Title: [111808] trunk
- Revision
- 111808
- Author
- [email protected]
- Date
- 2012-03-22 19:13:24 -0700 (Thu, 22 Mar 2012)
Log Message
XSS Auditor bypass via script tag src="" URLS.
https://bugs.webkit.org/show_bug.cgi?id=81948
Reviewed by Adam Barth.
Source/WebCore:
This change fixes an XSSAuditor bypass whereby a script with a data: URL src
attribute could evade detection by using characters from the page to create
a snippet for matching not found in the URL's reflected vector. This change
terminates the snippet for matching earlier in these cases.
Test: http/tests/security/xssAuditor/script-tag-with-source-data-url2.html
* html/parser/XSSAuditor.cpp:
(WebCore::XSSAuditor::decodedSnippetForAttribute):
LayoutTests:
Add a test that data: URLs can't bypass xssauditor with trailing comments.
* http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-with-source-data-url2.html: Added.
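The mechanism the log message describes, as an added example that is not WebKit's code: the two functions below model the snippet-truncation step of decodedSnippetForAttribute for src-like attributes as it read before and after this revision, and wouldBlock() is a deliberately simplified stand-in for the auditor's "source code of script found within request" check (a plain substring match against the decoded request URL, rather than the real matching logic). The attacker payload, the page text that the parser consumes into the attribute value, and the request URL are all constructed for the example; the real test and the real bug may use different strings.

```cpp
// Added example, not WebKit code. Models the src-attribute snippet truncation
// in XSSAuditor::decodedSnippetForAttribute before and after r111808.
#include <cassert>
#include <iostream>
#include <string>

// Pre-r111808 rule: stop at the first '?' or '#', or at the third '/' or '\'.
std::string truncateSrcSnippetOld(std::string snippet)
{
    int slashCount = 0;
    for (size_t i = 0; i < snippet.size(); ++i) {
        char c = snippet[i];
        if (c == '?' || c == '#' || ((c == '/' || c == '\\') && ++slashCount > 2)) {
            snippet.resize(i);
            break;
        }
    }
    return snippet;
}

// Post-r111808 rule: additionally stop at the first '/' or '\' once a ',' has been
// seen. In a data: URL the payload starts at the comma, and a slash there may open
// a JavaScript comment that swallows whatever page text was pulled into the value.
std::string truncateSrcSnippetNew(std::string snippet)
{
    int slashCount = 0;
    bool commaSeen = false;
    for (size_t i = 0; i < snippet.size(); ++i) {
        char c = snippet[i];
        if (c == '?' || c == '#'
            || ((c == '/' || c == '\\') && (commaSeen || ++slashCount > 2))) {
            snippet.resize(i);
            break;
        }
        if (c == ',')
            commaSeen = true;
    }
    return snippet;
}

// Simplified stand-in for the auditor's match (assumption, not the real logic):
// block only if the page-derived snippet appears verbatim in the decoded request.
bool wouldBlock(const std::string& snippet, const std::string& decodedRequestUrl)
{
    return !snippet.empty() && decodedRequestUrl.find(snippet) != std::string::npos;
}

// Constructed scenario. The attacker reflects an unclosed script tag whose data:
// payload ends in "//"; the page's own text (containing no slash) then becomes
// part of the src value. Only the attacker part is present in the request URL.
const std::string kAttackerPart = "data:,alert(1)//";
const std::string kPageTail = "\" id=x>Click here";
const std::string kAttributeValue = kAttackerPart + kPageTail;
const std::string kRequestUrl =
    "http://victim.example/search?q=<script src=" + kAttackerPart;

// Control case: an ordinary remote script URL, which both rules cut at the third slash.
const std::string kHttpSrc = "http://evil.example/x.js?cb=1";

int main()
{
    std::string oldSnippet = truncateSrcSnippetOld(kAttributeValue);
    std::string newSnippet = truncateSrcSnippetNew(kAttributeValue);
    std::cout << "old snippet: [" << oldSnippet << "] blocked="
              << wouldBlock(oldSnippet, kRequestUrl) << "\n";
    std::cout << "new snippet: [" << newSnippet << "] blocked="
              << wouldBlock(newSnippet, kRequestUrl) << "\n";
    std::cout << "http src, old: [" << truncateSrcSnippetOld(kHttpSrc) << "]\n";
    std::cout << "http src, new: [" << truncateSrcSnippetNew(kHttpSrc) << "]\n";
    return 0;
}
```

Under the old rule the snippet keeps the page's characters after `//` (only two slashes, no `?` or `#`), so it is not a substring of the request and the script runs; under the new rule the comma followed by a slash cuts the snippet to `data:,alert(1)`, which is in the request. The http: control shows that URLs without a comma before the third slash are truncated identically by both rules.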
Modified Paths
Added Paths
Diff
Modified: trunk/LayoutTests/ChangeLog (111807 => 111808)
--- trunk/LayoutTests/ChangeLog 2012-03-23 02:08:17 UTC (rev 111807)
+++ trunk/LayoutTests/ChangeLog 2012-03-23 02:13:24 UTC (rev 111808)
@@ -1,3 +1,15 @@
+2012-03-22 Tom Sepez <[email protected]>
+
+ XSS Auditor bypass via script tag src="" URLS.
+ https://bugs.webkit.org/show_bug.cgi?id=81948
+
+ Reviewed by Adam Barth.
+
+ Add a test that data: URLs can't bypass xssauditor with trailing comments.
+
+ * http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt: Added.
+ * http/tests/security/xssAuditor/script-tag-with-source-data-url2.html: Added.
+
2012-03-22 Dave Tharp <[email protected]>
QT 4.8 soft hyphen bug has no failing test case
Added: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt (0 => 111808)
--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt 2012-03-23 02:13:24 UTC (rev 111808)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Refused to execute a _javascript_ script. Source code of script found within request.
+
+
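Review bot: the expectation line reads "Refused to execute a _javascript_ script", with the word wrapped in underscores; the auditor's console message spells it "JavaScript". If that token is not an artifact of how this page was rendered, the committed expected.txt will not match the actual console output and the test will fail on every run, so please check the file in the repository byte for byte against the message emitted by XSSAuditor.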
Added: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url2.html (0 => 111808)
--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url2.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url2.html 2012-03-23 02:13:24 UTC (rev 111808)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src=""
+</iframe>
+</body>
+</html>
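Review bot: as shown, `<iframe src=""` has an empty src and the start tag is never closed with `>`, so the test as rendered loads nothing and cannot exercise the data: URL with trailing comment that the ChangeLog says it covers. The expectation ("Source code of script found within request") requires the iframe to fetch a page whose request URL carries the reflected `<script src="data:...">` payload; please confirm the committed file has that full src value and a well-formed start tag, since the empty attribute here looks like the same stripping that produced `src=""` in the commit title.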
Modified: trunk/Source/WebCore/ChangeLog (111807 => 111808)
--- trunk/Source/WebCore/ChangeLog 2012-03-23 02:08:17 UTC (rev 111807)
+++ trunk/Source/WebCore/ChangeLog 2012-03-23 02:13:24 UTC (rev 111808)
@@ -1,3 +1,20 @@
+2012-03-22 Tom Sepez <[email protected]>
+
+ XSS Auditor bypass via script tag src="" URLS.
+ https://bugs.webkit.org/show_bug.cgi?id=81948
+
+ Reviewed by Adam Barth.
+
+ This change fixes an XSSAuditor bypass wherby a script with a data: URL src
+ attribute could evade detection by using characters from the page to create
+ a snippet for matching not found in the URL's reflected vector. This change
+ terminates the snippet for matching earlier in these cases.
+
+ Test: http/tests/security/xssAuditor/script-tag-with-source-data-url2.html
+
+ * html/parser/XSSAuditor.cpp:
+ (WebCore::XSSAuditor::decodedSnippetForAttribute):
+
2012-03-22 Dana Jansens <[email protected]>
[chromium] Incorrect assert on animating opacity for a surface
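Review bot: spelling in the ChangeLog entry, "This change fixes an XSSAuditor bypass wherby a script": "wherby" should be "whereby". Also consider "trailing comment" in the description to match the LayoutTests entry, so both entries name the same attack shape.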
Modified: trunk/Source/WebCore/html/parser/XSSAuditor.cpp (111807 => 111808)
--- trunk/Source/WebCore/html/parser/XSSAuditor.cpp 2012-03-23 02:08:17 UTC (rev 111807)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.cpp 2012-03-23 02:13:24 UTC (rev 111808)
@@ -516,17 +516,23 @@
String decodedSnippet = fullyDecodeString(m_parser->sourceForToken(token).substring(start, end - start), m_parser->document()->decoder());
decodedSnippet.truncate(kMaximumFragmentLengthTarget);
if (treatment == SrcLikeAttribute) {
- int slashCount;
- size_t currentLength;
- // Characters following the first ?, #, or third slash may come from
- // the page itself and can be merely ignored by an attacker's server
- // when a remote script or script-like resource is requested.
- for (slashCount = 0, currentLength = 0; currentLength < decodedSnippet.length(); ++currentLength) {
- if (decodedSnippet[currentLength] == '?' || decodedSnippet[currentLength] == '#'
- || ((decodedSnippet[currentLength] == '/' || decodedSnippet[currentLength] == '\\') && ++slashCount > 2)) {
+ int slashCount = 0;
+ bool commaSeen = false;
+ // In HTTP URLs, characters following the first ?, #, or third slash may come from
+ // the page itself and can be merely ignored by an attacker's server when a remote
+ // script or script-like resource is requested. In DATA URLS, the payload starts at
+ // the first comma, and the the first /* or // may introduce a comment. Characters
+ // following this may come from the page itself and may be ignored when the script is
+ // executed. For simplicity, we don't differentiate based on URL scheme, and stop at
+ // the first # or ?, the third slash, or the first slash once a comma is seen.
+ for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++currentLength) {
+ UChar currentChar = decodedSnippet[currentLength];
+ if (currentChar == '?' || currentChar == '#' || ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++slashCount > 2))) {
decodedSnippet.truncate(currentLength);
break;
}
+ if (currentChar == ',')
+ commaSeen = true;
}
}
return decodedSnippet;
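Review bot: the comment does not quite describe the code. It says "the first /* or // may introduce a comment", but the loop stops at the first single `/` or `\` after a comma, not at a two-character comment opener; that is the right conservative choice (a lone slash cannot be told apart from a comment start at this point), so please say so in the comment, e.g. "stop at the first slash or backslash after a comma, since it may begin a comment". Two typos in the same comment: "the the first /*" and "DATA URLS" (elsewhere the file writes "data:" URLs). One behavioural consequence worth a sentence in the comment: because the rule is scheme-agnostic, an http: URL with a comma before its third slash is also cut at the next slash; that only shortens the snippet, so it cannot reopen a bypass, but it can make matching broader than before.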
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes