_Bastler/partey_workadventure
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Fixed potential injection by switching map container to PHP

Browse Source 
Some HTML files were importing iframe_api.js automatically by detecting the referrer document.

While this was done in a safe way (the map container does not use cookies), it is not
a best practice to load a script originating from document.referrer.

This PR solves the issue by using PHP to inject the correct domain name in the HTML files.
This commit is contained in:
David Négrier
2021-11-29 19:05:13 +01:00
parent 233c3d1abe
commit 41fd848fa0
27 changed files with 167 additions and 204 deletions
Download Patch File Download Diff File Expand all files Collapse all files
maps/tests/Metadata/cowebsiteAllowApi.html
-18
View File
@@ -1,18 +0,0 @@
<!doctype html>
<html lang="en">
<head>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
})
</script>
</head>
<body>
<p>Website opened by script.</p>
</body>
</html>
maps/tests/Metadata/cowebsiteAllowApi.js
+1 -1
View File
@@ -1 +1 @@
WA.nav.openCoWebSite("cowebsiteAllowApi.html", true, "");
WA.nav.openCoWebSite("cowebsiteAllowApi.php", true, "");
maps/tests/Metadata/cowebsiteAllowApi.php
+14
View File
@@ -0,0 +1,14 @@
<!doctype html>
<html lang="en">
<head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
window.addEventListener('load', () => {
WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
})
</script>
</head>
<body>
<p>Website opened by script.</p>
</body>
</html>
maps/tests/Metadata/customIframeMenuApi.html
-20
View File
@@ -1,20 +0,0 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>API in iframe menu</title>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
})
</script>
</head>
<body style="text-align: center">
<p style="color: whitesmoke">This is an iframe in a custom menu.</p>
</body>
</html>
maps/tests/Metadata/customIframeMenuApi.php
+16
View File
@@ -0,0 +1,16 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>API in iframe menu</title>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
window.addEventListener('load', () => {
WA.chat.sendChatMessage('The iframe opened by a script works !', 'Mr Robot');
})
</script>
</head>
<body style="text-align: center">
<p style="color: whitesmoke">This is an iframe in a custom menu.</p>
</body>
</html>
maps/tests/Metadata/customMenu.html
-18
View File
@@ -1,18 +0,0 @@
<!doctype html>
<html lang="en">
<head>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
WA.ui.registerMenuCommand('test', 'customIframeMenu.html', {autoClose: true});
})
</script>
</head>
<body>
<p>Add a custom menu</p>
</body>
</html>
maps/tests/Metadata/customMenu.js
+2 -2
View File
@@ -7,9 +7,9 @@ WA.ui.registerMenuCommand('custom callback menu', () => {
WA.ui.registerMenuCommand('custom iframe menu', {iframe: 'customIframeMenu.html'});
WA.room.onEnterZone('iframeMenu', () => {
menuIframeApi = WA.ui.registerMenuCommand('IFRAME USE API', {iframe: 'customIframeMenuApi.html', allowApi: true});
menuIframeApi = WA.ui.registerMenuCommand('IFRAME USE API', {iframe: 'customIframeMenuApi.php', allowApi: true});
})
WA.room.onLeaveZone('iframeMenu', () => {
menuIframeApi.remove();
})
})
maps/tests/Metadata/customMenu.json
+2 -2
View File
@@ -54,7 +54,7 @@
{
"name":"openWebsite",
"type":"string",
"value":"customMenu.html"
"value":"customMenu.php"
},
{
"name":"openWebsiteAllowApi",
@@ -97,4 +97,4 @@
"type":"map",
"version":"1.6",
"width":10
}
}
maps/tests/Metadata/customMenu.php
+14
View File
@@ -0,0 +1,14 @@
<!doctype html>
<html lang="en">
<head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
window.addEventListener('load', () => {
WA.ui.registerMenuCommand('test', 'customIframeMenu.html', {autoClose: true});
})
</script>
</head>
<body>
<p>Add a custom menu</p>
</body>
</html>
maps/tests/Metadata/playerMove.html
-18
View File
@@ -1,18 +0,0 @@
<!doctype html>
<html lang="en">
<head>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
WA.player.onPlayerMove(console.log);
})
</script>
</head>
<body>
<p>Log in the console the movement of the current player in the zone of the iframe</p>
</body>
</html>
maps/tests/Metadata/playerMove.json
+21 -21
View File
@@ -13,7 +13,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[33, 34, 34, 34, 34, 34, 34, 34, 34, 35, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 49, 50, 50, 50, 50, 50, 50, 50, 50, 51],
"height":10,
@@ -25,7 +25,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@@ -36,8 +36,8 @@
{
"name":"openWebsite",
"type":"string",
"value":"playerMove.html"
},
"value":"playerMove.php"
},
{
"name":"openWebsiteAllowApi",
"type":"bool",
@@ -48,7 +48,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"draworder":"topdown",
"id":5,
@@ -105,7 +105,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":1,
"properties":[
@@ -114,7 +114,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":2,
"properties":[
@@ -123,7 +123,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":3,
"properties":[
@@ -132,7 +132,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":4,
"properties":[
@@ -141,7 +141,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":8,
"properties":[
@@ -150,7 +150,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":9,
"properties":[
@@ -159,7 +159,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":10,
"properties":[
@@ -168,7 +168,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":11,
"properties":[
@@ -177,7 +177,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":12,
"properties":[
@@ -186,7 +186,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":16,
"properties":[
@@ -195,7 +195,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":17,
"properties":[
@@ -204,7 +204,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":18,
"properties":[
@@ -213,7 +213,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":19,
"properties":[
@@ -222,7 +222,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":20,
"properties":[
@@ -233,7 +233,7 @@
}]
}],
"tilewidth":32
},
},
{
"columns":8,
"firstgid":65,
@@ -251,4 +251,4 @@
"type":"map",
"version":1.4,
"width":10
}
}
maps/tests/Metadata/playerMove.php
+14
View File
@@ -0,0 +1,14 @@
<!doctype html>
<html lang="en">
<head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
window.addEventListener('load', () => {
WA.player.onPlayerMove(console.log);
})
</script>
</head>
<body>
<p>Log in the console the movement of the current player in the zone of the iframe</p>
</body>
</html>
maps/tests/Metadata/setProperty.json
+22 -22
View File
@@ -13,7 +13,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[33, 34, 34, 34, 34, 34, 34, 34, 34, 35, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 49, 50, 50, 50, 50, 50, 50, 50, 50, 51],
"height":10,
@@ -25,7 +25,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@@ -36,8 +36,8 @@
{
"name":"openWebsite",
"type":"string",
"value":"setProperty.html"
},
"value":"setProperty.php"
},
{
"name":"openWebsiteAllowApi",
"type":"bool",
@@ -48,7 +48,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 101, 101, 101, 101, 101, 0, 0, 0, 0, 0, 101, 101, 101, 101, 101, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@@ -60,7 +60,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"draworder":"topdown",
"id":5,
@@ -117,7 +117,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":1,
"properties":[
@@ -126,7 +126,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":2,
"properties":[
@@ -135,7 +135,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":3,
"properties":[
@@ -144,7 +144,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":4,
"properties":[
@@ -153,7 +153,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":8,
"properties":[
@@ -162,7 +162,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":9,
"properties":[
@@ -171,7 +171,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":10,
"properties":[
@@ -180,7 +180,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":11,
"properties":[
@@ -189,7 +189,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":12,
"properties":[
@@ -198,7 +198,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":16,
"properties":[
@@ -207,7 +207,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":17,
"properties":[
@@ -216,7 +216,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":18,
"properties":[
@@ -225,7 +225,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":19,
"properties":[
@@ -234,7 +234,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":20,
"properties":[
@@ -245,7 +245,7 @@
