Title: [206277] trunk
Revision: 206277
Author: dba...@webkit.org
Date: 2016-09-22 14:34:12 -0700 (Thu, 22 Sep 2016)

Log Message

[XSS Auditor] HTML5 entities can bypass XSS Auditor
https://bugs.webkit.org/show_bug.cgi?id=161939
<rdar://problem/25819815>

Reviewed by David Kilzer.

Source/WebCore:

Merged from Blink:
<https://chromium.googlesource.com/chromium/src/+/04e44060dccee711842d08652bf1c622a0f43179>

Truncate a src-like URL at the first & character as it may mark the start of an HTML entity.
We will evaluate the effectiveness of this approach and adjust it if necessary if we see an
increase in false positives.

HTML5 defines more named character references, including named character references for common
punctuation characters. Characters following some punctuation characters may come from the page
itself. We truncate src-like strings at punctuation characters to avoid considering such page
content when performing a match.

Test: http/tests/security/xssAuditor/script-tag-with-source-data-url5.html

* html/parser/XSSAuditor.cpp:
(WebCore::truncateForSrcLikeAttribute):

LayoutTests:

* http/tests/security/xssAuditor/script-tag-with-source-data-url5-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-with-source-data-url5.html: Added.
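The truncation rule the log message describes, reimplemented as an added example (not WebKit's own XSSAuditor code) so the effect of stopping at `&` can be seen on the new test's input. The stop characters follow the comment in the XSSAuditor.cpp hunk; the `'` and `"` stops are assumed from that comment because the hunk is cut off on this page, and the sample page/request strings are constructed. The example assumes the snippet reaches truncation with `&comma;` still undecoded, which is the bypass the log message targets.

```cpp
#include <iostream>
#include <string>

// Truncate a src-like attribute value at: the first '&', the first '#' or '?',
// the third '/' or '\', or the first '/', '<', '\'' or '"' once a comma was seen.
// stopAtAmpersand = false reproduces the pre-r206277 behaviour for comparison.
std::string truncateForSrcLikeAttribute(const std::string& decodedSnippet,
                                        bool stopAtAmpersand = true)
{
    int slashCount = 0;
    bool commaSeen = false;
    for (size_t i = 0; i < decodedSnippet.size(); ++i) {
        char c = decodedSnippet[i];
        if ((stopAtAmpersand && c == '&')
            || c == '?'
            || c == '#'
            || ((c == '/' || c == '\\') && (commaSeen || ++slashCount > 2))
            || (c == '<' && commaSeen)
            || (c == '\'' && commaSeen)   // assumed: hunk is cut off after '<'
            || (c == '"' && commaSeen))   // assumed: per the comment text
            return decodedSnippet.substr(0, i);
        if (c == ',')
            commaSeen = true;
    }
    return decodedSnippet;
}

// The auditor blocks the script when the truncated page snippet is found
// verbatim in the decoded request (simplified stand-in for the real match).
bool isContainedInRequest(const std::string& decodedRequest, const std::string& snippet)
{
    return !snippet.empty() && decodedRequest.find(snippet) != std::string::npos;
}

int main()
{
    // Constructed sample: request parameter as decoded from the expected.txt URL,
    // and the raw page source of the reflected src attribute plus trailing markup.
    const std::string request = "\"><script src=data:&comma;alert(1);\"";
    const std::string pageSnippet = "data:&comma;alert(1);\"></script><p>page text</p>";

    std::string oldSnippet = truncateForSrcLikeAttribute(pageSnippet, false);
    std::string newSnippet = truncateForSrcLikeAttribute(pageSnippet, true);
    std::cout << "before fix: '" << oldSnippet << "' blocked="
              << isContainedInRequest(request, oldSnippet) << "\n";
    std::cout << "after fix:  '" << newSnippet << "' blocked="
              << isContainedInRequest(request, newSnippet) << "\n";
    return 0;
}
```

Without the `&` stop the snippet runs into page markup that the request never contained, so the match fails and the injected script runs; with it, the snippet collapses to `data:` and is matched.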

Diff

Modified: trunk/LayoutTests/ChangeLog (206276 => 206277)


--- trunk/LayoutTests/ChangeLog	2016-09-22 21:33:20 UTC (rev 206276)
+++ trunk/LayoutTests/ChangeLog	2016-09-22 21:34:12 UTC (rev 206277)
@@ -1,5 +1,16 @@
 2016-09-22  Daniel Bates  <daba...@apple.com>
 
+        [XSS Auditor] HTML5 entities can bypass XSS Auditor
+        https://bugs.webkit.org/show_bug.cgi?id=161939
+        <rdar://problem/25819815>
+
+        Reviewed by David Kilzer.
+
+        * http/tests/security/xssAuditor/script-tag-with-source-data-url5-expected.txt: Added.
+        * http/tests/security/xssAuditor/script-tag-with-source-data-url5.html: Added.
+
+2016-09-22  Daniel Bates  <daba...@apple.com>
+
         [XSS Auditor] Truncate data URLs at quotes
         https://bugs.webkit.org/show_bug.cgi?id=161937
 

Added: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url5-expected.txt (0 => 206277)


--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url5-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url5-expected.txt	2016-09-22 21:34:12 UTC (rev 206277)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%3E%3Cscript%20src%3ddata:%26comma%3balert(1)%3b%22' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+
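Review bot: the expected output hard-codes the complete console message, including "line 3" and the "because the server did not send an 'X-XSS-Protection' header" suffix, so any rewording of the auditor's message or a shift of the script line in echo-property.pl's output will make this test fail for reasons unrelated to the entity fix; consider whether the existing script-tag-with-source-data-url tests share this exact wording so they can be updated together.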

Added: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url5.html (0 => 206277)


--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url5.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url5.html	2016-09-22 21:34:12 UTC (rev 206277)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+  testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="" src%3ddata:%26comma%3balert(1)%3b%22">
+</iframe>
+</body>
+</html>
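Review bot: the iframe line is malformed as shown here: `<iframe src="" src%3ddata:%26comma%3balert(1)%3b%22">` has an empty `src` followed by a second attribute whose name begins with `src%3ddata`, so the frame would load nothing and never reach echo-property.pl; the URL prefix `http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%3E%3Cscript%20` that appears in the expected.txt console message is missing from the attribute value, which suggests it was lost in the mailing-list rendering rather than in the checked-in file, but please confirm the committed test carries the full URL.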

Modified: trunk/Source/WebCore/ChangeLog (206276 => 206277)


--- trunk/Source/WebCore/ChangeLog	2016-09-22 21:33:20 UTC (rev 206276)
+++ trunk/Source/WebCore/ChangeLog	2016-09-22 21:34:12 UTC (rev 206277)
@@ -1,5 +1,30 @@
 2016-09-22  Daniel Bates  <daba...@apple.com>
 
+        [XSS Auditor] HTML5 entities can bypass XSS Auditor
+        https://bugs.webkit.org/show_bug.cgi?id=161939
+        <rdar://problem/25819815>
+
+        Reviewed by David Kilzer.
+
+        Merged from Blink:
+        <https://chromium.googlesource.com/chromium/src/+/04e44060dccee711842d08652bf1c622a0f43179>
+
+        Truncate a src-like URL at the first & character as it may mark the start of an HTML entity.
+        We will evaluate the effectiveness of this approach and adjust it if necessary if we see an
+        increase in false positives.
+
+        HTML5 defines more named character references, including named character references for common
+        punctuation characters. Characters following some punctuation characters may come from the page
+        itself. We truncate src-like strings at punctuation characters to avoid considering such page
+        content when performing a match.
+
+        Test: http/tests/security/xssAuditor/script-tag-with-source-data-url5.html
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::truncateForSrcLikeAttribute):
+
+2016-09-22  Daniel Bates  <daba...@apple.com>
+
         [XSS Auditor] Truncate data URLs at quotes
         https://bugs.webkit.org/show_bug.cgi?id=161937
 

Modified: trunk/Source/WebCore/html/parser/XSSAuditor.cpp (206276 => 206277)


--- trunk/Source/WebCore/html/parser/XSSAuditor.cpp	2016-09-22 21:33:20 UTC (rev 206276)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.cpp	2016-09-22 21:34:12 UTC (rev 206277)
@@ -182,8 +182,10 @@
     // the first comma, and the first /*, //, or <!-- may introduce a comment. Also
     // data URLs may use the same string literal tricks as with script content itself.
     // In either case, content following this may come from the page and may be ignored
-    // when the script is executed.
-    // For simplicity, we don't differentiate based on URL scheme, and stop at
+    // when the script is executed. Also, any of these characters may now be represented
+    // by the (enlarged) set of HTML5 entities.
+    // For simplicity, we don't differentiate based on URL scheme, and stop at the first
+    // & (since it might be part of an entity for any of the subsequent punctuation)
     // the first # or ?, the third slash, or the first slash, <, ', or " once a comma
     // is seen.
     int slashCount = 0;
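Review bot: the updated comment runs the new clause straight into the old list without a separator: "stop at the first & (since it might be part of an entity for any of the subsequent punctuation) the first # or ?, the third slash, ..." should read "stop at the first & (...), the first # or ?, the third slash, ..." so the enumeration parses; also "may now be represented" dates the comment to this change, so "may be represented by the (enlarged) set of HTML5 entities" is clearer for future readers.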
@@ -190,7 +192,8 @@
     bool commaSeen = false;
     for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++currentLength) {
         UChar currentChar = decodedSnippet[currentLength];
-        if (currentChar == '?'
+        if (currentChar == '&'
+            || currentChar == '?'
             || currentChar == '#'
             || ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++slashCount > 2))
             || (currentChar == '<' && commaSeen)
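Review bot: the `&` stop is unconditional, unlike the `<`, `'` and `"` stops that only apply once a comma has been seen, so a benign reflected src containing an ampersand before any `?` or `#` is now compared on just the prefix up to that `&`, which can be very short (the new test's snippet reduces to `data:`); it would be worth a comment on the `'&'` line stating the entity rationale and what minimum snippet length the downstream request match still requires, since the ChangeLog's false-positive concern depends on it. The hunk is cut off after the `<` clause on this page, so the remaining `'` and `"` conditions could not be reviewed here.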