Title: [206276] trunk
Revision
206276
Author
dba...@webkit.org
Date
2016-09-22 14:33:20 -0700 (Thu, 22 Sep 2016)

Log Message

[XSS Auditor] Truncate data URLs at quotes
https://bugs.webkit.org/show_bug.cgi?id=161937

Reviewed by David Kilzer.

Source/WebCore:

Merged from Blink:
<https://chromium.googlesource.com/chromium/src/+/c6d6331190dd43f09459e2341c3111e796f9de12/>

Truncate a data URL at the first single or double quote character to avoid considering
characters that may come from the page content following an injected data URL.

Test: http/tests/security/xssAuditor/script-tag-with-source-data-url4.html

* html/parser/XSSAuditor.cpp:
(WebCore::truncateForSrcLikeAttribute):

LayoutTests:

* http/tests/security/xssAuditor/resources/echo-property.pl:
* http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-with-source-data-url4.html: Added.
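
As an added example that is not WebKit's code: a standalone C++ reconstruction of the truncation rule the log message describes, run on inputs modelled on the new test. The function name mirrors the one named in the ChangeLog, but the body is reimplemented from the description; the `stopAtQuotes` switch (to compare the pre- and post-patch rule), the `commaSeen` handling, and the constructed request and attribute strings are assumptions, not material from the commit.

```cpp
#include <iostream>
#include <string>

// Added example, not WebCore's code: a standalone reconstruction of the
// truncation rule the ChangeLog describes. `stopAtQuotes` selects the
// pre-patch rule (false) or the patched one (true).
// Assumption: `commaSeen` is set once the first ',' has been passed; the
// hunk shown on this page does not include that part of the loop.
std::string truncateForSrcLikeAttribute(std::string decodedSnippet, bool stopAtQuotes)
{
    int slashCount = 0;
    bool commaSeen = false;
    for (size_t i = 0; i < decodedSnippet.length(); ++i) {
        const char c = decodedSnippet[i];
        const bool stop = c == '?'
            || c == '#'
            || ((c == '/' || c == '\\') && (commaSeen || ++slashCount > 2))
            || (c == '<' && commaSeen)
            || (stopAtQuotes && (c == '\'' || c == '"') && commaSeen);
        if (stop) {
            decodedSnippet.resize(i);
            return decodedSnippet;
        }
        if (c == ',')
            commaSeen = true;
    }
    return decodedSnippet;
}

// The auditor's decision reduces to: does the (truncated) snippet occur
// verbatim in the decoded request? Any character that really came from the
// page rather than the request makes that lookup fail and lets the script run.
bool snippetFoundInRequest(const std::string& snippet, const std::string& decodedRequest)
{
    return !snippet.empty() && decodedRequest.find(snippet) != std::string::npos;
}

// Constructed inputs modelled on script-tag-with-source-data-url4.html.
// The query `q=%22%3E%3Cscript%20src%3ddata:,alert(1)%3bhey%%22` percent-decodes
// to the string below: the lone `%` of `%%22` is not a valid escape and survives.
const std::string kDecodedRequest = "\"><script src=data:,alert(1);hey%\"";
// echo-property.pl echoes q inside a quoted attribute and then prints `">`, so
// the unquoted src= value the tokenizer collects ends with the page's own `"`.
const std::string kSrcAttributeFromParser = "data:,alert(1);hey%\"\"";

bool blockedByOldRule()
{
    return snippetFoundInRequest(truncateForSrcLikeAttribute(kSrcAttributeFromParser, false), kDecodedRequest);
}

bool blockedByNewRule()
{
    return snippetFoundInRequest(truncateForSrcLikeAttribute(kSrcAttributeFromParser, true), kDecodedRequest);
}

int main()
{
    std::cout << std::boolalpha;
    std::cout << "old rule keeps: " << truncateForSrcLikeAttribute(kSrcAttributeFromParser, false)
              << "  blocked=" << blockedByOldRule() << '\n';
    std::cout << "new rule keeps: " << truncateForSrcLikeAttribute(kSrcAttributeFromParser, true)
              << "  blocked=" << blockedByNewRule() << '\n';
    // Quotes before the comma belong to the media type, not the payload, and are kept.
    std::cout << truncateForSrcLikeAttribute("data:text/javascript;charset='utf-8',alert(1)'x", true) << '\n';
    // HTTP URLs are still cut at the third slash, ahead of any path or query.
    std::cout << truncateForSrcLikeAttribute("http://evil.example/x.js?cb=1", true) << '\n';
    return 0;
}
```

The constructed case shows why a single page-supplied character defeats the old rule: the attacker's snippet plus the page's trailing `"` is not a substring of the request, so nothing is blocked; cutting at the first quote after the comma removes exactly the characters the attacker did not control.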

Diff

Modified: trunk/LayoutTests/ChangeLog (206275 => 206276)


--- trunk/LayoutTests/ChangeLog	2016-09-22 21:22:32 UTC (rev 206275)
+++ trunk/LayoutTests/ChangeLog	2016-09-22 21:33:20 UTC (rev 206276)
@@ -1,3 +1,14 @@
+2016-09-22  Daniel Bates  <daba...@apple.com>
+
+        [XSS Auditor] Truncate data URLs at quotes
+        https://bugs.webkit.org/show_bug.cgi?id=161937
+
+        Reviewed by David Kilzer.
+
+        * http/tests/security/xssAuditor/resources/echo-property.pl:
+        * http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt: Added.
+        * http/tests/security/xssAuditor/script-tag-with-source-data-url4.html: Added.
+
 2016-09-22  Ryan Haddad  <ryanhad...@apple.com>
 
         Marking imported/w3c/web-platform-tests/media-source/mediasource-duration.html as flaky on mac.

Modified: trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl (206275 => 206276)


--- trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl	2016-09-22 21:22:32 UTC (rev 206275)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl	2016-09-22 21:33:20 UTC (rev 206276)
@@ -14,5 +14,6 @@
     print $cgi->param('clutter');
 }
 print "\">\n";
+print "<script>var y = 123;</script>";
 print "</body>\n";
 print "</html>\n";
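
Review bot: the added `print "<script>var y = 123;</script>";` changes the output of a shared helper, not only of the new test. It is the only `</script>` this page emits, so it is what terminates the injected `<script src=data:,...>` element and lets it execute, and it places page-originated markup directly after the reflection point. If other tests under http/tests/security/xssAuditor/ load echo-property.pl, their -expected.txt files should be re-checked, and a one-line comment in the helper saying why the dummy script is there would spare the next reader the archaeology.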

Added: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt (0 => 206276)


--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt	2016-09-22 21:33:20 UTC (rev 206276)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%3E%3Cscript%20src%3ddata:,alert(1)%3bhey%%22' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+
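Review bot: this expectation pins the auditor's exact console string, including the `line 3:` prefix and the `X-XSS-Protection` remark, together with the echoed URL and its `%%22` tail; the pass condition is that this line appears and no ALERT line does. That is normal for a layout test, but it means any rewording of the auditor's message or any change to the iframe's position in the test file requires regenerating this file rather than editing it by hand.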

Added: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4.html (0 => 206276)


--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4.html	2016-09-22 21:33:20 UTC (rev 206276)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+  testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="" src%3ddata:,alert(1)%3bhey%%22">
+</iframe>
+</body>
+</html>
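
Review bot: as rendered here the iframe line reads `<iframe src="" src%3ddata:,alert(1)%3bhey%%22">`, an empty src attribute followed by a loose fragment, which cannot be the committed source; the URL the auditor reports in script-tag-with-source-data-url4-expected.txt is `http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%3E%3Cscript%20src%3ddata:,alert(1)%3bhey%%22`, so this looks like extraction damage to the listing, but it is worth confirming the checked-in file carries that full URL. The `%%22` tail is the point of the test: the lone `%` is not a valid escape, so the decoded request ends in `hey%"`, while the src value the tokenizer collects also carries the `"` that echo-property.pl prints after the reflected parameter.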

Modified: trunk/Source/WebCore/ChangeLog (206275 => 206276)


--- trunk/Source/WebCore/ChangeLog	2016-09-22 21:22:32 UTC (rev 206275)
+++ trunk/Source/WebCore/ChangeLog	2016-09-22 21:33:20 UTC (rev 206276)
@@ -1,5 +1,23 @@
 2016-09-22  Daniel Bates  <daba...@apple.com>
 
+        [XSS Auditor] Truncate data URLs at quotes
+        https://bugs.webkit.org/show_bug.cgi?id=161937
+
+        Reviewed by David Kilzer.
+
+        Merged from Blink: 
+        <https://chromium.googlesource.com/chromium/src/+/c6d6331190dd43f09459e2341c3111e796f9de12/>
+
+        Truncate a data URL at the first single or double quote character to avoid considering
+        characters that may come from the page content following an injected data URL.
+
+        Test: http/tests/security/xssAuditor/script-tag-with-source-data-url4.html
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::truncateForSrcLikeAttribute):
+
+2016-09-22  Daniel Bates  <daba...@apple.com>
+
         Remove more ENABLE(TEXT_AUTOSIZING) code
         https://bugs.webkit.org/show_bug.cgi?id=162456
 

Modified: trunk/Source/WebCore/html/parser/XSSAuditor.cpp (206275 => 206276)


--- trunk/Source/WebCore/html/parser/XSSAuditor.cpp	2016-09-22 21:22:32 UTC (rev 206275)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.cpp	2016-09-22 21:33:20 UTC (rev 206276)
@@ -178,11 +178,14 @@
 {
     // In HTTP URLs, characters following the first ?, #, or third slash may come from
     // the page itself and can be merely ignored by an attacker's server when a remote
-    // script or script-like resource is requested. In DATA URLS, the payload starts at
-    // the first comma, and the the first /*, //, or <!-- may introduce a comment. Characters
-    // following this may come from the page itself and may be ignored when the script is
-    // executed. For simplicity, we don't differentiate based on URL scheme, and stop at
-    // the first # or ?, the third slash, or the first slash or < once a comma is seen.
+    // script or script-like resource is requested. In data URLs, the payload starts at
+    // the first comma, and the first /*, //, or <!-- may introduce a comment. Also
+    // data URLs may use the same string literal tricks as with script content itself.
+    // In either case, content following this may come from the page and may be ignored
+    // when the script is executed.
+    // For simplicity, we don't differentiate based on URL scheme, and stop at
+    // the first # or ?, the third slash, or the first slash, <, ', or " once a comma
+    // is seen.
     int slashCount = 0;
     bool commaSeen = false;
     for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++currentLength) {
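Review bot: the rewritten comment still does not mention that `\` is treated like `/`, although the condition in the loop below, `((currentChar == '/' || currentChar == '\\') && (commaSeen || ++slashCount > 2))`, counts backslashes toward the third-slash limit and stops on them after the comma; suggest "the third slash or backslash, or the first slash, backslash, <, ', or \" once a comma is seen" so the comment matches the code. A short sentence that quotes before the comma belong to the media type (for example a quoted charset) and are deliberately left alone would also document why the new cases are guarded by `commaSeen`.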
@@ -190,7 +193,9 @@
         if (currentChar == '?'
             || currentChar == '#'
             || ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++slashCount > 2))
-            || (currentChar == '<' && commaSeen)) {
+            || (currentChar == '<' && commaSeen)
+            || (currentChar == '\'' && commaSeen)
+            || (currentChar == '"' && commaSeen)) {
             decodedSnippet.truncate(currentLength);
             return;
         }
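Review bot: the two new clauses are the same test on two characters; folding them into `|| ((currentChar == '\'' || currentChar == '"') && commaSeen)` follows the form of the slash clause two lines above and keeps the condition readable. Also, the new comment justifies the quotes with "string literal tricks", and ES2015 template literals open with a backtick; if that case is meant to be covered, '`' belongs in the same clause, otherwise a note that it is out of scope would save the next reviewer the question.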
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
https://lists.webkit.org/mailman/listinfo/webkit-changes