Shindig / SHINDIG-1765

Replace the unparseable cruft message "throw 1; < don't be evil' >" constant in client and server with a container config

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.5.0
    • Fix Version/s: 2.5.0-beta2
    • Component/s: Java
    • Labels: None

      Description

      The gadget io request will inject an unparseable cruft message "throw 1; < don't be evil' >" in the response content intentionally for security reasons.
      However, this "throw 1; < don't be evil' >" string has been hardcoded in:
      features/src/main/javascript/features/core.io/io.js
      java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java

      It would be good to extract the message into a container config, so:

      • client and server can reuse the same message.
      • Shindig consumers can replace the message with their own.

      The new config can be added into gadgets.features.core.io in container.js, as shown below:

      "gadgets.features" : {
        "core.io" : {
          // Note: ${Cur['gadgets.uri.proxy.path']} is an open proxy. Be careful how you expose this!
          // Note: These urls should be protocol relative (start with //)
          "proxyUrl" : "//${Cur['default.domain.unlocked.client']}${Cur['gadgets.uri.proxy.path']}?container=%container%&refresh=%refresh%&url=%url%%rewriteMime%",
          "jsonProxyUrl" : "//${Cur['default.domain.locked.client']}${CONTEXT_ROOT}/gadgets/makeRequest",
          "unparseableCruft" : "throw 1; < don't be evil' >"
        },

      1. 1765.patch
        9 kB
        Marshall Shi
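
The following example is added here and is not Shindig code or part of the attached patch. It shows a server prepending the configured unparseableCruft to a JSON body and a client stripping it using the same container setting, and it refuses to work when the setting is absent or the two sides disagree. The function names, the array payload and the fail-closed behaviour are assumptions made for illustration.

```javascript
// Added example, not Shindig code. All function and variable names are hypothetical.

// Constructed stand-in for the "core.io" section of container.js.
const containerConfig = {
  'core.io': { unparseableCruft: "throw 1; < don't be evil' >" }
};

// Read the shared prefix. Fail closed when a container omits it, so that a
// misconfigured container never sends or accepts unprefixed JSON.
function getCruft(config) {
  const io = config && config['core.io'];
  const cruft = io && io.unparseableCruft;
  if (typeof cruft !== 'string' || cruft.length === 0) {
    throw new Error('core.io.unparseableCruft must be set in the container config');
  }
  return cruft;
}

// Server side: prepend the configured prefix to the JSON body.
function wrapResponse(config, payload) {
  return getCruft(config) + JSON.stringify(payload);
}

// Client side: accept only bodies that start with the configured prefix,
// then parse the remainder as JSON.
function unwrapResponse(config, body) {
  const cruft = getCruft(config);
  if (typeof body !== 'string' || !body.startsWith(cruft)) {
    throw new Error('response does not start with the configured cruft');
  }
  return JSON.parse(body.slice(cruft.length));
}

// Reports whether a body would be accepted by a JavaScript engine if it were
// loaded as a script rather than fetched as text. Parse only; the resulting
// function is never called.
function evaluatesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample payload (an array, which is valid script syntax on its own).
const samplePayload = [{ rc: 200, body: 'ok' }];
const demoBody = wrapResponse(containerConfig, samplePayload);

console.log('on the wire:       ', demoBody);
console.log('client sees:       ', unwrapResponse(containerConfig, demoBody));
console.log('bare JSON parses:  ', evaluatesAsScript(JSON.stringify(samplePayload)));
console.log('prefixed parses:   ', evaluatesAsScript(demoBody));
```

Because both sides read the value from the same config object, changing the message in one place keeps them in step; a client holding a different value rejects the response instead of parsing it.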

        Activity

        jiraposter@reviews.apache.org added a comment -

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/
        -----------------------------------------------------------

        Review request for Ryan Baxter, Dan Dumont and Stanton Sievers.

        Summary
        -------

        The gadget io request will inject an unparseable cruft message "throw 1; < don't be evil' >" in the response content intentionally for security reasons.
        However, this "throw 1; < don't be evil' >" string has been hardcoded in:
        features/src/main/javascript/features/core.io/io.js
        java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java

        It would be good to extract the message into a container config, so:

        • client and server can reuse the same message.
        • Shindig consumers can replace the message with their own.

        This addresses bug SHINDIG-1765.
        https://issues.apache.org/jira/browse/SHINDIG-1765

        Diffs


        http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1333012

        Diff: https://reviews.apache.org/r/5011/diff

        Testing
        -------

        Tested by trying a few other messages in the container.js; the replaced message shows up in the response correctly.

        Thanks,

        Marshall

        jiraposter@reviews.apache.org added a comment -

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/#review7552
        -----------------------------------------------------------

        I'm seeing JSUnit test failures with this patch. Can you make sure to update shindig-features/src/test/javascript/features/core.io/iotest.js to reflect these changes? There are a couple calls to gadgets.config.init in there that need to have the new unparseableCruft config in the json.

        http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js
        <https://reviews.apache.org/r/5011/#comment16719>

        Small nit: remove extra whitespace

        • Stanton

        On 2012-05-04 02:29:59, Marshall Shi wrote:

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/
        -----------------------------------------------------------

        (Updated 2012-05-04 02:29:59)

        Review request for Ryan Baxter, Dan Dumont and Stanton Sievers.

        Summary
        -------

        The gadget io request will inject an unparseable cruft message "throw 1; < don't be evil' >" in the response content intentionally for security reasons.
        However, this "throw 1; < don't be evil' >" string has been hardcoded in:
        features/src/main/javascript/features/core.io/io.js
        java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java

        It would be good to extract the message into a container config, so:

        - client and server can reuse the same message.
        - Shindig consumers can replace the message with their own.

        This addresses bug SHINDIG-1765.
        https://issues.apache.org/jira/browse/SHINDIG-1765

        Diffs
        -----

        http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1333012

        Diff: https://reviews.apache.org/r/5011/diff

        Testing
        -------

        Tested by trying a few other messages in the container.js; the replaced message shows up in the response correctly.

        Thanks,

        Marshall

        jiraposter@reviews.apache.org added a comment -

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/#review7556
        -----------------------------------------------------------

        LGTM besides the test failures Stanton pointed out.

        • Ryan

        jiraposter@reviews.apache.org added a comment -

        On 2012-05-04 13:55:31, Ryan Baxter wrote:

        > LGTM besides the test failures Stanton pointed out.

        Same here. Thanks for working on this!

        • Dan

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/#review7556
        -----------------------------------------------------------

        jiraposter@reviews.apache.org added a comment -

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/#review7562
        -----------------------------------------------------------

        http://svn.apache.org/repos/asf/shindig/trunk/config/container.js
        <https://reviews.apache.org/r/5011/#comment16746>

        We may want to add a comment here noting that this setting MUST be supplied in every container config object, as there is no default if it is not supplied.

        Either that or provide a default in code if there is nothing set here.

        • Dan

        jiraposter@reviews.apache.org added a comment -

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/
        -----------------------------------------------------------

        (Updated 2012-05-07 02:50:22.611528)

        Review request for Ryan Baxter, Dan Dumont and Stanton Sievers.

        Changes
        -------

        • update iotest.js to pass the test cases
        • update container.js to tell that the unparseableCruft setting is required for every container.
        • remove an unnecessary whitespace in io.js

        Summary
        -------

        The gadget io request will inject an unparseable cruft message "throw 1; < don't be evil' >" in the response content intentionally for security reasons.
        However, this "throw 1; < don't be evil' >" string has been hardcoded in:
        features/src/main/javascript/features/core.io/io.js
        java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java

        It would be good to extract the message into a container config, so:

        • client and server can reuse the same message.
        • Shindig consumers can replace the message with their own.

        This addresses bug SHINDIG-1765.
        https://issues.apache.org/jira/browse/SHINDIG-1765

        Diffs (updated)


        http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/features/src/test/javascript/features/core.io/iotest.js 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1333012

        Diff: https://reviews.apache.org/r/5011/diff

        Testing
        -------

        Tested by trying a few other messages in the container.js; the replaced message shows up in the response correctly.

        Thanks,

        Marshall

        jiraposter@reviews.apache.org added a comment -

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/#review7634
        -----------------------------------------------------------

        I've gotten past the JSUnit failures in iotest.js, but now I'm seeing failures in MakeRequestHandlerTest.

        • Stanton

        On 2012-05-07 02:50:22, Marshall Shi wrote:

        -----------------------------------------------------------

        This is an automatically generated e-mail. To reply, visit:

        https://reviews.apache.org/r/5011/

        -----------------------------------------------------------

        (Updated 2012-05-07 02:50:22)

        Review request for Ryan Baxter, Dan Dumont and Stanton Sievers.

        Summary

        -------

        The gadget io request will inject a unparseable cruft message "throw 1; < don't be evil' >" in the response content intentionally for security reasons.

        However, this "throw 1; < don't be evil' >" string has been hardcoded in:

        features/src/main/javascript/features/core.io/io.js

        java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java

        It would be good to extract the message into a container config, so:

        - client and server can reuse the same message.

        - Shindig consumers can replace the message with their own.

        This addresses bug SHINDIG-1765.

        https://issues.apache.org/jira/browse/SHINDIG-1765

        Diffs

        -----

        http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/features/src/test/javascript/features/core.io/iotest.js 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1333012

        Diff: https://reviews.apache.org/r/5011/diff

        Testing

        -------

        Tested by trying a few other messages in the container.js, the replaced message shows up in the response correctly.

        Thanks,

        Marshall

        jiraposter@reviews.apache.org added a comment -

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/#review7635
        -----------------------------------------------------------

        I'm getting test errors when running the build with this patch.

        Error report > http://pastebin.com/dgHLScGi

        • Dan

        On 2012-05-07 02:50:22, Marshall Shi wrote:

        -----------------------------------------------------------

        This is an automatically generated e-mail. To reply, visit:

        https://reviews.apache.org/r/5011/

        -----------------------------------------------------------

        (Updated 2012-05-07 02:50:22)

        Review request for Ryan Baxter, Dan Dumont and Stanton Sievers.

        Summary

        -------

        The gadget io request will inject an unparseable cruft message "throw 1; < don't be evil' >" in the response content intentionally for security reasons.

        However, this "throw 1; < don't be evil' >" string has been hardcoded in:

        features/src/main/javascript/features/core.io/io.js

        java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java

        It would be good to extract the message into a container config, so:

        - client and server can reuse the same message.

        - Shindig consumers can replace the message with their own.

        This addresses bug SHINDIG-1765.

        https://issues.apache.org/jira/browse/SHINDIG-1765

        Diffs

        -----

        http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/features/src/test/javascript/features/core.io/iotest.js 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1333012

        Diff: https://reviews.apache.org/r/5011/diff

        Testing

        -------

        Tested by trying a few other messages in the container.js, the replaced message shows up in the response correctly.

        Thanks,

        Marshall

        jiraposter@reviews.apache.org added a comment -

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/
        -----------------------------------------------------------

        (Updated 2012-05-09 02:21:04.859023)

        Review request for Ryan Baxter, Dan Dumont and Stanton Sievers.

        Changes
        -------

        • update the default container config json object in MakeRequestHandlerTest.java and MakeRequestServletTest.java, add the new container config unparseableCruft there.
        • use the container info from HttpRequest object, instead of GadgetContext object.

        Summary
        -------

        The gadget io request will inject an unparseable cruft message "throw 1; < don't be evil' >" in the response content intentionally for security reasons.
        However, this "throw 1; < don't be evil' >" string has been hardcoded in:
        features/src/main/javascript/features/core.io/io.js
        java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java

        It would be good to extract the message into a container config, so:

        • client and server can reuse the same message.
        • Shindig consumers can replace the message with their own.

        This addresses bug SHINDIG-1765.
        https://issues.apache.org/jira/browse/SHINDIG-1765

        Diffs (updated)


        http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/features/src/test/javascript/features/core.io/iotest.js 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1333012

        Diff: https://reviews.apache.org/r/5011/diff

        Testing
        -------

        Tested by trying a few other messages in the container.js, the replaced message shows up in the response correctly.

        Thanks,

        Marshall
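
The mechanism this review request describes, as an added example that is not part of the thread or of Shindig's code: the server prefixes its JSON with the configured cruft so the body cannot be loaded as a script, and the client strips the same prefix before parsing. All helper names are hypothetical and the config object is constructed; only the `unparseableCruft` key and its default value come from the issue.

```javascript
// Constructed container config, reduced to the key proposed in SHINDIG-1765.
const containerConfig = {
  "gadgets.features": {
    "core.io": { "unparseableCruft": "throw 1; < don't be evil' >" }
  }
};

// Read the shared prefix; fail closed when the container has none configured.
function getCruft(config) {
  const io = (config["gadgets.features"] || {})["core.io"] || {};
  const cruft = io.unparseableCruft;
  if (typeof cruft !== "string" || cruft.length === 0) {
    throw new Error("core.io.unparseableCruft is not configured");
  }
  return cruft;
}

// Server side (hypothetical helper): prefix the JSON body with the cruft.
function wrapResponse(config, payload) {
  return getCruft(config) + JSON.stringify(payload);
}

// Client side (hypothetical helper): verify the prefix, then parse the rest.
// A mismatch means client and server disagree on the message, which is the
// drift the shared config is meant to prevent.
function unwrapResponse(config, body) {
  const cruft = getCruft(config);
  if (!body.startsWith(cruft)) {
    throw new Error("response does not start with the configured cruft");
  }
  return JSON.parse(body.slice(cruft.length));
}

// True when the text compiles as JavaScript. The function is only compiled,
// never invoked, so nothing in the text is executed.
function parsesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Check a replacement message before deploying it: does it still stop a
// JSON array body from compiling as a script? This covers parse failure
// only; it says nothing about prefixes that protect by other means.
function cruftIsUnparseable(cruft) {
  return !parsesAsScript(cruft + '[{"k":1}]');
}

// Constructed sample payload. A bare JSON array is a valid script on its own,
// which is why the prefix is needed.
const samplePayload = [{ token: "abc" }];
const sampleBody = wrapResponse(containerConfig, samplePayload);
```

Running `cruftIsUnparseable` on a replacement message before putting it in `container.js` shows whether the custom string keeps the property the default has.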

        jiraposter@reviews.apache.org added a comment -

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/#review7730
        -----------------------------------------------------------

        Ship it!

        LGTM. Please add the shindig group for review.

        • Stanton

        On 2012-05-09 02:21:04, Marshall Shi wrote:

        -----------------------------------------------------------

        This is an automatically generated e-mail. To reply, visit:

        https://reviews.apache.org/r/5011/

        -----------------------------------------------------------

        (Updated 2012-05-09 02:21:04)

        Review request for Ryan Baxter, Dan Dumont and Stanton Sievers.

        Summary

        -------

        The gadget io request will inject an unparseable cruft message "throw 1; < don't be evil' >" in the response content intentionally for security reasons.

        However, this "throw 1; < don't be evil' >" string has been hardcoded in:

        features/src/main/javascript/features/core.io/io.js

        java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java

        It would be good to extract the message into a container config, so:

        - client and server can reuse the same message.

        - Shindig consumers can replace the message with their own.

        This addresses bug SHINDIG-1765.

        https://issues.apache.org/jira/browse/SHINDIG-1765

        Diffs

        -----

        http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/features/src/test/javascript/features/core.io/iotest.js 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1333012

        Diff: https://reviews.apache.org/r/5011/diff

        Testing

        -------

        Tested by trying a few other messages in the container.js, the replaced message shows up in the response correctly.

        Thanks,

        Marshall

        jiraposter@reviews.apache.org added a comment -

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/
        -----------------------------------------------------------

        (Updated 2012-05-09 11:56:00.797407)

        Review request for shindig, Ryan Baxter, Dan Dumont, and Stanton Sievers.

        Changes
        -------

        Call for review of the patch. I've done the manual test, and the unit test cases have also been verified.

        Summary
        -------

        The gadget io request will inject an unparseable cruft message "throw 1; < don't be evil' >" in the response content intentionally for security reasons.
        However, this "throw 1; < don't be evil' >" string has been hardcoded in:
        features/src/main/javascript/features/core.io/io.js
        java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java

        It would be good to extract the message into a container config, so:

        • client and server can reuse the same message.
        • Shindig consumers can replace the message with their own.

        This addresses bug SHINDIG-1765.
        https://issues.apache.org/jira/browse/SHINDIG-1765

        Diffs


        http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/features/src/test/javascript/features/core.io/iotest.js 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1333012
        http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1333012

        Diff: https://reviews.apache.org/r/5011/diff

        Testing
        -------

        Tested by trying a few other messages in the container.js, the replaced message shows up in the response correctly.

        Thanks,

        Marshall

        jiraposter@reviews.apache.org added a comment -

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/#review7768
        -----------------------------------------------------------

        Ship it!

        LGTM.

        Last call for reviewers. I plan on delivering this patch tomorrow morning if no one else has any comments.

        • Ryan

        On 2012-05-09 11:56:00, Marshall Shi wrote:

        -----------------------------------------------------------

        This is an automatically generated e-mail. To reply, visit:

        https://reviews.apache.org/r/5011/

        -----------------------------------------------------------

        (Updated 2012-05-09 11:56:00)

        Review request for shindig, Ryan Baxter, Dan Dumont, and Stanton Sievers.

        Summary

        -------

        The gadget io request will inject an unparseable cruft message "throw 1; < don't be evil' >" in the response content intentionally for security reasons.

        However, this "throw 1; < don't be evil' >" string has been hardcoded in:

        features/src/main/javascript/features/core.io/io.js

        java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java

        It would be good to extract the message into a container config, so:

        - client and server can reuse the same message.

        - Shindig consumers can replace the message with their own.

        This addresses bug SHINDIG-1765.

        https://issues.apache.org/jira/browse/SHINDIG-1765

        Diffs

        -----

        http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/features/src/test/javascript/features/core.io/iotest.js 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1333012

        Diff: https://reviews.apache.org/r/5011/diff

        Testing

        -------

        Tested by trying a few other messages in the container.js, the replaced message shows up in the response correctly.

        Thanks,

        Marshall

        jiraposter@reviews.apache.org added a comment -

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/#review7774
        -----------------------------------------------------------

        http://svn.apache.org/repos/asf/shindig/trunk/config/container.js
        <https://reviews.apache.org/r/5011/#comment17076>

        Can we add a default value for this config to the default container.js file?

        • Henry

        On 2012-05-09 11:56:00, Marshall Shi wrote:

        -----------------------------------------------------------

        This is an automatically generated e-mail. To reply, visit:

        https://reviews.apache.org/r/5011/

        -----------------------------------------------------------

        (Updated 2012-05-09 11:56:00)

        Review request for shindig, Ryan Baxter, Dan Dumont, and Stanton Sievers.

        Summary

        -------

        The gadget io request will inject an unparseable cruft message "throw 1; < don't be evil' >" in the response content intentionally for security reasons.

        However, this "throw 1; < don't be evil' >" string has been hardcoded in:

        features/src/main/javascript/features/core.io/io.js

        java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java

        It would be good to extract the message into a container config, so:

        - client and server can reuse the same message.

        - Shindig consumers can replace the message with their own.

        This addresses bug SHINDIG-1765.

        https://issues.apache.org/jira/browse/SHINDIG-1765

        Diffs

        -----

        http://svn.apache.org/repos/asf/shindig/trunk/features/src/main/javascript/features/core.io/io.js 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/features/src/test/javascript/features/core.io/iotest.js 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/MakeRequestHandler.java 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestHandlerTest.java 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/servlet/MakeRequestServletTest.java 1333012

        http://svn.apache.org/repos/asf/shindig/trunk/config/container.js 1333012

        Diff: https://reviews.apache.org/r/5011/diff

        Testing

        -------

        Tested by trying a few other messages in the container.js, the replaced message shows up in the response correctly.

        Thanks,

        Marshall

        jiraposter@reviews.apache.org added a comment -

        On 2012-05-10 16:31:33, Henry Saputra wrote:

        > http://svn.apache.org/repos/asf/shindig/trunk/config/container.js, line 159

        > <https://reviews.apache.org/r/5011/diff/3/?file=107953#file107953line159>

        >

        > Can we add a default value for this config to the default container.js file?

        I'm not quite sure I follow, Henry.

        • Stanton

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/#review7774
        -----------------------------------------------------------

        jiraposter@reviews.apache.org added a comment -

        On 2012-05-10 16:31:33, Henry Saputra wrote:

        > http://svn.apache.org/repos/asf/shindig/trunk/config/container.js, line 159

        > <https://reviews.apache.org/r/5011/diff/3/?file=107953#file107953line159>

        >

        > Can we add a default value for this config to the default container.js file?

        Stanton Sievers wrote:

        I'm not quite sure I follow, Henry.

        This is what happens if you start reviewing patches without getting your coffee =(

        I see you are already adding a new config entry in the config container.js file for the "unparseableCruft".

        I thought I saw the "unparseableCruft" defined in the container feature js file (they have the same name I believe).

        Sorry, another bad review from me =(

        • Henry

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/#review7774
        -----------------------------------------------------------

        jiraposter@reviews.apache.org added a comment -

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/#review7785
        -----------------------------------------------------------

        Ship it!

        +1

        • Henry

        Marshall Shi added a comment -

        Patch for JIRA 1765.

        jiraposter@reviews.apache.org added a comment -

        -----------------------------------------------------------
        This is an automatically generated e-mail. To reply, visit:
        https://reviews.apache.org/r/5011/#review7837
        -----------------------------------------------------------

        Ship it!

        Committed revision 1338171. Thanks!

        Please close this review as submitted.

        • Stanton

        Stanton Sievers added a comment -

        Committed revision 1338171.

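The arrangement this issue asks for, as an added example that is not Shindig's code: one container config entry supplies the message, the server prefixes it to the JSON body, and the client strips exactly that prefix before parsing. The function names are hypothetical, the config object is trimmed to the one key from the issue, and the check that a replacement message still breaks parsing is an assumption of this sketch, not behaviour the patch is known to have.

```javascript
// Constructed container config: the "unparseableCruft" key and its default
// value come from the issue; the object is trimmed to that one entry.
const defaultConfig = {
  'gadgets.features': {
    'core.io': { unparseableCruft: "throw 1; < don't be evil' >" }
  }
};

// Build a config carrying a different message (hypothetical helper).
function withCruft(message) {
  return { 'gadgets.features': { 'core.io': { unparseableCruft: message } } };
}

// True when `text` compiles as a script body. new Function() only parses
// here; the function it returns is never called.
function compilesAsScript(text) {
  try { new Function(text); return true; } catch (e) { return false; }
}

function parsesAsJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

// Hypothetical validation: read the configured message and confirm that it
// still makes a JSON body unparseable, both as JSON and as script.
function readCruft(config) {
  const io = (config['gadgets.features'] || {})['core.io'] || {};
  const cruft = io.unparseableCruft;
  if (typeof cruft !== 'string' || cruft.length === 0) {
    throw new Error('unparseableCruft is missing or empty');
  }
  const probe = cruft + '[{"probe":1}]';
  if (parsesAsJson(probe) || compilesAsScript(probe)) {
    throw new Error('unparseableCruft does not break parsing');
  }
  return cruft;
}

// Server side (stand-in for the Java handler): prefix the JSON body.
function wrapResponse(config, payload) {
  return readCruft(config) + JSON.stringify(payload);
}

// Client side (stand-in for io.js): require the exact prefix, then parse.
function unwrapResponse(config, body) {
  const cruft = readCruft(config);
  if (!body.startsWith(cruft)) {
    throw new Error('response does not start with the configured prefix');
  }
  return JSON.parse(body.slice(cruft.length));
}
```

A client and server that read different messages fail closed here: `unwrapResponse` throws instead of parsing a body whose prefix it does not recognise.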

          People

          • Assignee:
            Unassigned
            Reporter:
            Marshall Shi

              Time Tracking

              Estimated: 4h
              Remaining: 4h
              Logged: Not Specified
