Skip to content

Commit bc24fdd

Browse files
author
zhourenjian
committed
Fixed bug that XSS does not support data with length larger than 2k(IE)/8k(FF or others)
Now sending XSS data packet by packet in orders
1 parent df215f4 commit bc24fdd

File tree

1 file changed

+52
-26
lines changed

1 file changed

+52
-26
lines changed

sources/net.sf.j2s.ajax/ajaxrpc/net/sf/j2s/ajax/SimpleRPCRequest.java

Lines changed: 52 additions & 26 deletions
Original file line numberDiff line numberDiff line change
@@ -95,6 +95,9 @@ static String getClassNameURL(SimpleRPCRunnable runnable) {
9595

9696
private static void ajaxRequest(final SimpleRPCRunnable runnable) {
9797
String url = runnable.getHttpURL();
98+
if (url == null) {
99+
url = "";
100+
}
98101
String method = runnable.getHttpMethod();
99102
String serialize = runnable.serialize();
100103
if (method == null) {
@@ -331,28 +334,25 @@ protected static boolean checkXSS(String url, String serialize, SimpleRPCRunnabl
331334
* @j2sNative
332335
return function () {
333336
var g = net.sf.j2s.ajax.SimpleRPCRequest;
334-
var hKey = "h" + rnd;
335-
if (g.idSet[hKey] != null) {
336-
window.clearTimeout (g.idSet[hKey]);
337-
delete g.idSet[hKey];
338-
}
339-
if (window["net"] != null && !net.sf.j2s.ajax.SimpleRPCRequest.cleanUp(oScript)) {
337+
if (!g.cleanUp(script)) {
340338
return; // IE, not completed yet
341339
}
342-
var src = oScript.src;
343-
var idx = src.indexOf ("jzn=");
344-
var rid = src.substring (idx + 4, src.indexOf ("&", idx));
345-
net.sf.j2s.ajax.SimpleRPCRequest.xssNotify (rid, null);
346-
if (oScript.onerror != null) { // W3C
347-
oScript.onerror = oScript.onload = null;
340+
if (error) {
341+
var src = script.src;
342+
var idx = src.indexOf ("jzn=");
343+
var rid = src.substring (idx + 4, src.indexOf ("&", idx));
344+
net.sf.j2s.ajax.SimpleRPCRequest.xssNotify (rid, null);
345+
}
346+
if (script.onerror != null) { // W3C
347+
script.onerror = script.onload = null;
348348
} else { // IE
349-
oScript.onreadystatechange = null;
349+
script.onreadystatechange = null;
350350
}
351-
document.getElementsByTagName ("HEAD")[0].removeChild (oScript);
352-
oScript = null;
351+
document.getElementsByTagName ("HEAD")[0].removeChild (script);
352+
script = null;
353353
};
354354
*/
355-
native static Object generateCallback4Script(Object oScript, String rnd);
355+
native static Object generateCallback4Script(Object script, String rnd, boolean error);
356356

357357
/**
358358
* @j2sNative
@@ -368,19 +368,28 @@ protected static boolean checkXSS(String url, String serialize, SimpleRPCRunnabl
368368
script.type = "text/javascript";
369369
script.src = url + "?jzn=" + rnd + "&jzp=" + length
370370
+ "&jzc=" + (i + 1) + "&jzz=" + content;
371-
var fun = g.generateCallback4Script (script, rnd);
371+
var okFun = g.generateCallback4Script (script, rnd, false);
372+
var errFun = g.generateCallback4Script (script, rnd, true);
372373
var userAgent = navigator.userAgent.toLowerCase ();
373374
var isOpera = (userAgent.indexOf ("opera") != -1);
374375
var isIE = (userAgent.indexOf ("msie") != -1) && !isOpera;
375376
script.defer = true;
376377
if (typeof (script.onreadystatechange) == "undefined" || !isIE) { // W3C
377-
script.onerror = script.onload = fun;
378-
} else { // IE
379-
script.onreadystatechange = fun;
378+
script.onerror = errFun;
379+
script.onload = okFun;
380+
} else { // IE, IE won't detect script loading error until timeout!
381+
script.onreadystatechange = okFun;
380382
}
381383
var head = document.getElementsByTagName ("HEAD")[0];
382384
head.appendChild (script);
383-
g.idSet["h" + rnd] = window.setTimeout (fun, 30000); // 30s timeout // TODO: Expose to configuration
385+
var timeout = 30000;
386+
if (window["j2s.ajax.reqeust.timeout"] != null) {
387+
timeout = window["j2s.ajax.reqeust.timeout"];
388+
}
389+
if (timeout < 1000) {
390+
timeout = 1000; // at least 1s for timeout
391+
}
392+
g.idSet["h" + rnd] = window.setTimeout (errFun, timeout);
384393
*/
385394
native static void callByScript(String rnd, String length, String i, String content);
386395

@@ -409,11 +418,17 @@ static void xssNotify(String nameID, String response, String session) {
409418
var ss = document.getElementsByTagName ("SCRIPT");
410419
for (var i = 0; i < ss.length; i++) {
411420
var s = ss[i];
412-
if (s.src != null && s.src.indexOf ("jzn=" + nameID) != -1
421+
if (s.src != null && s.src.indexOf ("jzn=" + nameID) != -1 // FIXME: Not totally safe
413422
&& s.readyState == "interactive") {
414423
s.onreadystatechange = net.sf.j2s.ajax.SimpleRPCRequest.ieScriptCleanup;
415424
}
416425
}
426+
}
427+
var hKey = "h" + nameID;
428+
var g = net.sf.j2s.ajax.SimpleRPCRequest;
429+
if (g.idSet[hKey] != null) {
430+
window.clearTimeout (g.idSet[hKey]);
431+
delete g.idSet[hKey];
417432
}
418433
*/ { }
419434
if (response == "continue") {
@@ -425,16 +440,27 @@ static void xssNotify(String nameID, String response, String session) {
425440
}
426441
var k = "x" + nameID;
427442
var xcontent = g.idSet[k];
428-
// TODO: The following codes should be modified to send out requests one by one.
429443
if (xcontent != null) {
444+
// Send out requests one by one.
430445
for (var i = 0; i < xcontent.length; i++) {
431446
if (xcontent[i] != null) {
432447
g.callByScript(nameID, xcontent.length, i, xcontent[i]);
433448
xcontent[i] = null;
449+
break;
434450
}
435-
}
436-
g.idSet[k] = null;
437-
delete g.idSet[k];
451+
}
452+
453+
var more = false;
454+
for (var i = xcontent.length - 1; i >= 0; i--) {
455+
if (xcontent[i] != null) {
456+
more = true;
457+
break;
458+
}
459+
}
460+
if (!more) { // all contents are sent
461+
g.idSet[k] = null;
462+
delete g.idSet[k];
463+
}
438464
}
439465
*/ {}
440466
return;

0 commit comments

Comments
 (0)