0

我正在使用供应商创建的电子学习课程(我们不再与之打交道),当我通过公司的安全软件(HP Fortify Scan)上传文件时,我遇到了多个错误。我已经纠正了所有错误,期望一个。错误在 dojo.js 文件中,它与未验证的url变量有关。我敢肯定这是一个简单的修复,但有人可以解释是什么让这个未经验证?我怎样才能验证这个url变量?

这是带有代码的错误消息的屏幕截图(我将行号放在注释中):

强化扫描屏幕截图

代码:

function xhr(url, options, returnDeferred){
    var response = util.parseArgs(
        url,
        util.deepCreate(defaultOptions, options),
        has('native-formdata') && options && options.data && options.data instanceof FormData
    );
    // THIS IS LINE 11540
    url = response.url; 
    options = response.options;

    var remover,
        last = function(){
            remover && remover();
        };

    //Make the Deferred object for this xhr request.
    var dfd = util.deferred(
        response,
        cancel,
        isValid,
        isReady,
        handleResponse,
        last
    );
    var _xhr = response.xhr = xhr._create();

    if(!_xhr){
        // If XHR factory somehow returns nothings,
        // cancel the deferred.
        dfd.cancel(new RequestError('XHR was not created'));
        return returnDeferred ? dfd : dfd.promise;
    }

    response.getHeader = function(headerName){
        return this.xhr.getResponseHeader(headerName);
    };

    if(addListeners){
        remover = addListeners(_xhr, dfd, response);
    }

    var data = options.data,
        async = !options.sync,
        method = options.method;

    try{
        // IE6 won't let you call apply() on the native function.
        // THIS IS LINE 11580
        _xhr.open(method, url, async, options.user || undefined, options.password || undefined);

        if(options.withCredentials){
            _xhr.withCredentials = options.withCredentials;
        }

        var headers = options.headers,
            contentType;
        if(headers){
            for(var hdr in headers){
                if(hdr.toLowerCase() === 'content-type'){
                    contentType = headers[hdr];
                }else if(headers[hdr]){
                    //Only add header if it has a value. This allows for instance, skipping
                    //insertion of X-Requested-With by specifying empty value.
                    _xhr.setRequestHeader(hdr, headers[hdr]);
                }
            }
        }

        if(contentType && contentType !== false){
            _xhr.setRequestHeader('Content-Type', contentType);
        }
        if(!headers || !('X-Requested-With' in headers)){
            _xhr.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
        }

        if(util.notify){
            util.notify.emit('send', response, dfd.promise.cancel);
        }
        _xhr.send(data);
    }catch(e){
        dfd.reject(e);
    }

    watch(dfd);
    _xhr = null;

    return returnDeferred ? dfd : dfd.promise;
}

提前致谢,

麦克风

4

1 回答 1

0

我想说这不一定是错误,只是 HP Fortify Scan 指出了 dojo/request/xhr.js 中的一段代码,可能需要您注意,以防您的服务器代码没有准备好这样的攻击...您可以在调用 xhr() 的应用程序(可能在您的商店中)的更高级别代码中验证 url,但不确定这是否会满足 HP Fortify。

于 2015-01-12T01:07:07.893 回答