    Billion Laughs

    Existing deployments of our software are using this version of SmartGWT:
    SmartClient Version: v9.0p_2014-04-23/PowerEdition Deployment (built 2014-04-23)

    What versions of SmartGWT contain the fix for the Billion Laughs vulnerability? Is there a patch to v9.0p, or is a major version update required?

    #2
    There are a lot of ways to defend against Billion Laughs, but as far as versions of SmartGWT that automatically configure the XML parser to disable features that may be vulnerable to this exploit in some parsers, that was backported only as far as 9.1. So that's a minor version update for you, although you probably want to do a major version upgrade anyway, as you are getting fairly far behind on browser support (3.5 years for 9.0).



      #3
      Thank you for the candid response.



        #4
        We have backported the fix for this problem to 9.0. Please try the next nightly build, dated Feb 11 or above.

        Regards
        Isomorphic Software



          #5
          I'm not seeing any builds newer than 2016-07-21. Where can I find it?



            #6
            Looks like there was an issue with automated build generation for the 9.0 release. This is fixed now and a new build is available dated today (March 10) in the usual place: http://www.smartclient.com/builds.



              #7
              Thank you! I have been able to download it.



                #8
                In doing regression testing with this build -- SmartClient Version: v9.0p_2017-03-10/PowerEdition Deployment (built 2017-03-10) -- I have run into an issue with SelectItems that allow multi-value selection and require a value. The validation on multi-select items always returns 'false' indicating that the control fails validation. It indicates the error as 'Field is required', even though items have been selected.

                Here is sample code:

                Code:
                import java.util.LinkedHashMap;
                
                import com.smartgwt.client.util.SC;
                import com.smartgwt.client.widgets.Canvas;
                import com.smartgwt.client.widgets.IButton;
                import com.smartgwt.client.widgets.events.ClickEvent;
                import com.smartgwt.client.widgets.events.ClickHandler;
                import com.smartgwt.client.widgets.form.DynamicForm;
                import com.smartgwt.client.widgets.form.fields.SelectItem;
                import com.smartgwt.client.widgets.layout.HLayout;
                import com.smartgwt.client.widgets.layout.VLayout;
                import com.smartgwt.sample.showcase.client.PanelFactory;
                import com.smartgwt.sample.showcase.client.ShowcasePanel;
                
                public class MultiSelectItemSupport extends ShowcasePanel {
                
                    private static final String DESCRIPTION = "<p>Test of multi-select item.</p>";
                
                    public static class Factory implements PanelFactory {
                        private String id;
                
                        public ShowcasePanel create() {
                            MultiSelectItemSupport panel = new MultiSelectItemSupport();
                            id = panel.getID();
                            return panel;
                        }
                
                        public String getID() {
                            return id;
                        }
                
                        public String getDescription() {
                            return DESCRIPTION;
                        }
                    }
                
                    public Canvas getViewPanel() {
                
                        final SelectItem selectItem = new SelectItem("format", "SelectItem");
                        final SelectItem multiSelectItem = new SelectItem("multiselectformat", "MultiSelectItem");
                        
                        final LinkedHashMap<String, String> formatValueMap = new LinkedHashMap<String, String>();
                        formatValueMap.put("png", "PNG");
                        formatValueMap.put("jpeg", "JPEG");
                        selectItem.setValueMap(formatValueMap);
                        selectItem.setRequired(true);
                        
                        multiSelectItem.setValueMap(formatValueMap);
                        multiSelectItem.setRequired(true);
                        multiSelectItem.setMultiple(true);
                        
                        DynamicForm selectItemForm = new DynamicForm();
                        selectItemForm.setItems(selectItem, multiSelectItem);
                        
                        HLayout hLayout = new HLayout(10);
                        hLayout.setMembers(selectItemForm);
                
                        VLayout layout = new VLayout(10);
                
                        final IButton button = new IButton("Validate", new ClickHandler() {
                            @Override
                            public void onClick(ClickEvent event) {
                              
                                if ( selectItem.validate() ) {
                                    SC.say("Select Item Validated Successfully");
                                } else {
                                    SC.say("Select Item Failed to Validate");
                                }
                                
                                if ( multiSelectItem.validate() ) {
                                    SC.say("MultiSelect Item Validated Successfully");
                                } else {
                                    SC.say("MultiSelect Item Failed to Validate");
                                }
                            }
                        });
                        layout.setMembers(hLayout, button);
                        layout.setAutoHeight();
                
                        return layout;
                    }
                
                    public String getIntro() {
                        return DESCRIPTION;
                    }
                }

                When validation is done, the MultiSelectItem always fails with "Field is required":
                [Attached image: multi-select-validation.PNG]



                  #9
                  This has been resolved in SGWT 4.0p/SC 9.0p - it wasn't broken in newer branches. The fix will be in the nightly builds dated 2017-03-16 and beyond.



                    #10
                    Thank you. I have downloaded and verified.
