vimperator 1.1 with security fix

4 files changed, 15 insertions, 4 deletions

diff --git a/Makefile b/Makefile
index f17bd9d1..55c304a3 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 #### configuration
 
-VERSION       = 1.1pre
+VERSION       = 1.1
 NAME          = vimperator
 
 include Makefile.common
diff --git a/NEWS b/NEWS
index 845fdc39..bd3c76a8 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 <pre>
 2008-05-14:
     * version 1.1
+    * IMPORTANT: security update for suggest engines
     * try to add .exe automatically to filenames on windows, so :set editor=gvim -f
       will automatically invoke gvim.exe (if it's in the path). Thanks to
       Guido Van Hoecke
diff --git a/TODO b/TODO
index ef4a0b3f..7c512805 100644
--- a/TODO
+++ b/TODO
@@ -19,7 +19,6 @@ FEATURES:
 8 middleclick in content == p, and if command line is open, paste there the clipboard buffer
 8 add more autocommands (BrowserStart, TabClose, TabOpen, TabChanged, LocationChanged, any more?)
 8 ;?<hint> should show more information
-8 there should be a listbox/combobox mode
 8 all search commands should start searching from the top of the visible viewport 
 8 :bdelete full_url<cr> and :bdelete! filter<cr> should delete all tabs matching filter or full_url
 7 adaptive learning for tab-completions
@@ -34,6 +33,8 @@ FEATURES:
   google to another page and click 10 links there, [d would take me back to the google page
   opera's fast forward does something like this
 7 make an option to disable session saving by default when you close Firefox
+6 :set [no]focuscontent
+6 :set! browser.zoom.siteSpecific  by default?
 6 jump to the next heading with ]h, next image ]i, previous textbox [t and so on
 6 :grep support (needs location list)
 6 use '' to jump between marks like vim
diff --git a/content/completion.js b/content/completion.js
index 48bcd831..2e55c333 100644
--- a/content/completion.js
+++ b/content/completion.js
@@ -35,6 +35,9 @@ liberator.Completion = function () //{{{
     // the completion substrings, used for showing the longest common match
     var substrings = [];
 
+    // import JSON module, needed for secure JSON parsing
+    Components.utils.import("resource://gre/modules/JSON.jsm");
+
     // function uses smartcase
     // list = [ [['com1', 'com2'], 'text'], [['com3', 'com4'], 'text'] ]
     function buildLongestCommonSubstring(list, filter)
@@ -207,13 +210,19 @@ liberator.Completion = function () //{{{
             	var xhr = new XMLHttpRequest();
             	xhr.open("GET", queryURI, false);
             	xhr.send(null);
-            	var results = window.eval(xhr.responseText)[1];
+                var results = JSON.fromString(xhr.responseText)[1];
                 if (!results)
                     return;
 
             	results.forEach(function (item)
             	{
-            	    completions.push([(matches ? matches[1] : "") + item, name + " suggestion"]);
+                    // make sure we receive strings, otherwise a man-in-the-middle attack
+                    // could return objects which toString() method could be called to
+                    // execute untrusted code
+                    if(typeof(item) != "string")
+                        return;
+
+            	    completions.push([(matches ? matches[1] : "") + item, engine.name + " suggestion"]);
             	});
         	});