Two vunlerability fixes:

- Fix #9095 XSS vulnerability - Fix #5094 DoS vulnerability
emweb · Jul 13, 2016 · 95b2ad9 · 95b2ad9
1 parent 448ccbf
commit 95b2ad9
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 5 deletions.
diff --git a/examples/wt-homepage/Home.C b/examples/wt-homepage/Home.C
@@ -425,7 +425,8 @@ WString Home::tr(const char *key)
 
 void Home::googleAnalyticsLogger()
 {
-  doJavaScript("if (window.ga) ga('send','pageview','"
-	       + environment().deploymentPath() + internalPath() + "');");
+  doJavaScript("if (window.ga) ga('send','pageview',"
+	       + WWebWidget::jsStringLiteral(environment().deploymentPath() 
+					     + internalPath()) + ");");
 }
 
diff --git a/src/web/WebRenderer.C b/src/web/WebRenderer.C
@@ -106,6 +106,7 @@ WebRenderer::WebRenderer(WebSession& session)
     pageId_(0),
     expectedAckId_(0),
     scriptId_(0),
+    ackErrs_(0),
     linkedCssCount_(-1),
     currentStatelessSlotIsActuallyStateless_(true),
     formObjectsChanged_(true),
@@ -211,10 +212,12 @@ bool WebRenderer::ackUpdate(int updateId)
     LOG_DEBUG("jsSynced(false) after ackUpdate okay");
     setJSSynced(false);
     ++expectedAckId_;
+    ackErrs_ = 0;
     return true;
   } else if ((updateId < expectedAckId_ && expectedAckId_ - updateId < 5)
 	     || (expectedAckId_ - 5 < updateId)) {
-    return true; // That's still acceptible but no longer plausible
+    ++ackErrs_;
+    return ackErrs_ < 3; // That's still acceptible but no longer plausible
   } else
     return false;
 }
@@ -342,6 +345,7 @@ void WebRenderer::streamBootContent(WebResponse& response,
   bootJs.setVar("SESSION_ID", session_.sessionId());
 
   expectedAckId_ = scriptId_ = WRandom::get();
+  ackErrs_ = 0;
 
   bootJs.setVar("SCRIPT_ID", scriptId_);
   bootJs.setVar("RANDOMSEED", WRandom::get());
@@ -351,7 +355,7 @@ void WebRenderer::streamBootContent(WebResponse& response,
   bootJs.setVar("AJAX_CANONICAL_URL",
 		safeJsStringLiteral(session_.ajaxCanonicalUrl(response)));
   bootJs.setVar("APP_CLASS", "Wt");
-  bootJs.setVar("PATH_INFO", WWebWidget::jsStringLiteral
+  bootJs.setVar("PATH_INFO", safeJsStringLiteral
 		(session_.pagePathInfo_));
 
   bootJs.setCondition("COOKIE_CHECKS", conf.cookieChecks());
@@ -884,6 +888,7 @@ void WebRenderer::serveMainscript(WebResponse& response)
     }
   } else {
     expectedAckId_ = scriptId_ = WRandom::get();
+    ackErrs_ = 0;
   }
 
   WApplication *app = session_.app();

diff --git a/src/web/WebRenderer.h b/src/web/WebRenderer.h
@@ -104,7 +104,7 @@ class WT_API WebRenderer : public Wt::SlotLearnerInterface
   WebSession& session_;
 
   bool visibleOnly_, rendered_, initialStyleRendered_;
-  int twoPhaseThreshold_, pageId_, expectedAckId_, scriptId_;
+  int twoPhaseThreshold_, pageId_, expectedAckId_, scriptId_, ackErrs_;
   int linkedCssCount_;
   std::string solution_;