
        Files changed:
          MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapLayerRenderer.java
          MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapMarkerRenderer.java
          MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js
          MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapOverlayRenderer.java
          MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapServicesRenderer.java
          MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapRenderer.java
          MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapInfoWindowRenderer.java

        ICEsoft Public SVN Repository, revision #51935, Thu Sep 21 17:40:37 MDT 2017, mircea.toma:
        ICE-11365 Reformat code.
        Files changed:
          MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js

        ICEsoft Public SVN Repository, revision #51934, Thu Sep 21 17:39:35 MDT 2017, mircea.toma:
        ICE-11365 Fix and simplify ice.ace.gMap.addEvent function.
        Files changed:
          MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js

        ICEsoft Public SVN Repository, revision #51933, Thu Sep 21 17:26:06 MDT 2017, mircea.toma:
        ICE-11365 Simplify code.
        Files changed:
          MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js

        ICEsoft Public SVN Repository, revision #51932, Thu Sep 21 17:21:36 MDT 2017, mircea.toma:
        ICE-11365 Add semicolons where required.
        Files changed:
          MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js

        ICEsoft Public SVN Repository, revision #51931, Thu Sep 21 17:18:10 MDT 2017, mircea.toma:
        ICE-11365 Modify renderer to pass callback function instead of free form script.
        Files changed:
          MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js
          MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapEventRenderer.java

        ICEsoft Public SVN Repository, revision #51930, Thu Sep 21 16:55:39 MDT 2017, mircea.toma:
        ICE-11365 Modified Gmap renderers to send the 'options' parameter as JSON object (fully parsed on server side) and thus avoid any evaluation on the client.
        Files changed:
          MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapLayerRenderer.java
          MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapMarkerRenderer.java
          MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js
          MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapOverlayRenderer.java
          MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapServicesRenderer.java
          MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapRenderer.java
          MODIFY /icefaces4/trunk/icefaces/ace/component/src/org/icefaces/ace/component/gmap/GMapInfoWindowRenderer.java

        ICEsoft Public SVN Repository, revision #51926, Wed Sep 20 16:26:56 MDT 2017, mircea.toma:
        ICE-11365 Fix regex for coordinates.
        Files changed:
          MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js

        ICEsoft Public SVN Repository, revision #51925, Wed Sep 20 16:10:32 MDT 2017, mircea.toma:
        ICE-11365 Parse and interpret the list of locations instead of blindly evaluate them.
        Files changed:
          MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js

        ICEsoft Public SVN Repository, revision #51924, Wed Sep 20 13:01:32 MDT 2017, mircea.toma:
        ICE-11365 Use Number() function to transform strings to numbers.
        Files changed:
          MODIFY /icefaces4/trunk/icefaces/ace/component/resources/icefaces.ace/gmap/gmap.js
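The replacements for eval() that the commit messages above describe (a regex plus Number() for the coordinate list, the 'options' parameter handled as a JSON object, and name-to-constant mapping by lookup), written here as an added example that is not ICEfaces' gmap.js. The "(lat,lng),(lat,lng)" input format and the MAP_TYPE_IDS table are assumptions made for the example.

```javascript
// Added example, not code from ICEfaces' gmap.js: the defensive replacements
// that the ICE-11365 commit messages describe, written stand-alone so they
// run offline. Assumptions: locations arrive as "(lat,lng),(lat,lng)" text,
// and the map-type table is constructed to mirror the Maps API constants.

// One coordinate pair: signed decimal numbers only, nothing else allowed.
var COORD_PAIR = /^\(\s*(-?\d+(?:\.\d+)?)\s*,\s*(-?\d+(?:\.\d+)?)\s*\)$/;

// Parse and interpret the list instead of evaluating it: split into pairs,
// match each pair against the regex, convert the captures with Number().
// Anything that is not literally a coordinate list is rejected, never run.
function parseLocations(text) {
    var s = String(text).trim();
    if (s === '') return [];
    var parts = s.split(/\s*,\s*(?=\()/);  // split only at "," followed by "("
    var result = [];
    for (var i = 0; i < parts.length; i++) {
        var m = COORD_PAIR.exec(parts[i]);
        if (!m) throw new Error('invalid coordinate pair: ' + parts[i]);
        var lat = Number(m[1]), lng = Number(m[2]);
        if (lat < -90 || lat > 90 || lng < -180 || lng > 180)
            throw new Error('coordinate out of range: ' + parts[i]);
        result.push({ lat: lat, lng: lng });
    }
    return result;
}

// Options as data: the renderer sends a JSON object, and the client parses
// it with JSON.parse (which cannot execute code) rather than eval().
function parseOptions(json) {
    var value = JSON.parse(json);
    if (value === null || typeof value !== 'object' || Array.isArray(value))
        throw new Error('options must be a JSON object');
    return value;
}

// Name-to-constant mapping as an allow-list lookup: an unknown name is an
// error, instead of building "google.maps.MapTypeId." + name as script.
var MAP_TYPE_IDS = { ROADMAP: 'roadmap', SATELLITE: 'satellite',
                     HYBRID: 'hybrid', TERRAIN: 'terrain' };
function mapTypeId(name) {
    if (!Object.prototype.hasOwnProperty.call(MAP_TYPE_IDS, name))
        throw new Error('unknown map type: ' + name);
    return MAP_TYPE_IDS[name];
}
```

Input that would have been executed by eval() (anything that is not a plain coordinate pair, a JSON object, or a known constant name) now fails closed with an error.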

          People

          • Assignee: Mircea Toma
          • Reporter: Arturo Zambrano
          • Votes: 0
          • Watchers: 3
