Details
-
Type:
Improvement
-
Status: Closed
-
Priority:
Major
-
Resolution: Fixed
-
Affects Version/s: EE-1.8.2.GA_P09
-
Fix Version/s: EE-1.8.2.GA_P10
-
Component/s: Bridge
-
Labels:None
-
Environment:Any
Description
After some recent work regarding potential eval injection risks in ICEfaces 3.3 and 4.2, our ICEfaces 1.8.2 code should be surveyed for other potentially dangerous uses of the eval() function, and those uses should be refactored to avoid using the eval function().
Activity
- All
- Comments
- History
- Activity
- Remote Attachments
- Subversion
r52042: refactored potentially dangerous uses of the eval() function to avoid using it
Show
Arturo Zambrano
added a comment - r52042: refactored potentially dangerous uses of the eval() function to avoid using it
Verified ICEfaces 1.8.2 r52062, Tomcat 8, WAS 8.5.5.11, MS Edge, Chrome 63, FF 53.
Show
Liana Munroe
added a comment - Verified ICEfaces 1.8.2 r52062, Tomcat 8, WAS 8.5.5.11, MS Edge, Chrome 63, FF 53.
The survey was carried out, and only the gmap code needed to be refactored.
For the sake of completeness, here's a list of all the files that use the eval() function in some way in the 1.8.2 codebase.
/bridge/lib/element.js
/bridge/lib/prototype/lang.js
/bridge/src/script.js
These framework scripts use it for evaluating contents of entire <script> elements.
/bridge/lib/scriptaculous/controls.js @790
/bridge/lib/extras/initializer.js @41,@56
/bridge/lib/extras/repository.js @39
These scripts contain instances that are not actually used by any static Javascript file or Java-rendered dynamic Javascript code.
/bridge/lib/extras/extras.js
@711 evaluates the 'handler' attribute of the ice:jsEventListener component, which is unlikely to be set by user input and is meant to be an entire function
/bridge/lib/extras/gmap.js
Contained a few instances that could contain user input. The overlay functions were removed, since there actually isn't a GMap overlay component in 1.8.2.