+2012-03-22 Tom Sepez <tsepez@chromium.org>
+
+ XSS Auditor bypass via script tag src=data:, URLS.
+ https://bugs.webkit.org/show_bug.cgi?id=81948
+
+ Reviewed by Adam Barth.
+
+ Add a test that data: URLs can't bypass xssauditor with trailing comments.
+
+ * http/tests/security/xssAuditor/script-tag-with-source-data-url2-expected.txt: Added.
+ * http/tests/security/xssAuditor/script-tag-with-source-data-url2.html: Added.
+
2012-03-22 Dave Tharp <dtharp@codeaurora.org>
QT 4.8 soft hyphen bug has no failing test case
+2012-03-22 Tom Sepez <tsepez@chromium.org>
+
+ XSS Auditor bypass via script tag src=data:, URLS.
+ https://bugs.webkit.org/show_bug.cgi?id=81948
+
+ Reviewed by Adam Barth.
+
+ This change fixes an XSSAuditor bypass wherby a script with a data: URL src
+ attribute could evade detection by using characters from the page to create
+ a snippet for matching not found in the URL's reflected vector. This change
+ terminates the snippet for matching earlier in these cases.
+
+ Test: http/tests/security/xssAuditor/script-tag-with-source-data-url2.html
+
+ * html/parser/XSSAuditor.cpp:
+ (WebCore::XSSAuditor::decodedSnippetForAttribute):
+
2012-03-22 Dana Jansens <danakj@chromium.org>
[chromium] Incorrect assert on animating opacity for a surface
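Review bot: Typo in the description line "This change fixes an XSSAuditor bypass wherby a script with a data: URL src": "wherby" should be "whereby". The phrase "not found in the URL's reflected vector" is also hard to parse for someone reading the ChangeLog later; suggest stating the mechanism directly, e.g. "the snippet used for matching contained page-supplied characters that never appear in the reflected request URL, so no match was found", which is what the code change below addresses.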
String decodedSnippet = fullyDecodeString(m_parser->sourceForToken(token).substring(start, end - start), m_parser->document()->decoder());
decodedSnippet.truncate(kMaximumFragmentLengthTarget);
if (treatment == SrcLikeAttribute) {
- int slashCount;
- size_t currentLength;
- // Characters following the first ?, #, or third slash may come from
- // the page itself and can be merely ignored by an attacker's server
- // when a remote script or script-like resource is requested.
- for (slashCount = 0, currentLength = 0; currentLength < decodedSnippet.length(); ++currentLength) {
- if (decodedSnippet[currentLength] == '?' || decodedSnippet[currentLength] == '#'
- || ((decodedSnippet[currentLength] == '/' || decodedSnippet[currentLength] == '\\') && ++slashCount > 2)) {
+ int slashCount = 0;
+ bool commaSeen = false;
+ // In HTTP URLs, characters following the first ?, #, or third slash may come from
+ // the page itself and can be merely ignored by an attacker's server when a remote
+ // script or script-like resource is requested. In DATA URLS, the payload starts at
+ // the first comma, and the the first /* or // may introduce a comment. Characters
+ // following this may come from the page itself and may be ignored when the script is
+ // executed. For simplicity, we don't differentiate based on URL scheme, and stop at
+ // the first # or ?, the third slash, or the first slash once a comma is seen.
+ for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++currentLength) {
+ UChar currentChar = decodedSnippet[currentLength];
+ if (currentChar == '?' || currentChar == '#' || ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++slashCount > 2))) {
decodedSnippet.truncate(currentLength);
break;
}
+ if (currentChar == ',')
+ commaSeen = true;
}
}
return decodedSnippet;
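Review bot: The new comment and the new condition disagree about when a data: payload is cut off. The comment says "the the first /* or // may introduce a comment", i.e. a comment opener, but the condition `(commaSeen || ++slashCount > 2)` truncates at the first single `/` or `\` after a comma, so a lone slash in the payload (a division operator, a regex literal, a path inside a string) also ends the snippet. Truncating earlier is the conservative direction here, because a shorter snippet is at least as likely to be found in the reflected URL, but the comment should say "the first slash or backslash once a comma is seen" (which the last sentence of the comment already does) rather than "/* or //", so that a later reader does not "fix" the code to match the wrong sentence. Two smaller points in the same comment block: "the the first" has a doubled word, and "DATA URLS" should read "data: URLs" to match "HTTP URLs" on the line above. Finally, since the comment acknowledges that the rule is not scheme-specific, it is worth one sentence in the ChangeLog that an http(s) URL containing a comma before its third slash will now be truncated at the next slash rather than the third one; that only shortens the fragment used for matching, but it is a behaviour change for non-data: URLs.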