From: Chris Angelico
Newsgroups: comp.lang.python
Subject: Re: Speaking of Javascript [was Re: Everything good about Python except GUI IDE?]
Date: Thu, 3 Mar 2016 04:46:48 +1100
References: <64a6599c-fae1-469d-bcee-875165b3cc7d@googlegroups.com> <56d294f8$0$1604$c3e8da3$5496439d@news.astraweb.com> <234a398e-1b0f-467b-a8cb-d7ca748f8062@googlegroups.com> <84922f24-3e00-4a23-b26d-5e6c0d8e7e04@googlegroups.com> <87y4a5c58i.fsf@elektro.pacujo.net> <87twksdg9c.fsf@elektro.pacujo.net> <87d1rgca58.fsf@elektro.pacujo.net> <87h9grorcb.fsf@elektro.pacujo.net> <56d5c6fa$0$1595$c3e8da3$5496439d@news.astraweb.com> <56d64e83$0$1588$c3e8da3$5496439d@news.astraweb.com> <56d71d5f$0$1619$c3e8da3$5496439d@news.astraweb.com>
In-Reply-To: <56d71d5f$0$1619$c3e8da3$5496439d@news.astraweb.com>

On Thu, Mar 3, 2016 at 4:05 AM, Steven D'Aprano wrote:
> Speaking of Javascript exploits:
>
> http://thedailywtf.com/articles/bidding-on-security
>
> This is a real exploit, and Ebay have refused to fix it. Yay them!
>
> More here:
>
> http://blog.checkpoint.com/2016/02/02/ebay-platform-exposed-to-severe-vulnerability/

To be fair, this isn't a JS exploit; it's a trusting-of-trust issue - eBay
has declared that you can trust them to sanitize their sellers' listings,
and so you trust eBay, but this exploit gets past the filter. You're no
more vulnerable looking at one of those listings than you would be going
to a web site entirely controlled by the attacker, save that (particularly
on mobile devices) there are a lot of people out there who'll say "Oh,
it's eBay, I'm safe".

ChrisA