If you have Dojo 0.4 through Dojo 1.4 installed on your site, you are strongly encouraged to read all of this message and take immediate action.
We recently had a security review done on the Dojo codebase, and some issues were discovered. Most of the issues were in test files or related PHP files, but there were some issues discovered with a few files used by modules. You are strongly encouraged to remove some files immediately to give yourself the best protection. While we are not aware of any specific exploits, we take security issues very seriously and we encourage you to take quick preventative action.
Some of the files listed below may not be in your version or build of Dojo. These instructions are listed to be comprehensive across all the Dojo versions.
- If you use Dojo from the AOL or Google CDN, the issue is already fixed.
- If you have PHP enabled on your site, turn off PHP for the directories that contain dojo/dijit/dojox. Dojo only used PHP files in some tests and demos, but PHP is not required to use Dojo.
- Remove the following files:
- util/doh/runner.html – a file used for tests, should not affect production/deployed code.
- dojo/resources/iframe_history.html – in 0.4 it is just iframe_history.html in the dojo directory. This file is used by dojo.back. In Dojo 0.4, it was used by dojo.undo.browser and dojo.io.IframeIO.
- dojox/av/resources/video.swf – used by dojox.av.FLVideo
- dojox/av/resources/audio.swf – used by dojox.av.FLAudio
If you use one of the modules listed above, instead of deleting the files you can do one of the following:
- Get an updated release with the security fixes.
- Pull the specific files from one of the updated builds.
If you do your own custom builds, you are encouraged to also get an updated release or pull the correct files, both options listed below.
New releases of the 0.4, 1.0, 1.1, 1.2, 1.3 and 1.4 branches have been done that contain all the security fixes. These builds only have the security fixes applied, and have some new defaults for some build commands.
Here are the updated builds:
To avoid accidentally copying files test files during custom builds, the build option “copyTests” now defaults to false, and “mini” defaults to true. The “mini” option removes the demos directories and now removes all PHP files regardless of location. With these new defaults, it should reduce the attack surface for the future. If you need the tests or demos in your builds, then pass “copyTests=true mini=false” as part of the build command.
Pull Specific Files
If you have your own custom, modified Dojo source and cannot update to the new builds, you can go to the directories listed in the “Updated Builds” section and grab the files you need from the version that most closely matches your version and just copy them over to your distribution.
Some branches do not have all of these files, just replace the files that exist in your distribution:
In addition to grabbing the files listed above, be sure to delete any .php files in the dojo/dijit/dojox directories, if PHP is enabled on your server.
Description of Issues
The main issues that are being fixed in this update:
- Some PHP files did not properly escape input.
- Some files could operate like “open redirects”. An bad actor could form an URL that looks like it came from a trusted site, but the user would be redirected or load content from the bad actor’s site.
- A file exposed a more serious cross-site scripting vulnerability with the possibility of executing code on the domain where the file exists.
- The Dojo build process defaulted to copying over tests and demos, which are normally not needed and just increased the number of files that could be targets of attacks.
Actions to Prevent Further Issues
We take security issues very seriously. We are fortunate that the issues above were brought to us via a security review by community members, and we have addressed the issues as quickly as we can but at the same time making sure we have comprehensive, safe fixes.
We changed the build defaults so that the area with the most issues, tests and demos, are not copied automatically in builds, reducing the surface of attack.
The non-test-related issues were in a very old file that did not get enough attention, or in newer flash modules. We do not expect to have the same issues again for those kinds of files now that we know better how to review them.
However, security requires continued vigilance. To that end we have set up new dojo-sec mailing list to handle any further security-related inquires, see next section.
Please take immediate action to make sure your site does not contain one of the files listed in the “Quick Actions” section. In most cases the files can just be safely removed, since the modules affected are usually not heavily used. However, there are new builds of all the branches with the security fixes that can be used.
If you have any questions, please feel free to ask our community
If the concern is something you want to keep private, you can contact our newly created security list: dojo-sec at mail dot dojotoolkit dot org.