Dojo Security Advisory

If you have Dojo 0.4 through Dojo 1.4 installed on your site, you are strongly encouraged to read all of this message and take immediate action.

We recently had a security review done on the Dojo codebase, and some issues were discovered. Most of the issues were in test files or related PHP files, but there were some issues discovered with a few files used by modules. You are strongly encouraged to remove some files immediately to give yourself the best protection. While we are not aware of any specific exploits, we take security issues very seriously and we encourage you to take quick preventative action.

Quick instructions

Some of the files listed below may not be in your version or build of Dojo. These instructions are listed to be comprehensive across all the Dojo versions.

  1. If you use Dojo from the AOL or Google CDN, the issue is already fixed.
  2. If you have PHP enabled on your site, turn off PHP for the directories that contain dojo/dijit/dojox. Dojo only used PHP files in some tests and demos, but PHP is not required to use Dojo.
  3. Remove the following files:
  • util/doh/runner.html – a file used for tests, should not affect production/deployed code.
  • dojo/resources/iframe_history.html – in 0.4 it is just iframe_history.html in the dojo directory. This file is used by dojo.back. In Dojo 0.4, it was used by dojo.undo.browser and dojo.io.IframeIO.
  • dojox/av/resources/video.swf – used by dojox.av.FLVideo
  • dojox/av/resources/audio.swf – used by dojox.av.FLAudio

If you use one of the modules listed above, instead of deleting the files you can do one of the following:

  1. Get an updated release with the security fixes.
  2. Pull the specific files from one of the updated builds.

If you do your own custom builds, you are encouraged to also get an updated release or pull the correct files, both options listed below.

Updated Releases

New releases of the 0.4, 1.0, 1.1, 1.2, 1.3 and 1.4 branches have been done that contain all the security fixes. These builds only have the security fixes applied, and have some new defaults for some build commands.

Here are the updated builds:

To avoid accidentally copying files test files during custom builds, the build option “copyTests” now defaults to false, and “mini” defaults to true. The “mini” option removes the demos directories and now removes all PHP files regardless of location. With these new defaults, it should reduce the attack surface for the future. If you need the tests or demos in your builds, then pass “copyTests=true mini=false” as part of the build command.

Pull Specific Files

If you have your own custom, modified Dojo source and cannot update to the new builds, you can go to the directories listed in the “Updated Builds” section and grab the files you need from the version that most closely matches your version and just copy them over to your distribution.

Some branches do not have all of these files, just replace the files that exist in your distribution:

Dojo 1.0+

  • dojo/resources/iframe_history.html
  • dojox/av/FLAudio.js
  • dojox/av/FLVideo.js
  • dojox/av/resources/audio.swf
  • dojox/av/resources/video.swf
  • util/buildscripts/jslib/build.js
  • util/buildscripts/jslib/buildUtil.js
  • util/doh/runner.html

Dojo 0.4:

  • iframe_history.html

In addition to grabbing the files listed above, be sure to delete any .php files in the dojo/dijit/dojox directories, if PHP is enabled on your server.

Description of Issues

The main issues that are being fixed in this update:

  • Some PHP files did not properly escape input.
  • Some files could operate like “open redirects”. An bad actor could form an URL that looks like it came from a trusted site, but the user would be redirected or load content from the bad actor’s site.
  • A file exposed a more serious cross-site scripting vulnerability with the possibility of executing code on the domain where the file exists.
  • The Dojo build process defaulted to copying over tests and demos, which are normally not needed and just increased the number of files that could be targets of attacks.

Actions to Prevent Further Issues

We take security issues very seriously. We are fortunate that the issues above were brought to us via a security review by community members, and we have addressed the issues as quickly as we can but at the same time making sure we have comprehensive, safe fixes.

We changed the build defaults so that the area with the most issues, tests and demos, are not copied automatically in builds, reducing the surface of attack.

The non-test-related issues were in a very old file that did not get enough attention, or in newer flash modules. We do not expect to have the same issues again for those kinds of files now that we know better how to review them.

However, security requires continued vigilance. To that end we have set up new dojo-sec mailing list to handle any further security-related inquires, see next section.

Summary

Please take immediate action to make sure your site does not contain one of the files listed in the “Quick Actions” section. In most cases the files can just be safely removed, since the modules affected are usually not heavily used. However, there are new builds of all the branches with the security fixes that can be used.

If you have any questions, please feel free to ask our community

If the concern is something you want to keep private, you can contact our newly created security list: dojo-sec at mail dot dojotoolkit dot org.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.