Title: [97036] trunk/Tools
- Revision
- 97036
- Author
- [email protected]
- Date
- 2011-10-09 19:29:02 -0700 (Sun, 09 Oct 2011)
Log Message
Remove "near miss" XSS vulnerabilities in garden-o-matic
https://bugs.webkit.org/show_bug.cgi?id=69708
Reviewed by David Levin.
Collin Jackson did a security audit of garden-o-matic. He hasn't found
any actual vulnerabilities yet, but he did identify a couple "near
misses" where a slight change in garden-o-matic could lead to a
vulnerability. This patch removes those potential issues.
* BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/Bugzilla.js:
* BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/ui.js:
Modified Paths
Diff
Modified: trunk/Tools/BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/Bugzilla.js (97035 => 97036)
--- trunk/Tools/BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/Bugzilla.js 2011-10-10 01:15:21 UTC (rev 97035)
+++ trunk/Tools/BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/Bugzilla.js 2011-10-10 02:29:02 UTC (rev 97036)
@@ -34,6 +34,19 @@
REOPENED: true,
};
+function createDetachedFragment(htmlFragment)
+{
+ // Step 1: Create a detached Document to perform the parsing.
+ var detachedDocument = document.implementation.createHTMLDocument();
+
+ // Step 2: Create a detached Element associated with the detached Document.
+ var container = detachedDocument.createElement('div');
+
+ // Step 3: Pull the trigger.
+ container.innerHTML = htmlFragment;
+ return container;
+}
+
var g_searchCache = new base.AsynchronousCache(function(query, callback) {
var url = "" + '/buglist.cgi?' + $.param({
ctype: 'rss',
@@ -44,10 +57,9 @@
net.get(url, function(responseXML) {
var entries = responseXML.getElementsByTagName('entry');
var results = Array.prototype.map.call(entries, function(entry) {
- var container = document.createElement('div');
- // FIXME: Is this an XSS risk?
- container.innerHTML = entry.getElementsByTagName('summary')[0].textContent;
- var statusRow = container.querySelector('tr.bz_feed_bug_status');
+ var htmlFragment = entry.getElementsByTagName('summary')[0].textContent;
+ var fragment = createDetachedFragment(htmlFragment);
+ var statusRow = fragment.querySelector('tr.bz_feed_bug_status');
return {
title: entry.getElementsByTagName('title')[0].textContent,
url: entry.getElementsByTagName('id')[0].textContent,
Modified: trunk/Tools/BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/ui.js (97035 => 97036)
--- trunk/Tools/BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/ui.js 2011-10-10 01:15:21 UTC (rev 97035)
+++ trunk/Tools/BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/ui.js 2011-10-10 02:29:02 UTC (rev 97036)
@@ -76,7 +76,14 @@
},
tabNamed: function(tabName)
{
- return $('#' + tabName, this)[0];
+ tab = document.getElementById(tabName);
+ // We perform this sanity check below to make sure getElementById
+ // hasn't given us a node in some other unrelated part of the document.
+ // that shouldn't happen normally, but it could happen if an attacker
+ // has somehow sneakily added a node to our document.
+ if (tab.parentNode != this)
+ return null;
+ return tab;
},
summary: function()
{
@@ -130,9 +137,9 @@
document.body.appendChild(this);
$(this).dialog({
resizable: false,
- title: title,
width: $(window).width() * 0.80, // FIXME: We should have CSS do this work for us.
});
+ $('.ui-dialog-title', this.parentNode).text(title);
$(this).bind('dialogclose', function() {
$(this).detach();
}.bind(this));
Modified: trunk/Tools/ChangeLog (97035 => 97036)
--- trunk/Tools/ChangeLog 2011-10-10 01:15:21 UTC (rev 97035)
+++ trunk/Tools/ChangeLog 2011-10-10 02:29:02 UTC (rev 97036)
@@ -1,3 +1,18 @@
+2011-10-09 Adam Barth <[email protected]>
+
+ Remove "near miss" XSS vulnerabilities in garden-o-matic
+ https://bugs.webkit.org/show_bug.cgi?id=69708
+
+ Reviewed by David Levin.
+
+ Collin Jackson did a security audit of garden-o-matic. He hasn't found
+ any actual vulnerabilities yet, but he did identify a couple "near
+ misses" where a slight change in garden-o-matic could lead to a
+ vulnerability. This patch removes those potential issues.
+
+ * BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/Bugzilla.js:
+ * BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/ui.js:
+
2011-10-07 Adam Barth <[email protected]>
Add a Content-Security-Policy to garden-o-matic
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes