From bbc97b38fd6b9272b3958e215c3febf881149111 Mon Sep 17 00:00:00 2001 From: Daniel Rossi Date: Sat, 30 Jan 2016 17:36:01 +1100 Subject: [PATCH] - #121 fix for XSS protocoless urls breaking the local url check. Disabled wildcard security for loading crossdomain plugin code for now as same domain does not need this. --- core/README.txt | 1 + core/src/actionscript/org/flowplayer/util/URLUtil.as | 3 ++- core/src/actionscript/org/flowplayer/view/PluginLoader.as | 3 ++- lib/common/src/actionscript/org/flowplayer/util/DomainUtil.as | 3 ++- 4 files changed, 7 insertions(+), 3 deletions(-) diff --git a/core/README.txt b/core/README.txt index 693228c..c376e3d 100644 --- a/core/README.txt +++ b/core/README.txt @@ -3,6 +3,7 @@ Version history: 3.2.19-dev ------ - new top level config option 'persistVolumeLevel'. Does not store the volume level and create a 'flash cookie' if set to false. +- #121 fix for XSS protocoless urls breaking the local url check. Disabled wildcard security for loading crossdomain plugin code for now as same domain does not need this. 3.2.17 ------ diff --git a/core/src/actionscript/org/flowplayer/util/URLUtil.as b/core/src/actionscript/org/flowplayer/util/URLUtil.as index 13f7542..8291933 100644 --- a/core/src/actionscript/org/flowplayer/util/URLUtil.as +++ b/core/src/actionscript/org/flowplayer/util/URLUtil.as @@ -70,7 +70,8 @@ package org.flowplayer.util { public static function isCompleteURLWithProtocol(fileName:String):Boolean { if (! fileName) return false; - return fileName.indexOf("://") > 0; + //#121 check for any protocol string including the new protocoless urls + return fileName.indexOf("//") > 0; } diff --git a/core/src/actionscript/org/flowplayer/view/PluginLoader.as b/core/src/actionscript/org/flowplayer/view/PluginLoader.as index 7a8f901..93ca102 100644 --- a/core/src/actionscript/org/flowplayer/view/PluginLoader.as +++ b/core/src/actionscript/org/flowplayer/view/PluginLoader.as @@ -104,7 +104,8 @@ import org.flowplayer.util.URLUtil; _loadListener = loadListener; _loadErrorListener = loadErrorListener; - Security.allowDomain("*"); + //#121 disable this as it possibly causes issues with crossdomain code loading. + //Security.allowDomain("*"); _providers = new Dictionary(); _allPlugins = plugins.concat([]); diff --git a/lib/common/src/actionscript/org/flowplayer/util/DomainUtil.as b/lib/common/src/actionscript/org/flowplayer/util/DomainUtil.as index ef9e569..f608c52 100644 --- a/lib/common/src/actionscript/org/flowplayer/util/DomainUtil.as +++ b/lib/common/src/actionscript/org/flowplayer/util/DomainUtil.as @@ -100,7 +100,8 @@ public class DomainUtil { if (url.indexOf("file://") == 0) return true; if (url.indexOf("http://127.0.0.1") == 0) return true; if (url.indexOf("http://") == 0) return false; - if (url.indexOf("/") == 0) return true; + //#121 remove this check as //domain.com which is a new protocoless way to set urls bypasses this. + //if (url.indexOf("/") == 0) return true; return false; }