Modified: trunk/LayoutTests/ChangeLog (206275 => 206276)
--- trunk/LayoutTests/ChangeLog 2016-09-22 21:22:32 UTC (rev 206275)
+++ trunk/LayoutTests/ChangeLog 2016-09-22 21:33:20 UTC (rev 206276)
@@ -1,3 +1,14 @@
+2016-09-22 Daniel Bates <[email protected]>
+
+ [XSS Auditor] Truncate data URLs at quotes
+ https://bugs.webkit.org/show_bug.cgi?id=161937
+
+ Reviewed by David Kilzer.
+
+ * http/tests/security/xssAuditor/resources/echo-property.pl:
+ * http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt: Added.
+ * http/tests/security/xssAuditor/script-tag-with-source-data-url4.html: Added.
+
2016-09-22 Ryan Haddad <[email protected]>
Marking imported/w3c/web-platform-tests/media-source/mediasource-duration.html as flaky on mac.
Modified: trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl (206275 => 206276)
--- trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl 2016-09-22 21:22:32 UTC (rev 206275)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl 2016-09-22 21:33:20 UTC (rev 206276)
@@ -14,5 +14,6 @@
print $cgi->param('clutter');
}
print "\">\n";
+print "<script>var y = 123;</script>";
print "</body>\n";
print "</html>\n";
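Review bot: The `<script>var y = 123;</script>` line added right after the closing `">` lives in a fixture shared by the other xssAuditor tests, and nothing in the file says what it is there for, so the next edit to this script is likely to drop it; a one-line comment such as `# Trailing script element that follows the echoed value; exercised by script-tag-with-source-data-url4.html.` above the new print would pin the intent. If other tests dump the body of this page, their expectations may need re-checking — the LayoutTests ChangeLog lists only the new test as touched.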
Added: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt (0 => 206276)
--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt 2016-09-22 21:33:20 UTC (rev 206276)
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%3E%3Cscript%20src%3ddata:,alert(1)%3bhey%%22' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+
Added: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4.html (0 => 206276)
--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4.html 2016-09-22 21:33:20 UTC (rev 206276)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+ testRunner.dumpAsText();
+ testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="" src%3ddata:,alert(1)%3bhey%%22">
+</iframe>
+</body>
+</html>
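Review bot: The new test appears to exercise only the double-quote path — the expected output's request URL ends in `hey%%22` — while the XSSAuditor.cpp change truncates at both `'` and `"`, so the single-quote branch gets no coverage from this commit; a sibling test (or a second iframe here) with `%27` in place of `%22` would pin both branches against regression. The iframe's `src` attribute also looks mangled in this rendering (`src="" src%3ddata:...`), so it is worth confirming the committed file carries the full `echo-property.pl?q=...` URL that the expected output shows.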
Modified: trunk/Source/WebCore/ChangeLog (206275 => 206276)
--- trunk/Source/WebCore/ChangeLog 2016-09-22 21:22:32 UTC (rev 206275)
+++ trunk/Source/WebCore/ChangeLog 2016-09-22 21:33:20 UTC (rev 206276)
@@ -1,5 +1,23 @@
2016-09-22 Daniel Bates <[email protected]>
+ [XSS Auditor] Truncate data URLs at quotes
+ https://bugs.webkit.org/show_bug.cgi?id=161937
+
+ Reviewed by David Kilzer.
+
+ Merged from Blink:
+ <https://chromium.googlesource.com/chromium/src/+/c6d6331190dd43f09459e2341c3111e796f9de12/>
+
+ Truncate a data URL at the first single or double quote character to avoid considering
+ characters that may come from the page content following an injected data URL.
+
+ Test: http/tests/security/xssAuditor/script-tag-with-source-data-url4.html
+
+ * html/parser/XSSAuditor.cpp:
+ (WebCore::truncateForSrcLikeAttribute):
+
+2016-09-22 Daniel Bates <[email protected]>
+
Remove more ENABLE(TEXT_AUTOSIZING) code
https://bugs.webkit.org/show_bug.cgi?id=162456
Modified: trunk/Source/WebCore/html/parser/XSSAuditor.cpp (206275 => 206276)
--- trunk/Source/WebCore/html/parser/XSSAuditor.cpp 2016-09-22 21:22:32 UTC (rev 206275)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.cpp 2016-09-22 21:33:20 UTC (rev 206276)
@@ -178,11 +178,14 @@
{
// In HTTP URLs, characters following the first ?, #, or third slash may come from
// the page itself and can be merely ignored by an attacker's server when a remote
- // script or script-like resource is requested. In DATA URLS, the payload starts at
- // the first comma, and the the first /*, //, or <!-- may introduce a comment. Characters
- // following this may come from the page itself and may be ignored when the script is
- // executed. For simplicity, we don't differentiate based on URL scheme, and stop at
- // the first # or ?, the third slash, or the first slash or < once a comma is seen.
+ // script or script-like resource is requested. In data URLs, the payload starts at
+ // the first comma, and the first /*, //, or <!-- may introduce a comment. Also
+ // data URLs may use the same string literal tricks as with script content itself.
+ // In either case, content following this may come from the page and may be ignored
+ // when the script is executed.
+ // For simplicity, we don't differentiate based on URL scheme, and stop at
+ // the first # or ?, the third slash, or the first slash, <, ', or " once a comma
+ // is seen.
int slashCount = 0;
bool commaSeen = false;
for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++currentLength) {
@@ -190,7 +193,9 @@
if (currentChar == '?'
|| currentChar == '#'
|| ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++slashCount > 2))
- || (currentChar == '<' && commaSeen)) {
+ || (currentChar == '<' && commaSeen)
+ || (currentChar == '\'' && commaSeen)
+ || (currentChar == '"' && commaSeen)) {
decodedSnippet.truncate(currentLength);
return;
}
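Review bot: The three added clauses stop at `'` and `"` after the comma but not at the backtick, which is a third JavaScript string delimiter (template literal) and, unlike the other two, may span newlines, so an injected data: payload ending in a backtick could turn the page's trailing content into a harmless string literal in just the way this change is meant to defeat for `'`/`"`; worth confirming against the engine's template-literal support before relying on the new check. The repeated `&& commaSeen` clauses could also be folded into one, e.g. `|| (commaSeen && (currentChar == '<' || currentChar == '\'' || currentChar == '"' || currentChar == '`'))`, which keeps the condition readable as delimiters are added. truncateForSrcLikeAttribute's signature is above this hunk and the loop body continues below it (presumably where commaSeen is set), so I cannot see whether any further delimiters are handled there.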