changeset 6326:1b448d8a422f

utils: fix broken URL in jsonify warning. Also add a note summarizing the linked concerns.
author Søren Løvborg <sorenl@unity3d.com>
date Mon, 07 Nov 2016 15:09:13 +0100
parents aa2542a6538b
children a2db1b9be04d
files kallithea/lib/utils.py
diffstat 1 files changed, 6 insertions(+), 1 deletions(-) [+]
--- a/kallithea/lib/utils.py	Fri Sep 23 21:14:40 2016 +0200
+++ b/kallithea/lib/utils.py	Mon Nov 07 15:09:13 2016 +0100
@@ -718,9 +718,14 @@
     pylons.response.headers['Content-Type'] = 'application/json; charset=utf-8'
     data = func(*args, **kwargs)
     if isinstance(data, (list, tuple)):
+        # A JSON list response is syntactically valid JavaScript and can be
+        # loaded and executed as JavaScript by a malicious third-party site
+        # using <script>, which can lead to cross-site data leaks.
+        # JSON responses should therefore be scalars or objects (i.e. Python
+        # dicts), because a JSON object is a syntax error if intepreted as JS.
         msg = "JSON responses with Array envelopes are susceptible to " \
               "cross-site data leak attacks, see " \
-              "http://wiki.pylonshq.com/display/pylonsfaq/Warnings"
+              "https://web.archive.org/web/20120519231904/http://wiki.pylonshq.com/display/pylonsfaq/Warnings"
         warnings.warn(msg, Warning, 2)
         log.warning(msg)
     log.debug("Returning JSON wrapped action output")
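Review bot: The new comment on the `isinstance(data, (list, tuple))` branch has a typo, `intepreted` should be `interpreted`, and its rationale would be more useful to a future maintainer if it named the precondition of the attack it describes: loading a JSON array via `<script>` only leaked data in JavaScript engines where the `Array` constructor or property setters could be overridden, which later engines closed, so the object envelope is best read as defence in depth rather than the sole protection. Suggest ending the comment with `# (The leak relied on overridable Array constructors/setters in older JS engines; the object envelope is kept as defence in depth.)`. Since the existing `warnings.warn(msg, Warning, 2)` already fires for every list/tuple return, the comment is the right place to carry that context rather than the warning text. The enclosing jsonify wrapper starts and ends outside the hunk.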