}]
}],
"tilewidth":32
},
},
{
"columns":8,
"firstgid":65,
@@ -263,4 +263,4 @@
"type":"map",
"version":1.4,
"width":10
}
}
maps/tests/Metadata/setProperty.html → maps/tests/Metadata/setProperty.php
+2 -6
View File
@@ -1,12 +1,8 @@
<!doctype html>
<html lang="en">
<head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
WA.room.setProperty('iframeTest', 'openWebsite', 'https://www.wikipedia.org/');
WA.room.setProperty('metadata', 'openWebsite', 'https://www.wikipedia.org/');
@@ -16,4 +12,4 @@
<body>
<p>Change the url of this iframe and add the 'openWebsite' property to the red tile layer</p>
</body>
</html>
</html>
maps/tests/Metadata/setTiles.html
+1 -5
View File
@@ -1,12 +1,8 @@
<!doctype html>
<html lang="en">
<head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
WA.room.setTiles([
maps/tests/Metadata/setTiles.json
+1 -1
View File
@@ -43,7 +43,7 @@
{
"name":"openWebsite",
"type":"string",
"value":"setTiles.html"
"value":"setTiles.php"
},
{
"name":"openWebsiteAllowApi",
maps/tests/Metadata/showHideLayer.html
+2 -6
View File
@@ -1,12 +1,8 @@
<!doctype html>
<html lang="en">
<head>
<script src="<?php echo $_SERVER["FRONT_URL"] ?>/iframe_api.js"></script>
<script>
var script = document.createElement('script');
// Don't do this at home kids! The "document.referrer" part is actually inserting a XSS security.
// We are OK in this precise case because the HTML page is hosted on the "maps" domain that contains only static files.
script.setAttribute('src', document.referrer + 'iframe_api.js');
document.head.appendChild(script);
window.addEventListener('load', () => {
document.getElementById('show/hideLayer').onclick = () => {
if (document.getElementById('show/hideLayer').checked) {
@@ -24,4 +20,4 @@
<label for="show/hideLayer">Crysal Layer : </label><input type="checkbox" id="show/hideLayer" name="visible" value="show" checked>
</div>
</body>
</html>
</html>
maps/tests/Metadata/showHideLayer.json
+22 -22
View File
@@ -13,7 +13,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[33, 34, 34, 34, 34, 34, 34, 34, 34, 35, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 41, 42, 42, 42, 42, 42, 42, 42, 42, 43, 49, 50, 50, 50, 50, 50, 50, 50, 50, 51],
"height":10,
@@ -25,7 +25,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[22, 0, 0, 0, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 0, 0, 0, 0, 0, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 22, 0, 0, 22, 0, 0, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@@ -37,7 +37,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"data":[0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0],
"height":10,
@@ -48,8 +48,8 @@
{
"name":"openWebsite",
"type":"string",
"value":"showHideLayer.html"
},
"value":"showHideLayer.php"
},
{
"name":"openWebsiteAllowApi",
"type":"bool",
@@ -60,7 +60,7 @@
"width":10,
"x":0,
"y":0
},
},
{
"draworder":"topdown",
"id":5,
@@ -117,7 +117,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":1,
"properties":[
@@ -126,7 +126,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":2,
"properties":[
@@ -135,7 +135,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":3,
"properties":[
@@ -144,7 +144,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":4,
"properties":[
@@ -153,7 +153,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":8,
"properties":[
@@ -162,7 +162,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":9,
"properties":[
@@ -171,7 +171,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":10,
"properties":[
@@ -180,7 +180,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":11,
"properties":[
@@ -189,7 +189,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":12,
"properties":[
@@ -198,7 +198,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":16,
"properties":[
@@ -207,7 +207,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":17,
"properties":[
@@ -216,7 +216,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":18,
"properties":[
@@ -225,7 +225,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":19,
"properties":[
@@ -234,7 +234,7 @@
"type":"bool",
"value":true
}]
},
},
{
"id":20,
"properties":[
@@ -245,7 +245,7 @@
}]
}],
"tilewidth":32
},
},
{
"columns":8,
"firstgid":65,
@@ -263,4 +263,4 @@
"type":"map",
"version":1.4,
"width":10
}
}