[Tickets #13379] Discontinue eval
noreply at bugs.horde.org
Sat Jul 19 16:28:20 UTC 2014
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/13379
------------------------------------------------------------------------------
Ticket | 13379
Created By | o+horde at immerda.ch
Summary | Discontinue eval
Queue | IMP
Version | 6.2.0
Type | Enhancement
State | New
Priority | 2. Medium
Milestone |
Patch |
Owners |
------------------------------------------------------------------------------
o+horde at immerda.ch (2014-07-19 16:28) wrote:
We are in the process of deploying CSP headers for Horde. Through that
we discovered usage of JS eval in Horde. Especially for a webmail and
the associated danger of injections, it would be nice if Horde could
discontinue the use of eval (and maybe even inline JS/CSS).
One particular case we see is in DimpBase>>loadPreview. It seems it is
only used atm to display modal dialogs from
horde/imp/lib/Ajax/Imple/PassphraseDialog.php.
Then in the dynamic composer:
new Function("t", "return t.sub(/<[^>]*>$/,
\"\").strip().escapeHTML()") afaik this is a static string, so why
even new Function?
Then there are some reports from
/imp/dynamic.php?page=message&mailbox=... that I was not able to
tackle yet.
There might be more occurrences.
If you are interested in fixing those, we can provide more data as
soon as we have better processing for the logs.
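An added example, not code from Horde or from the reporter, illustrating the two points of the ticket: the Function-constructed string above rewritten as a plain static function that runs under a CSP without 'unsafe-eval', and a small check of whether a given policy would still permit eval/new Function. The Prototype.js helpers sub()/strip()/escapeHTML() are re-implemented inline as assumptions about their behaviour; the policy string is constructed for the example.

```javascript
// Prototype.js String#escapeHTML escapes &, < and > (assumption about that library).
function escapeHTML(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Static equivalent of the snippet quoted in the ticket:
//   new Function("t", "return t.sub(/<[^>]*>$/, \"\").strip().escapeHTML()")
// The regex is anchored at the end, so replacing the first match equals
// Prototype's sub() (assumed to replace one occurrence); strip() is trim().
// No code is built from a string, so 'unsafe-eval' is not needed for it.
function cleanRecipient(t) {
  return escapeHTML(t.replace(/<[^>]*>$/, "").trim());
}

// Constructed policy of the kind the ticket describes deploying: because
// script-src lists no 'unsafe-eval', eval() and new Function() are refused.
const CSP_HEADER =
  "Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'";

// Returns true if the policy's effective script-src allows eval/new Function.
// script-src wins; otherwise default-src applies; no directive means no limit.
function cspAllowsEval(policy) {
  const value = policy.replace(/^Content-Security-Policy:\s*/i, "");
  const directives = value.split(";").map((d) => d.trim()).filter(Boolean);
  const effective =
    directives.find((d) => /^script-src\b/i.test(d)) ||
    directives.find((d) => /^default-src\b/i.test(d));
  if (!effective) return true;
  return effective.split(/\s+/).slice(1).includes("'unsafe-eval'");
}

// Stand-alone demonstration on constructed input.
if (typeof require !== "undefined" && require.main === module) {
  console.log(cleanRecipient("John Doe <john@example.com>")); // John Doe
  console.log(cspAllowsEval(CSP_HEADER)); // false
}
```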