
Fixed Accidental AJAX Variable Injection

Discussion in 'Resolved Bug Reports' started by digitalpoint, Jan 26, 2013.

  1. digitalpoint

    digitalpoint Well-Known Member

    In xenforo.js, this:

    Code:
    data = XenForo.ajaxDataPush(data, '_xfRequestUri', window.location.pathname + window.location.search);
    should be:
    Code:
    [code]data = XenForo.ajaxDataPush(data, '_xfRequestUri', window.location.pathname + escape(window.location.search));
    [/code]

    Without it, variables from the URL in the CURRENT page get injected into the AJAX request.

    For example from this URL: https://advertising.digitalpoint.com/advertiser?action=ads&site_id=2

    Any AJAX request that does not have site_id=2 in it actually gets site_id=2 accidentally injected into the request because of the lack of URL encoding on the _xfRequestUri variable.
     
  2. Adam Howard

    Adam Howard Well-Known Member

    Fixed your code. :D

    You originally had some of the BB Code in it ;) :p



    In xenforo.js, this:

    Code:
    data = XenForo.ajaxDataPush(data, '_xfRequestUri', window.location.pathname + window.location.search);
    should be:
    Code:
    data = XenForo.ajaxDataPush(data, '_xfRequestUri', window.location.pathname + escape(window.location.search));


    (Also someone crazy enough to copy & paste without looking & so I didn't want anyone making the mistake)

     
    digitalpoint likes this.
  3. Adam Howard

    Adam Howard Well-Known Member

    Can not confirm

    Can not find your code in xenforo.js
     
  4. digitalpoint

    digitalpoint Well-Known Member

  5. cclaerhout

    cclaerhout Well-Known Member

    Look at the full source js... but you will need to reminify it after.
     
    Adam Howard likes this.
  6. cclaerhout

    cclaerhout Well-Known Member

    -I was wrong :( -
     
  7. Adam Howard

    Adam Howard Well-Known Member

  8. cclaerhout

    cclaerhout Well-Known Member

    Can someone please confirm what I've just checked and if it's the case, please Jake or Slavik mark this post as important!!!
     
  9. cclaerhout

    cclaerhout Well-Known Member

    Adam Howard likes this.
  10. Adam Howard

    Adam Howard Well-Known Member

    * Sigh *

    I need coffee :coffee: (brains out the window, assuming they were there in the first place)

    I have mixed results manually minifying things on my PC. Should be interesting.
     
  11. digitalpoint

    digitalpoint Well-Known Member

    Where's the link to that bug?
     
  12. cclaerhout

    cclaerhout Well-Known Member

  13. cclaerhout

    cclaerhout Well-Known Member

    -I was wrong :( -Sorry -
    Bug is still there.

    The least I can do is to put the replacement to make directly in the minified xenforo.js
    Search:
    Code:
    b=XenForo.ajaxDataPush(b,"_xfRequestUri",g.location.pathname+g.location.search)
    Replace with:
    Code:
    b=XenForo.ajaxDataPush(b,"_xfRequestUri",g.location.pathname+escape(g.location.search))
     
  14. Jake Bunce

    Jake Bunce XenForo Moderator Staff Member

    cclaerhout likes this.
  15. Mike

    Mike XenForo Developer Staff Member

    Fixed, though the underlying issue is with ajaxDataPush. It needed to do better escaping.
     
    p4guru and Slavik like this.
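
Added example, not part of the thread and not XenForo's code: it reproduces the reported behaviour with the URL from the first post and compares the call-site `escape()` fix with escaping inside the serialiser, which is where the last reply locates the underlying issue. `pushRaw`, `pushEscaped`, `parseBody` and the `ad_id=7` request data are hypothetical names and values, and the sketch assumes the AJAX data is a form-encoded string.

```javascript
// Hypothetical helpers for illustration; not XenForo's ajaxDataPush.

// Appends name=value to a form-encoded string with no escaping (the reported behaviour).
function pushRaw(data, name, value) {
  return (data ? data + '&' : '') + name + '=' + value;
}

// Escapes name and value at serialisation time, so every caller is covered.
function pushEscaped(data, name, value) {
  return (data ? data + '&' : '') +
    encodeURIComponent(name) + '=' + encodeURIComponent(value);
}

// Parses a request body the way a form-decoding server would.
function parseBody(body) {
  const out = {};
  for (const [k, v] of new URLSearchParams(body)) {
    (out[k] = out[k] || []).push(v);
  }
  return out;
}

// Constructed sample: page URL parts from the report, plus an AJAX request with no site_id.
const pathname = '/advertiser';
const search = '?action=ads&site_id=2';
const ajaxData = 'ad_id=7';

function demo() {
  const uri = pathname + search;
  return {
    // Unescaped: the '&' in the page URL starts a new parameter in the request.
    raw: parseBody(pushRaw(ajaxData, '_xfRequestUri', uri)),
    // Call-site fix proposed in the thread (escape() is a legacy function).
    callSite: parseBody(pushRaw(ajaxData, '_xfRequestUri', pathname + escape(search))),
    // Escaping inside the serialiser.
    fixed: parseBody(pushEscaped(ajaxData, '_xfRequestUri', uri)),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In the `raw` result the server sees `site_id=2` as its own parameter and `_xfRequestUri` is cut off at the `&`; in the other two, `_xfRequestUri` carries the full path and query and no `site_id` appears.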
