[Gnash-commit] [bug #50677] Gnash-libgnashplugin communication lacks pro

gnash-commit

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Gnash-commit] [bug #50677] Gnash-libgnashplugin communication lacks pro

From:	Nutchanon Wetchasit
Subject:	[Gnash-commit] [bug #50677] Gnash-libgnashplugin communication lacks proper escape mechanism
Date:	Thu, 30 Mar 2017 03:50:26 -0400 (EDT)
User-agent:	Mozilla/5.0 (X11; Linux i686; rv:25.8) Gecko/20151123 Firefox/31.9 PaleMoon/25.8.1

URL:
  <http://savannah.gnu.org/bugs/?50677>

                 Summary: Gnash-libgnashplugin communication lacks proper
escape mechanism
                 Project: Gnash - The GNU Flash player
            Submitted by: nachanon
            Submitted on: Thu 30 Mar 2017 02:50:25 PM ICT
                Category: plugin
                Severity: 3 - Normal
                 Release: master
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

This is a spin-off from bug #46944 (MovieClip-based FSCommand issue).

While I was writing tests for Gnash's FSCommand implementation, I noticed that
when Gnash is running as a plug-in, FSCommand call made by the SWF with string
parameter full of symbols (especially '<' and '>') will not reach JavaScript
FSCommand handler, while ones with normal string parameter will.

Upon inspection, I found that Gnash communication module *does not escape '<'
and '>' in string content of the message*
<https://git.savannah.gnu.org/cgit/gnash.git/tree/libcore/ExternalInterface.cpp?id=8a11e60585db4ed6bc4eafadfbd9b3123ced45d9#n114>.
When '<' is present, the message structure became ambiguous and causes problem
with receiver/plugin-side's parser, resulting in discarded message (thus the
missing FSCommand call).

This problem is not specific to FSCommand: generic `getURL()` instruction,
built-in plugin function like `GetVariable()`, and scripting API like
`ExternalInterface` are very likely to be affected too; though these will need
additional testing to confirm.

Current automated tests tracking this issue (in FSCommand usage) are:

* hostcmd_testrunner_v*: (1)
<https://git.savannah.gnu.org/cgit/gnash.git/tree/testsuite/misc-ming.all/hostcmd_testrunner.sh?id=8a11e60585db4ed6bc4eafadfbd9b3123ced45d9#n210>
(2)
<https://git.savannah.gnu.org/cgit/gnash.git/tree/testsuite/misc-ming.all/hostcmd_testrunner.sh?id=8a11e60585db4ed6bc4eafadfbd9b3123ced45d9#n289>
* hostcmd_htmltest_v*.html: (1)
<https://git.savannah.gnu.org/cgit/gnash.git/tree/testsuite/misc-ming.all/hostcmd_htmltest.sh?id=8a11e60585db4ed6bc4eafadfbd9b3123ced45d9#n238>
(2)
<https://git.savannah.gnu.org/cgit/gnash.git/tree/testsuite/misc-ming.all/hostcmd_htmltest.sh?id=8a11e60585db4ed6bc4eafadfbd9b3123ced45d9#n305>

Gnash: 0.8.11dev (git 8a11e60 8-Mar-2017)
Browser: Iceweasel 10.0.12 (debian)
System: Debian GNU/Linux 7.0 Wheezy i386





    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/bugs/?50677>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/

[Prev in Thread]

Current Thread

[Next in Thread]

[Gnash-commit] [bug #50677] Gnash-libgnashplugin communication lacks proper escape mechanism, Nutchanon Wetchasit <=

Prev by Date: [Gnash-commit] [bug #50623] libgnashplugin freezes when SWF calls JavaScript function with non-English string parameter
Next by Date: [Gnash-commit] [bug #46944] Gnash does not recognize "fscommand:" URI scheme in `MovieClip.getURL()`
Previous by thread: [Gnash-commit] [bug #50623] libgnashplugin freezes when SWF calls JavaScript function with non-English string parameter
Next by thread: [Gnash-commit] [bug #46944] Gnash does not recognize "fscommand:" URI scheme in `MovieClip.getURL()`
Index(es):
- Date
- Thread