fix two vulnerabilities (#5094, #5095)

emweb · Jul 13, 2016 · 884dff4 · 884dff4
1 parent 4276333
commit 884dff4
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 4 deletions.
diff --git a/src/eu/webtoolkit/jwt/WebRenderer.java b/src/eu/webtoolkit/jwt/WebRenderer.java
@@ -32,6 +32,7 @@ public WebRenderer(final WebSession session) {
 		this.pageId_ = 0;
 		this.expectedAckId_ = 0;
 		this.scriptId_ = 0;
+		this.ackErrs_ = 0;
 		this.linkedCssCount_ = -1;
 		this.solution_ = "";
 		this.currentStatelessSlotIsActuallyStateless_ = true;
@@ -267,12 +268,14 @@ public boolean ackUpdate(int updateId) {
 					"jsSynced(false) after ackUpdate okay").toString());
 			this.setJSSynced(false);
 			++this.expectedAckId_;
+			this.ackErrs_ = 0;
 			return true;
 		} else {
 			if (updateId < this.expectedAckId_
 					&& this.expectedAckId_ - updateId < 5
 					|| this.expectedAckId_ - 5 < updateId) {
-				return true;
+				++this.ackErrs_;
+				return this.ackErrs_ < 3;
 			} else {
 				return false;
 			}
@@ -393,6 +396,7 @@ public CookieValue(final String v, final String p, final String d,
 	private int pageId_;
 	private int expectedAckId_;
 	private int scriptId_;
+	private int ackErrs_;
 	private int linkedCssCount_;
 	private String solution_;
 	private boolean currentStatelessSlotIsActuallyStateless_;
@@ -505,6 +509,7 @@ private void serveMainscript(final WebResponse response) throws IOException {
 			}
 		} else {
 			this.expectedAckId_ = this.scriptId_ = MathUtils.randomInt();
+			this.ackErrs_ = 0;
 		}
 		WApplication app = this.session_.getApp();
 		final boolean innerHtml = true;
@@ -1376,6 +1381,7 @@ private void streamBootContent(final WebResponse response,
 						WebSession.BootstrapOption.ClearInternalPath)));
 		bootJs.setVar("SESSION_ID", this.session_.getSessionId());
 		this.expectedAckId_ = this.scriptId_ = MathUtils.randomInt();
+		this.ackErrs_ = 0;
 		bootJs.setVar("SCRIPT_ID", this.scriptId_);
 		bootJs.setVar("RANDOMSEED", MathUtils.randomInt());
 		bootJs.setVar("RELOAD_IS_NEWSESSION", conf.reloadIsNewSession());
@@ -1386,7 +1392,7 @@ private void streamBootContent(final WebResponse response,
 				.safeJsStringLiteral(this.session_.ajaxCanonicalUrl(response)));
 		bootJs.setVar("APP_CLASS", "Wt");
 		bootJs.setVar("PATH_INFO",
-				WWebWidget.jsStringLiteral(this.session_.pagePathInfo_));
+				this.safeJsStringLiteral(this.session_.pagePathInfo_));
 		bootJs.setCondition("COOKIE_CHECKS", conf.isCookieChecks());
 		bootJs.setCondition("SPLIT_SCRIPT", conf.splitScript());
 		bootJs.setCondition("HYBRID", hybrid);

diff --git a/src/eu/webtoolkit/jwt/render/Css21Lexer.java b/src/eu/webtoolkit/jwt/render/Css21Lexer.java
@@ -1,4 +1,4 @@
-// $ANTLR 3.5.2 src/eu/webtoolkit/jwt/render/Css21.g 2016-07-13 13:01:54
+// $ANTLR 3.5.2 src/eu/webtoolkit/jwt/render/Css21.g 2016-07-13 14:32:10
 package eu.webtoolkit.jwt.render;
 
 import org.antlr.runtime.*;

diff --git a/src/eu/webtoolkit/jwt/render/Css21Parser.java b/src/eu/webtoolkit/jwt/render/Css21Parser.java
@@ -1,4 +1,4 @@
-// $ANTLR 3.5.2 src/eu/webtoolkit/jwt/render/Css21.g 2016-07-13 13:01:54
+// $ANTLR 3.5.2 src/eu/webtoolkit/jwt/render/Css21.g 2016-07-13 14:32:09
 package eu.webtoolkit.jwt.render;
 
 import org.antlr.runtime.*;