Rewriting of local variable 'location' can incorrectly introduce a redirect #684
Comments
|
Thanks for sharing this. Yeah, this is a tricky edge case, luckily not something that happens very often. The Eg. The best workaround I've found is to pass the |
…object is in the arguments array and skip to avoid some false positive location assignments. partial fix for webrecorder/pywb#684
…to allow skipping assignment for local 'location's, partial fix to #684
…loc() if no arguments, part of fix for #684
* location assignment check: when assigning to location, check if same object is in the arguments array and skip to avoid some false positive location assignments, partial fix for webrecorder/pywb#684 * test: add overrides test to ensure local assign via __WB_check_loc() does not trigger redirect * bump to 3.3.5
…cation that is a local var, supported via wombat 3.3.5 - add 'let arguments;' to top-level override if used in top-level scope. partial fix related to issue in webrecorder/pywb#684
* refactor request parsing and post-to-get conversion into separate ArchiveRequest object * loading improvements: - blockloaders: httploader: support retrying fetch if 429 received, up-to 20 retries, with 2sec increased backoff for each retry - web worker loading fix: various fixes to ensure loading in separate web worker (as opposed to the main service worker) is still working. - warcloader progress update: send update on total number of records loaded, support extra message from progress update - dependency: update to warcio 1.5.0, faster WARC parsing * rewrite fix: pass 'arguments' to __WB_check_loc() to guard against location that is a local var - add 'let arguments;' to top-level override if used in top-level scope. partial fix related to issue in webrecorder/pywb#684 - dependency: update to wombat 3.3.5 * proxy origin mode support: if service worker query param 'proxyOriginMode' and root collection are set, the service worker operates in proxy mode on a single origin, without rewriting and loading from root collection. Relative URLs on current origin are rewritten to absolute urls using the 'extraConfig.proxyOrigin' setting, which must be provided for the root collection. Allows hosting a web archive on an existing URL (experimental) * bump to 2.10.0-beta.0
- use dedicated web worker for loading, remove when done - update to warcio 1.5.0 for faster loading of large WARCs - show WARC records loading for better progress update * fidelity: fix potentially invalid location redirect via wombat 3.3.5 (see: webrecorder/pywb#684) * dependencies: wabac.js 2.10.0-beta.0 (includes warcio 1.5.0, wombat 3.3.5) * bump to 1.5.6, update CHANGES
* template/custom env var fix: - ensure pywb.host_prefix, pywb.app_prefix and pywb.static_prefix set for all requests via prepare_env() - ensure X-Forwarded-Proto is accounted for in pywb.host_prefix - call prepare_env() in handle_request(), and also in rewriterapp (in case using a different front-end app). * update wombat to 3.3.6 (includes partial fix for #684) * bump version to 2.6.3
location rewrite: pass 'arguments' to rewrite func to guard against rewriting local 'location' in some cicrumstances, partial fix for #684 ci: add automated docker push on new v-* tag
CHANGES: update changes for 2.6.3 location rewrite: pass 'arguments' to rewrite func to guard against rewriting local 'location' in some circumstances, partial fix for #684 ci: add automated docker push on new v-* tag
|
This is now fixed in 2.6.3, as well as changes in wombat and also in wabac.js This way, that function can check if the location variable is a passed in argument, and in that case, no navigation happens. This is consistent with assigning to a local variable above. Of course, this only works if the location is in the immediate function, but not if it is not part of a parent closure... This can be tested with loading |
- use dedicated web worker for loading, remove when done - update to warcio 1.5.0 for faster loading of large WARCs - show WARC records loading for better progress update * fidelity: fix potentially invalid location redirect via wombat 3.3.5 (see: webrecorder/pywb#684) * dependencies: wabac.js 2.10.0-beta.0 (includes warcio 1.5.0, wombat 3.3.5) * bump to 1.5.6, update CHANGES
Expected behavior
Replaying https://anzac100.initiatives.qld.gov.au/legacy-projects/bcc/index.aspx should not redirect to https://anzac100.initiatives.qld.gov.au/.
What actually happened
The script at https://anzac100.initiatives.qld.gov.au/assets/v3/script/qgov-environment.js contains the following code (reformatted for readability):
Note that while the location parameter is a reference to window.location, the
location =assignment to it is not a redirect, it just changes the value of the local variable.Pywb however rewrites the location assignment line to this double assignment in which the .href assignment triggers a redirect to the base hostname:
We've worked around this by blocking access to the script in question as it's not needed for the site to function (it's just for analytics). I'm reporting this not because I expect we can fix it but as another interesting example we ran into in the wild that looks like it would be hard to rewrite correctly without a full JavaScript parser that can work out that 'location =' in this context is a local assignment.
Browser
The text was updated successfully, but these errors were encountered: