2009-09-16 Daniel Bates <dbates@webkit.org>
author abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 17 Sep 2009 06:45:17 +0000 (06:45 +0000)
committer abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Thu, 17 Sep 2009 06:45:17 +0000 (06:45 +0000)
        Reviewed by Darin Adler.

        https://bugs.webkit.org/show_bug.cgi?id=29306

        Tests that scripts with accented characters do not bypass the XSSAuditor.

        * http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt: Added.
        * http/tests/security/xssAuditor/img-onerror-accented-char.html: Added.
2009-09-16  Daniel Bates  <dbates@webkit.org>

        Reviewed by Darin Adler.

        https://bugs.webkit.org/show_bug.cgi?id=29306

        Fixes an issue where an attack that contains accented characters can
        bypass the XSSAuditor.

        XSSAuditor::decodeURL used the wrong length for the input string.
        When the input string was decoded, the decoded result was truncated.
        Hence, XSSAuditor was comparing the source code of the script to the
        truncated input parameters.

        Test: http/tests/security/xssAuditor/img-onerror-accented-char.html

        * page/XSSAuditor.cpp:
        (WebCore::XSSAuditor::decodeURL):

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@48458 268f45cc-cd09-0410-ab3c-d52691b4dbfc
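The length mismatch the commit message describes, worked as a stand-alone C++ illustration. This is an added example, not WebKit code: `std::u16string` stands in for `WebCore::String` (whose `length()` counts UTF-16 code units), `std::string` for `CString` (whose `length()` counts bytes), and `decodeUtf8()` for `encoding.decode()`; the parameter and script strings are constructed from the test page in this commit. `decodeWithUtf16Length()` reproduces the pre-fix call, `decodeWithByteLength()` the fixed one.

```cpp
#include <cstddef>
#include <string>

// Constructed sample input: the echoed parameter from the regression test and
// the inline script the auditor is looking for within it.
const std::u16string kParam = u"<img src=\u00e4 onerror=alert('\u00e4')>";
const std::u16string kScript = u"alert('\u00e4')";

// Encode BMP code points from UTF-16 to UTF-8 (surrogate pairs are not needed here).
std::string utf16ToUtf8(const std::u16string& s)
{
    std::string out;
    for (char16_t c : s) {
        if (c < 0x80)
            out += static_cast<char>(c);
        else if (c < 0x800) {
            out += static_cast<char>(0xC0 | (c >> 6));
            out += static_cast<char>(0x80 | (c & 0x3F));
        } else {
            out += static_cast<char>(0xE0 | (c >> 12));
            out += static_cast<char>(0x80 | ((c >> 6) & 0x3F));
            out += static_cast<char>(0x80 | (c & 0x3F));
        }
    }
    return out;
}

// Stand-in for encoding.decode(): interprets exactly `length` bytes as UTF-8.
// Like a real decoder it only sees the bytes it is told about; a multi-byte
// sequence cut off by `length` is dropped, which is what makes truncation visible.
std::u16string decodeUtf8(const char* bytes, size_t length)
{
    std::u16string out;
    size_t i = 0;
    while (i < length) {
        unsigned char b = static_cast<unsigned char>(bytes[i]);
        size_t need = b < 0x80 ? 1 : ((b & 0xE0) == 0xC0 ? 2 : 3);
        if (i + need > length)
            break; // incomplete sequence at the end of the buffer
        char16_t cp;
        if (need == 1)
            cp = b;
        else if (need == 2)
            cp = static_cast<char16_t>(((b & 0x1F) << 6) | (bytes[i + 1] & 0x3F));
        else
            cp = static_cast<char16_t>(((b & 0x0F) << 12) | ((bytes[i + 1] & 0x3F) << 6) | (bytes[i + 2] & 0x3F));
        out += cp;
        i += need;
    }
    return out;
}

// Pre-fix shape: UTF-8 byte buffer paired with the UTF-16 code-unit count.
// Every non-ASCII character makes the decoder under-read the buffer.
std::u16string decodeWithUtf16Length(const std::u16string& result)
{
    std::string utf8 = utf16ToUtf8(result);
    return decodeUtf8(utf8.data(), result.length());
}

// Fixed shape: the byte buffer is paired with its own byte count.
std::u16string decodeWithByteLength(const std::u16string& result)
{
    std::string utf8 = utf16ToUtf8(result);
    return decodeUtf8(utf8.data(), utf8.length());
}

// The auditor's check in spirit: is the script source found within the decoded request parameter?
bool scriptFoundInRequest(const std::u16string& decodedParam, const std::u16string& script)
{
    return decodedParam.find(script) != std::u16string::npos;
}

int main()
{
    // With the code-unit count the decoded parameter loses its tail, the script
    // is not found, and the auditor would let the injection through.
    bool before = scriptFoundInRequest(decodeWithUtf16Length(kParam), kScript);
    // With the byte count the full parameter is decoded and the script is found.
    bool after = scriptFoundInRequest(decodeWithByteLength(kParam), kScript);
    return (!before && after) ? 0 : 1;
}
```

The two accented characters cost two extra bytes in UTF-8, so the old call read 30 bytes of a 32-byte buffer and the decoded parameter ended at `alert('ä'`, one character short of the script source; with characters outside Latin-1 the gap, and the truncation, grows.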

LayoutTests/ChangeLog
LayoutTests/http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/img-onerror-accented-char.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/page/XSSAuditor.cpp

index 50a771eca87184ed040d92f6e4c09a97c942bb19..028f2b619dc461128503e582765b247cb9dc0dc0 100644 (file)
@@ -1,3 +1,14 @@
+2009-09-16  Daniel Bates  <dbates@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=29306
+        
+        Tests that scripts with accented characters do not bypass the XSSAuditor.
+
+        * http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt: Added.
+        * http/tests/security/xssAuditor/img-onerror-accented-char.html: Added.
+
 2009-09-16  Adam Barth  <abarth@webkit.org>
 
         Unreviewed.  Added new isolated world test to the skipped list.
diff --git a/LayoutTests/http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt b/LayoutTests/http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt
new file mode 100644 (file)
index 0000000..513e2f8
--- /dev/null
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/img-onerror-accented-char.html b/LayoutTests/http/tests/security/xssAuditor/img-onerror-accented-char.html
new file mode 100644 (file)
index 0000000..fcfcd6f
--- /dev/null
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=<img%20src=ä%20onerror=alert(%27ä%27)>">
+</iframe>
+</body>
+</html>
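Review bot: the test page declares no character encoding, so the bytes that `ä` in `<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=<img%20src=ä%20onerror=alert(%27ä%27)>">` is turned into on the wire depend on the harness's default encoding rather than on the file; adding `<meta charset="utf-8">` to the head would pin the bytes the auditor sees and keep the regression test deterministic. Since the fix concerns the gap between byte length and UTF-16 code-unit length, a second case using a character that needs three UTF-8 bytes would also exercise the wider gap.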
index 95bd23211101284c1b2f2fd0764ff8d53e815d2b..8a278ce4c2360663dfcc6fd42899412677474a24 100644 (file)
@@ -1,3 +1,22 @@
+2009-09-16  Daniel Bates  <dbates@webkit.org>
+
+        Reviewed by Darin Adler.
+
+        https://bugs.webkit.org/show_bug.cgi?id=29306
+        
+        Fixes an issue where an attack that contains accented characters can
+        bypass the XSSAuditor.
+        
+        XSSAuditor::decodeURL used the wrong length for the input string. 
+        When the input string was decoded, the decoded result was truncated.
+        Hence, XSSAuditor was comparing the source code of the script to the 
+        truncated input parameters.
+
+        Test: http/tests/security/xssAuditor/img-onerror-accented-char.html
+
+        * page/XSSAuditor.cpp:
+        (WebCore::XSSAuditor::decodeURL):
+
 2009-09-16  Brady Eidson  <beidson@apple.com>
 
         Reviewed by Sam Weinig.
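Review bot: several added lines in this entry carry trailing whitespace (the blank lines after the bug URL and after `bypass the XSSAuditor.`, and the ends of `XSSAuditor::decodeURL used the wrong length for the input string. ` and `Hence, XSSAuditor was comparing the source code of the script to the `); strip it so the ChangeLog matches the surrounding entries.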
index c33cbe410e70135da08b27c8b99743c335c282ab..df627d341ce1ec8b7281c4b7f7f4b36a2e84e5e2 100644 (file)
@@ -175,7 +175,8 @@ String XSSAuditor::decodeURL(const String& string, const TextEncoding& encoding,
 
     url.replace('+', ' ');
     result = decodeURLEscapeSequences(url);
-    String decodedResult = encoding.decode(result.utf8().data(), result.length());
+    CString utf8Url = result.utf8();
+    String decodedResult = encoding.decode(utf8Url.data(), utf8Url.length());
     if (!decodedResult.isEmpty())
         result = decodedResult;
     if (decodeEntities)
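Review bot: the fix is correct in binding `result.utf8()` to a local and passing `utf8Url.length()`: `result.length()` counts UTF-16 code units while the buffer handed to `encoding.decode()` is UTF-8 bytes, so the previous call under-read the buffer by at least one byte per non-ASCII character and truncated the decoded result. A one-line comment at `CString utf8Url = result.utf8();` stating that the decoder needs the byte length would keep a later refactor from folding this back into a temporary with the wrong length. Separately, the unchanged `if (!decodedResult.isEmpty())` fallback means that when decoding yields nothing the auditor silently compares against the percent-decoded but not charset-decoded `result`; that behaviour is worth a second look in a follow-up.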