[XSS Auditor] Truncate data URLs at quotes
Author: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Author date: Thu, 22 Sep 2016 21:33:20 +0000 (21:33 +0000)
Committer: dbates@webkit.org <dbates@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Commit date: Thu, 22 Sep 2016 21:33:20 +0000 (21:33 +0000)
https://bugs.webkit.org/show_bug.cgi?id=161937

Reviewed by David Kilzer.

Source/WebCore:

Merged from Blink:
<https://chromium.googlesource.com/chromium/src/+/c6d6331190dd43f09459e2341c3111e796f9de12/>

Truncate a data URL at the first single or double quote character to avoid considering
characters that may come from the page content following an injected data URL.

Test: http/tests/security/xssAuditor/script-tag-with-source-data-url4.html

* html/parser/XSSAuditor.cpp:
(WebCore::truncateForSrcLikeAttribute):

LayoutTests:

* http/tests/security/xssAuditor/resources/echo-property.pl:
* http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-with-source-data-url4.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@206276 268f45cc-cd09-0410-ab3c-d52691b4dbfc
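To show what the truncation rule in this change buys, here is an added example (not WebKit's code) that ports the rule to std::string, with a flag for the pre-change behaviour, and runs it over the payload from the new layout test. It assumes echo-property.pl echoes the value of q into an attribute and then prints the closing `">`, that the auditor decodes `%%22` to `%"`, and that setting commaSeen after the stop check (the part of the loop the hunk does not show) is correct; the substring check stands in for the auditor's real, canonicalising match.

```cpp
// Added example, not WebKit's code: a std::string port of the rule in
// truncateForSrcLikeAttribute, applied to the payload of the new layout test.
#include <string>
#include <cstddef>

// stopAtQuotes = true is the behaviour after this change, false the one before.
// Setting commaSeen after the stop check mirrors the tail of the loop that the
// hunk does not show (assumption of this port).
std::string truncateForSrcLikeAttribute(std::string snippet, bool stopAtQuotes)
{
    int slashCount = 0;
    bool commaSeen = false;
    for (size_t i = 0; i < snippet.size(); ++i) {
        char c = snippet[i];
        bool stop = c == '?' || c == '#'
            || ((c == '/' || c == '\\') && (commaSeen || ++slashCount > 2))
            || (c == '<' && commaSeen)
            || (stopAtQuotes && (c == '\'' || c == '"') && commaSeen);
        if (stop) {
            snippet.resize(i); // same effect as String::truncate
            return snippet;
        }
        if (c == ',')
            commaSeen = true;
    }
    return snippet;
}

// Simplified stand-in for the auditor's check: is the truncated snippet found
// verbatim in the decoded request? (The real auditor canonicalises both sides.)
bool snippetFoundInRequest(const std::string& srcAttribute, const std::string& decodedRequest, bool stopAtQuotes)
{
    std::string snippet = truncateForSrcLikeAttribute(srcAttribute, stopAtQuotes);
    return decodedRequest.find(snippet) != std::string::npos;
}

// Constructed from the test: the decoded query ("%%22" decodes to %") and the
// unquoted src attribute the page ends up with once echo-property.pl's closing
// `">` follows the echoed value. The second quote comes from the page, not the request.
const std::string kDecodedRequest = "q=\"><script src=data:,alert(1);hey%\"";
const std::string kSrcAttribute = "data:,alert(1);hey%\"\"";

int main()
{
    // Before: the snippet keeps the page's trailing quote and is not found, so the script runs.
    // After: the snippet is cut at the first quote after the comma and is found, so it is blocked.
    bool fixed = snippetFoundInRequest(kSrcAttribute, kDecodedRequest, true);
    bool broken = snippetFoundInRequest(kSrcAttribute, kDecodedRequest, false);
    return (fixed && !broken) ? 0 : 1;
}
```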

LayoutTests/ChangeLog
LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/parser/XSSAuditor.cpp

index bf157b4..6bc3d3d 100644 (file)
@@ -1,3 +1,14 @@
+2016-09-22  Daniel Bates  <dabates@apple.com>
+
+        [XSS Auditor] Truncate data URLs at quotes
+        https://bugs.webkit.org/show_bug.cgi?id=161937
+
+        Reviewed by David Kilzer.
+
+        * http/tests/security/xssAuditor/resources/echo-property.pl:
+        * http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt: Added.
+        * http/tests/security/xssAuditor/script-tag-with-source-data-url4.html: Added.
+
 2016-09-22  Ryan Haddad  <ryanhaddad@apple.com>
 
         Marking imported/w3c/web-platform-tests/media-source/mediasource-duration.html as flaky on mac.
index c60e081..49cfab7 100755 (executable)
@@ -14,5 +14,6 @@ if ($cgi->param('clutter')) {
     print $cgi->param('clutter');
 }
 print "\">\n";
+print "<script>var y = 123;</script>";
 print "</body>\n";
 print "</html>\n";
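Review bot: The added `print "<script>var y = 123;</script>";` has no comment, and echo-property.pl lives under resources/ where other xssAuditor tests can reuse it, yet only the new test's expected output is in this patch. Please add a one-line comment explaining that the inline script supplies page content following the echoed attribute, and confirm that the other tests using this script still produce their expected output.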
diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt
new file mode 100644 (file)
index 0000000..17d7459
--- /dev/null
@@ -0,0 +1,2 @@
+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%3E%3Cscript%20src%3ddata:,alert(1)%3bhey%%22' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4.html b/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url4.html
new file mode 100644 (file)
index 0000000..0851981
--- /dev/null
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+  testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22><script src%3ddata:,alert(1)%3bhey%%22">
+</iframe>
+</body>
+</html>
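Review bot: The test body gives no hint of what the `hey%%22` tail of the query is exercising, and the expected console message alone will not tell a future reader why the page's following quote matters. A short HTML comment above the iframe describing the intent (the script src data URL should be truncated at the first quote after the comma, so the quote supplied by the page is not compared against the request) would help when this test needs maintenance.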
index 3227a8f..4e7a185 100644 (file)
@@ -1,5 +1,23 @@
 2016-09-22  Daniel Bates  <dabates@apple.com>
 
+        [XSS Auditor] Truncate data URLs at quotes
+        https://bugs.webkit.org/show_bug.cgi?id=161937
+
+        Reviewed by David Kilzer.
+
+        Merged from Blink: 
+        <https://chromium.googlesource.com/chromium/src/+/c6d6331190dd43f09459e2341c3111e796f9de12/>
+
+        Truncate a data URL at the first single or double quote character to avoid considering
+        characters that may come from the page content following an injected data URL.
+
+        Test: http/tests/security/xssAuditor/script-tag-with-source-data-url4.html
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::truncateForSrcLikeAttribute):
+
+2016-09-22  Daniel Bates  <dabates@apple.com>
+
         Remove more ENABLE(TEXT_AUTOSIZING) code
         https://bugs.webkit.org/show_bug.cgi?id=162456
 
index 022fe42..d9afff4 100644 (file)
@@ -178,11 +178,14 @@ static void truncateForSrcLikeAttribute(String& decodedSnippet)
 {
     // In HTTP URLs, characters following the first ?, #, or third slash may come from
     // the page itself and can be merely ignored by an attacker's server when a remote
-    // script or script-like resource is requested. In DATA URLS, the payload starts at
-    // the first comma, and the the first /*, //, or <!-- may introduce a comment. Characters
-    // following this may come from the page itself and may be ignored when the script is
-    // executed. For simplicity, we don't differentiate based on URL scheme, and stop at
-    // the first # or ?, the third slash, or the first slash or < once a comma is seen.
+    // script or script-like resource is requested. In data URLs, the payload starts at
+    // the first comma, and the first /*, //, or <!-- may introduce a comment. Also
+    // data URLs may use the same string literal tricks as with script content itself.
+    // In either case, content following this may come from the page and may be ignored
+    // when the script is executed.
+    // For simplicity, we don't differentiate based on URL scheme, and stop at
+    // the first # or ?, the third slash, or the first slash, <, ', or " once a comma
+    // is seen.
     int slashCount = 0;
     bool commaSeen = false;
     for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++currentLength) {
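Review bot: The revised comment still says "the third slash" while the loop (unchanged context below, `currentChar == '/' || currentChar == '\\'`) counts backslashes as slashes too, so the comment understates what the code does; consider "the third slash or backslash". The new sentence "data URLs may use the same string literal tricks as with script content itself" is also vague; stating the concrete case would help, for example: a quote in the payload can open a string literal that runs into the page's own text, so everything from that quote on may not be attacker-controlled.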
@@ -190,7 +193,9 @@ static void truncateForSrcLikeAttribute(String& decodedSnippet)
         if (currentChar == '?'
             || currentChar == '#'
             || ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++slashCount > 2))
-            || (currentChar == '<' && commaSeen)) {
+            || (currentChar == '<' && commaSeen)
+            || (currentChar == '\'' && commaSeen)
+            || (currentChar == '"' && commaSeen)) {
             decodedSnippet.truncate(currentLength);
             return;
         }
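Review bot: The three commaSeen-gated checks could be folded into one clause for readability, e.g. `|| ((currentChar == '<' || currentChar == '\'' || currentChar == '"') && commaSeen)) {`, which also makes it obvious that the quote rule, like the `<` rule, only applies to the payload after the comma and leaves the media-type portion of the data URL alone.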