Title: [108653] trunk
Revision
108653
Author
[email protected]
Date
2012-02-23 11:46:48 -0800 (Thu, 23 Feb 2012)

Log Message

[chromium] XSS Auditor bypass via _javascript_ url and control characters
https://bugs.webkit.org/show_bug.cgi?id=79154

Reviewed by Adam Barth.

Source/WebCore:

Test: http/tests/security/xssAuditor/_javascript_-link-control-char2.html

* html/parser/XSSAuditor.cpp:
(WebCore):
(WebCore::XSSAuditor::eraseDangerousAttributesIfInjected):

LayoutTests:

* http/tests/security/xssAuditor/_javascript_-link-control-char2-expected.txt: Added.
* http/tests/security/xssAuditor/_javascript_-link-control-char2.html: Added.
* platform/chromium/http/tests/security/xssAuditor: Added.
* platform/chromium/http/tests/security/xssAuditor/_javascript_-link-control-char2-expected.txt: Added.
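
The class of bypass named in the log message, as an added example in JavaScript (this is not WebKit code and not part of the commit): `naiveIsJavaScriptURL` re-expresses the logic of the removed `containsJavaScriptURL()` (skip HTML whitespace, then compare against "javascript:"), and `normalizedIsJavaScriptURL` stands in for the engine's `protocolIsJavaScript()` by asking the WHATWG URL parser (Node's global `URL`) what scheme a navigation would actually see. The payload strings are constructed for illustration, not taken from the bug report. The point it shows is the one the fix relies on: a scheme detector must normalize control characters the same way the URL consumer does, or values the consumer treats as javascript: slip past it.

```javascript
'use strict';

// HTML whitespace as the HTML parser defines it (space, tab, LF, FF, CR);
// this is the set WebKit's isHTMLSpace() accepts.
const HTML_SPACE = new Set([' ', '\t', '\n', '\f', '\r']);

// Re-expression (assumption: our own JavaScript port, not the C++ itself) of
// the removed containsJavaScriptURL(): skip leading HTML whitespace, then
// compare the next 11 characters with "javascript:" case-insensitively.
// Nothing else is normalized.
function naiveIsJavaScriptURL(value) {
  let i = 0;
  while (i < value.length && HTML_SPACE.has(value[i])) i++;
  return value.slice(i, i + 'javascript:'.length).toLowerCase() === 'javascript:';
}

// What a navigation actually sees. The WHATWG URL parser (Node's global URL)
// strips leading and trailing C0 controls and spaces and deletes embedded
// tab, CR and LF before it reads the scheme. Unparsable input throws; treat
// that as "not a javascript: URL".
function normalizedIsJavaScriptURL(value) {
  try {
    return new URL(value).protocol === 'javascript:';
  } catch (e) {
    return false;
  }
}

// Constructed payloads for illustration (not from the bug report).
const PAYLOADS = [
  'javascript:alert(1)',             // plain
  'JavaScript:alert(1)',             // case variation
  ' \n javascript:alert(1)',         // leading HTML whitespace
  '\x01javascript:alert(1)',         // leading C0 control character
  '\x1fjavascript:alert(1)\x1f',     // leading and trailing C0 control
  'java\tscript:alert(1)',           // tab inside the scheme
  'java\nscript:alert(1)',           // newline inside the scheme
  'http://example.com/javascript:x', // benign: scheme is http
  'vbscript:MsgBox(1)',              // benign for this particular check
];

// Values that really navigate to javascript: but slip past the naive check.
function missedByNaiveCheck(payloads = PAYLOADS) {
  return payloads.filter(
    (p) => normalizedIsJavaScriptURL(p) && !naiveIsJavaScriptURL(p)
  );
}

// Values the naive check flags that are not javascript: URLs at all
// (false positives); expected to be empty for this set.
function flaggedOnlyByNaiveCheck(payloads = PAYLOADS) {
  return payloads.filter(
    (p) => naiveIsJavaScriptURL(p) && !normalizedIsJavaScriptURL(p)
  );
}

for (const p of PAYLOADS) {
  console.log(
    JSON.stringify(p).padEnd(36),
    'naive:', naiveIsJavaScriptURL(p),
    'normalized:', normalizedIsJavaScriptURL(p)
  );
}
```

Running the block lists each payload with both verdicts; the four control-character variants are the ones the whitespace-only compare misses while the parser still yields a javascript: scheme. The design lesson is the same one the patch applies: do not keep a private copy of the scheme rules in the detector, call the predicate the consumer uses.
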

Diff

Modified: trunk/LayoutTests/ChangeLog (108652 => 108653)


--- trunk/LayoutTests/ChangeLog	2012-02-23 19:45:38 UTC (rev 108652)
+++ trunk/LayoutTests/ChangeLog	2012-02-23 19:46:48 UTC (rev 108653)
@@ -1,3 +1,15 @@
+2012-02-23  Tom Sepez  <[email protected]>
+
+        [chromium] XSS Auditor bypass via _javascript_ url and control characters
+        https://bugs.webkit.org/show_bug.cgi?id=79154
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/xssAuditor/_javascript_-link-control-char2-expected.txt: Added.
+        * http/tests/security/xssAuditor/_javascript_-link-control-char2.html: Added.
+        * platform/chromium/http/tests/security/xssAuditor: Added.
+        * platform/chromium/http/tests/security/xssAuditor/_javascript_-link-control-char2-expected.txt: Added.
+
 2012-02-23  Gavin Barraclough  <[email protected]>
 
         Object.isSealed / Object.isFrozen don't work for native objects
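Review bot: the entry adds a Chromium-only expected file but says nothing about why the generic baseline and the Chromium one differ; a one-line remark that only the Chromium port reports the auditor's console message (which is all the platform file contains) would stop the next reader from taking the split for a port-specific difference in the fix itself.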

Added: trunk/LayoutTests/http/tests/security/xssAuditor/_javascript_-link-control-char2-expected.txt (0 => 108653)


--- trunk/LayoutTests/http/tests/security/xssAuditor/_javascript_-link-control-char2-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/_javascript_-link-control-char2-expected.txt	2012-02-23 19:46:48 UTC (rev 108653)
@@ -0,0 +1 @@
+

Added: trunk/LayoutTests/http/tests/security/xssAuditor/_javascript_-link-control-char2.html (0 => 108653)


--- trunk/LayoutTests/http/tests/security/xssAuditor/_javascript_-link-control-char2.html	                        (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/_javascript_-link-control-char2.html	2012-02-23 19:46:48 UTC (rev 108653)
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src=''>
+</iframe>
+</body>
+</html>
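Review bot: `<iframe src=''>` has an empty frame URL, so as shown this test loads nothing and the auditor is never exercised; the attack URL (a javascript: link with a control character, per the file name and the expected console message) appears to have been lost from this copy of the patch and needs to be restored. Also, `layoutTestController.waitUntilDone()` has no matching `notifyDone()` in this file, so the test relies on the framed response to call it; with an empty src it only ends at the timeout.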

Added: trunk/LayoutTests/platform/chromium/http/tests/security/xssAuditor/_javascript_-link-control-char2-expected.txt (0 => 108653)


--- trunk/LayoutTests/platform/chromium/http/tests/security/xssAuditor/_javascript_-link-control-char2-expected.txt	                        (rev 0)
+++ trunk/LayoutTests/platform/chromium/http/tests/security/xssAuditor/_javascript_-link-control-char2-expected.txt	2012-02-23 19:46:48 UTC (rev 108653)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Refused to execute a _javascript_ script. Source code of script found within request.
+
+
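Review bot: the only evidence that the auditor fired is this console line, and it lives in the Chromium-specific baseline while the generic expected file is a single blank line; a port that does not emit the message therefore passes whether or not the bypass is blocked. Consider having the framed page also record in the DOM whether the injected script ran, so every port fails on a regression rather than only the one that logs the message.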

Modified: trunk/Source/WebCore/ChangeLog (108652 => 108653)


--- trunk/Source/WebCore/ChangeLog	2012-02-23 19:45:38 UTC (rev 108652)
+++ trunk/Source/WebCore/ChangeLog	2012-02-23 19:46:48 UTC (rev 108653)
@@ -1,3 +1,16 @@
+2012-02-23  Tom Sepez  <[email protected]>
+
+        [chromium] XSS Auditor bypass via _javascript_ url and control characters
+        https://bugs.webkit.org/show_bug.cgi?id=79154
+
+        Reviewed by Adam Barth.
+
+        Test: http/tests/security/xssAuditor/_javascript_-link-control-char2.html
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore):
+        (WebCore::XSSAuditor::eraseDangerousAttributesIfInjected):
+
 2012-02-23  Patrick Gansterer  <[email protected]>
 
         [CMake] Add WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS macro
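Review bot: the entry should say that containsJavaScriptURL() is removed and why protocolIsJavaScript() replaces it; as written it lists only `(WebCore):` (the namespace of the deleted static function) and eraseDangerousAttributesIfInjected, with no description of the bypass. One sentence along the lines of "the old prefix compare skipped only HTML whitespace, so control characters before or inside the scheme defeated it" keeps the security rationale next to the code for later audits.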

Modified: trunk/Source/WebCore/html/parser/XSSAuditor.cpp (108652 => 108653)


--- trunk/Source/WebCore/html/parser/XSSAuditor.cpp	2012-02-23 19:45:38 UTC (rev 108652)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.cpp	2012-02-23 19:46:48 UTC (rev 108653)
@@ -133,23 +133,6 @@
     return equalIgnoringCase(equiv, "refresh") || equalIgnoringCase(equiv, "set-cookie");
 }
 
-static bool containsJavaScriptURL(const Vector<UChar, 32>& value)
-{
-    static const char _javascript_Scheme[] = "_javascript_:";
-    static const size_t lengthOfJavaScriptScheme = sizeof(_javascript_Scheme) - 1;
-
-    size_t i;
-    for (i = 0; i < value.size(); ++i) {
-        if (!isHTMLSpace(value[i]))
-            break;
-    }
-
-    if (value.size() - i < lengthOfJavaScriptScheme)
-        return false;
-
-    return equalIgnoringCase(value.data() + i, _javascript_Scheme, lengthOfJavaScriptScheme);
-}
-
 static inline String decode16BitUnicodeEscapeSequences(const String& string)
 {
     // Note, the encoding is ignored since each %u-escape sequence represents a UTF-16 code unit.
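Review bot: the root cause is visible in the removed function: the loop skips only isHTMLSpace() characters before the case-insensitive compare with "javascript:", so a value such as "\x01javascript:..." or "java\tscript:..." never matched and the attribute survived, while the URL loader ignores exactly those characters and runs the script. Deleting the hand-rolled matcher instead of extending its skip list is the right fix; a second copy of the scheme rules inside the auditor would drift from the loader again.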
@@ -456,7 +439,7 @@
     for (size_t i = 0; i < token.attributes().size(); ++i) {
         const HTMLToken::Attribute& attribute = token.attributes().at(i);
         bool isInlineEventHandler = isNameOfInlineEventHandler(attribute.m_name);
-        bool valueContainsJavaScriptURL = isInlineEventHandler ? false : containsJavaScriptURL(attribute.m_value);
+        bool valueContainsJavaScriptURL = !isInlineEventHandler && protocolIsJavaScript(stripLeadingAndTrailingHTMLSpaces(String(attribute.m_value.data(), attribute.m_value.size())));
         if (!isInlineEventHandler && !valueContainsJavaScriptURL)
             continue;
         // Beware of trailing characters which came from the page itself, not the 
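Review bot: calling the engine's own protocolIsJavaScript() ties the auditor to the same predicate the script executor applies, which is what closes the bypass; two small points on the new line. It builds a String from attribute.m_value for every attribute of every audited tag (the old code compared in place), so a local `String value(attribute.m_value.data(), attribute.m_value.size());` is worth it both to make that cost obvious and to make the very long line readable; and stripLeadingAndTrailingHTMLSpaces() is only needed if protocolIsJavaScript() does not already skip leading whitespace, so either drop it or add a comment on why both are applied. Please also make sure a test covers a tab or newline inside the scheme, not only a leading control character, if control-char2 does not already.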
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes
