Java 0-day exploit question

Ask for help about NoScript, no registration needed to post
HamptonHawes01

Re: Java 0-day exploit question

Post by HamptonHawes01 »

I'm the original poster.

For months I've been allowing sites each time by clicking the noscript icon.

Today I tried to create a per site regex.

God, do I hate regex. After much gnashing of teeth - I came up with this:

Code: Select all

application/x-java\b[\w-]*@https?://([\w\.]+)?\b(example\.com|chessgames\.com|yahoo\.com|yahoo\.net)/* application/x-silverlight@https?://([\w\.]+)?\b(example\.com|microsoft\.com)/*
I'm amazed that it actually seems to work. Well, it seems to be working correctly.

My goal is to set up something that works per domain, is easy to "read" and to edit

If it's designed correctly - it should allow an entire domain to run java or silverlight.

In other words - right now it's set up...

for java - example.com, chessgames.com, yahoo.com (yahoo.net is in there just in case)

for silverlight - example.com, microsoft.com

I tested the java regex on chessgames.com and at games.yahoo.com and it worked.

I can't test the silverlight regex right now because I don't have it installed (yet).
Mozilla/5.0 (Windows NT 6.0; rv:17.0) Gecko/17.0 Firefox/17.0
HamptonHawes03

Re: Java 0-day exploit question

Post by HamptonHawes03 »

This forum didn't like the end of my post. In fact - I had to edit this post over and over to be able to get it to work.

---

Questions

= Is my regex designed correctly?

= At games.yahoo.com the tab was sometimes empty before today. I think the problem was do to ads getting blocked. Now that I have a regex - If a site named annoying.com wants to run an ad - will my regex allow it? I actually want the answer to be "Yes." That way annoying.com can do its thing and noscript (or a[d]block) will stop me from seeing the annoyance anyway.
Mozilla/5.0 (Windows NT 6.0; rv:17.0) Gecko/17.0 Firefox/17.0
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Java 0-day exploit question

Post by Thrawn »

HamptonHawes01 wrote:

Code: Select all

application/x-java\b[\w-]*@https?://([\w\.]+)?\b(example\.com|chessgames\.com|yahoo\.com|yahoo\.net)/* application/x-silverlight@https?://([\w\.]+)?\b(example\.com|microsoft\.com)/*
I'm amazed that it actually seems to work. Well, it seems to be working correctly.
Bravo! You get an A+ for effort!

I can see some ways to simplify it - like replacing ([]?)+ with []*, using only a single protocol (can you use just https, or is http necessary?), and there's no need to escape dots inside square brackets - but you've done an impressive job.

Also, I don't think that the trailing slash is necessary - I think allowedMimeRegExp just works with hostnames - but if it is, then /* is wrong; it means 'zero or more slashes'. Maybe you meant /.* (slash followed by zero or more arbitrary characters)?
My goal is to set up something that works per domain, is easy to "read" and to edit
Well, regex was not designed for its aesthetics...but you could separate out the various domains (chessgames.com, yahoo.com, etc) into separate rules, which might make it more readable, at the cost of having more duplication.
I tested the java regex on chessgames.com and at games.yahoo.com and it worked.

I can't test the silverlight regex right now because I don't have it installed (yet).
Fair enough. Are you sure that you'll want Silverlight? I don't have it installed, and never plan to.
HamptonHawes03 wrote:This forum didn't like the end of my post. In fact - I had to edit this post over and over to be able to get it to work.
Yeah, that happens a lot here, because the spam filter doesn't like links, and of course legitimate posts on this forum are full of links.

If you really need to post something, just send it to a moderator via private message, and we can post it for you (we don't get filtered).
Is my regex designed correctly?
It looks pretty good, especially for someone who hates regex.
At games.yahoo.com the tab was sometimes empty before today. I think the problem was do to ads getting blocked. Now that I have a regex - If a site named annoying.com wants to run an ad - will my regex allow it? I actually want the answer to be "Yes." That way annoying.com can do its thing and noscript (or a[d]block) will stop me from seeing the annoyance anyway.
Actually, if it were to be allowed, then NoScript would not block it - but yes, Adblock/ABP might.

But if the ad is coming from a third-party site, then the answer is "no". In my experience, though, things often still work.

OK, here's my attempt at a (slight) improvement on your regex:

Code: Select all

application/x-java\b[\w-]*@https?://[\w.]*\b(((example)|(chessgames)|(yahoo))\.com)|(yahoo\.net)/.* application/x-silverlight@https?://[\w.]*\b((example)|(microsoft)\.com)/.*
Note that I've put brackets around words when separated by |, because otherwise the | would apply only to single characters.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Linux i686; rv:15.2) Gecko/20121127 PaleMoon/15.2.1
User avatar
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: Java 0-day exploit question

Post by Thrawn »

In case you ever want to include non-alphanumeric URL characters - like hyphens and underscores - I would also change \b[\w-]* to (-\w+)* and [\w.]*\b to (\w+\.)*. That way, you could easily change it to, eg, ([\w_-]+\.)*, and it would work properly. [\w._-]*\b would allow eg 'www_chessgames.com', which is actually a completely different site to chessgames.com.

This would result in:

Code: Select all

application/x-java(-\w+)*@https?://(\w+\.)*(((example)|(chessgames)|(yahoo))\.com)|(yahoo\.net)/.* application/x-silverlight@https?://(\w+\.)*((example)|(microsoft)\.com)/.*
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:17.0) Gecko/17.0 Firefox/17.0
Post Reply