XSS Auditor bypass via svg tags and xlink:href
author: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 4 Feb 2013 19:48:42 +0000 (19:48 +0000)
committer: commit-queue@webkit.org <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 4 Feb 2013 19:48:42 +0000 (19:48 +0000)
https://bugs.webkit.org/show_bug.cgi?id=84158

Source/WebCore:

This patch adds a test for the xlink:href attribute inside of
script tokens. The test is complicated by the namespacing; the
xlink hrefAttr qualified name does not contain a literal "xlink"
prefix but only the URI of the namespace.

Patch by Tom Sepez <tsepez@chromiium.org> on 2013-02-04
Reviewed by Adam Barth.

Test: http/tests/security/xssAuditor/svg-script-tag.html

* html/parser/XSSAuditor.cpp:
(WebCore::findAttributeWithName):
(WebCore::XSSAuditor::filterScriptToken):

LayoutTests:

Patch by Tom Sepez <tsepez@chromiium.org> on 2013-02-04
Reviewed by Adam Barth.

* http/tests/security/xssAuditor/svg-script-tag-expected.txt: Added.
* http/tests/security/xssAuditor/svg-script-tag.html: Added.

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@141791 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/svg-script-tag.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/parser/XSSAuditor.cpp

index b487838aaf401c6eac91e10379c9e7e3c5f3a09d..477e6cf2a5eedae958e88dc67512f500b1f4bffa 100644 (file)
@@ -1,3 +1,13 @@
+2013-02-04  Tom Sepez  <tsepez@chromiium.org>
+
+        XSS Auditor bypass via svg tags and xlink:href
+        https://bugs.webkit.org/show_bug.cgi?id=84158
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/xssAuditor/svg-script-tag-expected.txt: Added.
+        * http/tests/security/xssAuditor/svg-script-tag.html: Added.
+
 2013-02-04  Julien Chaffraix  <jchaffraix@webkit.org>
 
         [CSS Grid Layout] Add parsing for grid-auto-flow
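Review bot: the e-mail address in the new ChangeLog header line `+2013-02-04  Tom Sepez  <tsepez@chromiium.org>` is spelled `chromiium.org`; if that is not the intended address, correct it before landing, and check the matching Source/WebCore ChangeLog entry in this same patch, which uses the same spelling.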
diff --git a/LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt b/LayoutTests/http/tests/security/xssAuditor/svg-script-tag-expected.txt
new file mode 100644 (file)
index 0000000..8e1f42d
--- /dev/null
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 4: Refused to execute a JavaScript script. Source code of script found within request.
+
+
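Review bot: the expected output pins the auditor's console message to `line 4` of the echoed document, so any change to the markup emitted by `echo-intertag.pl` will make this test fail for reasons unrelated to the XSS Auditor; if the harness permits it, prefer a check that does not depend on that line number. The two trailing blank lines are what `dumpAsText()` produces for an empty body and can stay.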
diff --git a/LayoutTests/http/tests/security/xssAuditor/svg-script-tag.html b/LayoutTests/http/tests/security/xssAuditor/svg-script-tag.html
new file mode 100644 (file)
index 0000000..301704d
--- /dev/null
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.testRunner) {
+  testRunner.dumpAsText();
+  testRunner.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3csvg%3e%3cscript%20XLinK:href='data:text/html,alert(0)'%3e%3c/script%3e%3c/svg%3e">
+</iframe>
+</body>
+</html>
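Review bot: the test page carries no description of what it checks; add a short note (a `<p>` or an HTML comment) stating that a `<script>` inside `<svg>` whose `xlink:href` is reflected from the request must be blocked, so a future failure can be diagnosed without reading the bug. That note should also say that the mixed-case `XLinK:href` in the query string is deliberate, since it exercises the tokenizer's attribute-name lowercasing against the new `"xlink:" + localName` comparison rather than only the plain `xlink:href` spelling.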
index fae2d67551bdce39957876eb626eee536c7804c7..effd584bc5f7841b5b1bf1bb2c34cb7421b0087d 100644 (file)
@@ -1,3 +1,21 @@
+2013-02-04  Tom Sepez  <tsepez@chromiium.org>
+
+        XSS Auditor bypass via svg tags and xlink:href
+        https://bugs.webkit.org/show_bug.cgi?id=84158
+
+        This patch adds a test for the xlink:href attribute inside of
+        script tokens. The test is complicated by the namespacing; the
+        xlink hrefAttr qualified name does not contain a literal "xlink"
+        prefix but only the URI of the namespace.
+        
+        Reviewed by Adam Barth.
+
+        Test: http/tests/security/xssAuditor/svg-script-tag.html
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::findAttributeWithName):
+        (WebCore::XSSAuditor::filterScriptToken):
+
 2013-02-04  Eric Carlson  <eric.carlson@apple.com>
 
         Update CaptionUserPreferences
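Review bot: the line `+        ` following the description paragraph contains only trailing spaces, while the other separator lines in this ChangeLog entry are empty; strip the whitespace to keep the entry consistent with the surrounding ChangeLog style.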
index 9efa2828e49fdd5c4c9a3d0ae3f9bf35ca2206a4..7d6a7fb36e31fa3c96b6099a0e9d88fb44b9a0ca 100644 (file)
@@ -49,6 +49,7 @@
 #include "Settings.h"
 #include "TextEncoding.h"
 #include "TextResourceDecoder.h"
+#include "XLinkNames.h"
 
 #include <wtf/Functional.h>
 #include <wtf/MainThread.h>
@@ -118,8 +119,13 @@ static bool hasName(const HTMLToken& token, const QualifiedName& name)
 
 static bool findAttributeWithName(const HTMLToken& token, const QualifiedName& name, size_t& indexOfMatchingAttribute)
 {
+    String attrName = name.localName().string();
+
+    if (name.namespaceURI() == XLinkNames::xlinkNamespaceURI)
+        attrName = "xlink:" + attrName;
+
     for (size_t i = 0; i < token.attributes().size(); ++i) {
-        if (equalIgnoringNullity(token.attributes().at(i).m_name, name.localName())) {
+        if (equalIgnoringNullity(token.attributes().at(i).m_name, attrName)) {
             indexOfMatchingAttribute = i;
             return true;
         }
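Review bot: the reason for prepending the literal `xlink:` prefix lives only in the ChangeLog; add a comment above `if (name.namespaceURI() == XLinkNames::xlinkNamespaceURI)` explaining that `token.attributes()` holds the raw, lowercased attribute names from the tokenizer, which carry the `xlink:` prefix rather than the namespace URI that the `QualifiedName` stores. Note also that only the XLink namespace is special-cased here; any other namespaced `QualifiedName` passed to `findAttributeWithName` still silently falls back to matching the bare local name, which is fine for the current callers but worth stating in that comment.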
@@ -357,10 +363,13 @@ bool XSSAuditor::filterScriptToken(HTMLToken& token)
     m_cachedDecodedSnippet = decodedSnippetForName(token);
     m_shouldAllowCDATA = m_parser->tokenizer()->shouldAllowCDATA();
 
-    if (isContainedInRequest(decodedSnippetForName(token)))
-        return eraseAttributeIfInjected(token, srcAttr, blankURL().string(), SrcLikeAttribute);
+    bool didBlockScript = false;
+    if (isContainedInRequest(decodedSnippetForName(token))) {
+        didBlockScript |= eraseAttributeIfInjected(token, srcAttr, blankURL().string(), SrcLikeAttribute);
+        didBlockScript |= eraseAttributeIfInjected(token, XLinkNames::hrefAttr, blankURL().string(), SrcLikeAttribute);
+    }
 
-    return false;
+    return didBlockScript;
 }
 
 bool XSSAuditor::filterObjectToken(HTMLToken& token)
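Review bot: replacing the early `return` with the accumulated `didBlockScript` is right, because it lets both `srcAttr` and `XLinkNames::hrefAttr` be examined on the same token instead of stopping after `src`; since `|=` on `bool` does not short-circuit, the second `eraseAttributeIfInjected` call runs even when the first one already blocked, which is the intended behaviour but deserves a one-line comment so it is not later rewritten as `||`. Both erasures replace the attribute with `blankURL().string()` and use `SrcLikeAttribute`, so the reporting path for the new attribute matches the existing `src` handling.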