2011-02-04 Adam Barth <abarth@webkit.org>
author abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 5 Feb 2011 05:17:30 +0000 (05:17 +0000)
committer abarth@webkit.org <abarth@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Sat, 5 Feb 2011 05:17:30 +0000 (05:17 +0000)
        Reviewed by Maciej Stachowiak.

        Crash in WebCore::TextEncoding::decode below XSSFilter::init
        https://bugs.webkit.org/show_bug.cgi?id=53837

        Test that we can successfully execute a JavaScript URL when it isn't
        blocked by the filter.

        * http/tests/security/xssAuditor/non-block-javascript-url-frame-expected.txt: Added.
        * http/tests/security/xssAuditor/non-block-javascript-url-frame.html: Added.
2011-02-04  Adam Barth  <abarth@webkit.org>

        Reviewed by Maciej Stachowiak.

        Crash in WebCore::TextEncoding::decode below XSSFilter::init
        https://bugs.webkit.org/show_bug.cgi?id=53837

        Add missing null check.

        Test: http/tests/security/xssAuditor/non-block-javascript-url-frame.html

        * html/parser/XSSFilter.cpp:
        (WebCore::XSSFilter::init):

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77730 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog
LayoutTests/http/tests/security/xssAuditor/non-block-javascript-url-frame-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/non-block-javascript-url-frame.html [new file with mode: 0644]
Source/WebCore/ChangeLog
Source/WebCore/html/parser/XSSFilter.cpp

index f605776e39948a30759ba686983a2b50d62f31bc..061fb9ad7549988ed695002355e152abf68dbd5a 100644 (file)
@@ -1,3 +1,16 @@
+2011-02-04  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Maciej Stachowiak.
+
+        Crash in WebCore::TextEncoding::decode below XSSFilter::init
+        https://bugs.webkit.org/show_bug.cgi?id=53837
+
+        Test that we can successfully execute a JavaScript URL when it isn't
+        blocked by the filter.
+
+        * http/tests/security/xssAuditor/non-block-javascript-url-frame-expected.txt: Added.
+        * http/tests/security/xssAuditor/non-block-javascript-url-frame.html: Added.
+
 2011-02-04  Maciej Stachowiak  <mjs@apple.com>
 
         Reviewed by Adam Barth.
diff --git a/LayoutTests/http/tests/security/xssAuditor/non-block-javascript-url-frame-expected.txt b/LayoutTests/http/tests/security/xssAuditor/non-block-javascript-url-frame-expected.txt
new file mode 100644 (file)
index 0000000..e8c22b8
--- /dev/null
@@ -0,0 +1,6 @@
+
+
+--------
+Frame: '<!--framePath //<!--frame0-->-->'
+--------
+PASS
diff --git a/LayoutTests/http/tests/security/xssAuditor/non-block-javascript-url-frame.html b/LayoutTests/http/tests/security/xssAuditor/non-block-javascript-url-frame.html
new file mode 100644 (file)
index 0000000..4bb53e9
--- /dev/null
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.setXSSAuditorEnabled(true);
+  layoutTestController.dumpChildFramesAsText();
+}
+</script>
+</head>
+<body>
+<iframe src="javascript:'PASS'"></iframe>
+</body>
+</html>
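Review bot: this test passes as long as the frame loads and prints PASS (`<iframe src="javascript:'PASS'"></iframe>`); nothing in the frame content matches anything in the URL, so it would also pass if `layoutTestController.setXSSAuditorEnabled(true)` were ignored or the filter stayed disabled. That makes it a crash regression test for bug 53837 rather than evidence that the auditor still filters a document without a decoder. Consider a companion case in which the javascript: URL evaluates to markup containing a script the auditor is expected to block, so that the null-decoder fallback in XSSFilter::init is shown to keep filtering; a one-line comment naming https://bugs.webkit.org/show_bug.cgi?id=53837 would also make the purpose of the javascript: URL frame discoverable from the test file itself.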
index a56007c3bfc0f0a0b976cd2332d753b77104c45c..cfa606c2995b84feda5f08aa69b7bd354bb2325b 100644 (file)
@@ -1,3 +1,17 @@
+2011-02-04  Adam Barth  <abarth@webkit.org>
+
+        Reviewed by Maciej Stachowiak.
+
+        Crash in WebCore::TextEncoding::decode below XSSFilter::init
+        https://bugs.webkit.org/show_bug.cgi?id=53837
+
+        Add missing null check.
+
+        Test: http/tests/security/xssAuditor/non-block-javascript-url-frame.html
+
+        * html/parser/XSSFilter.cpp:
+        (WebCore::XSSFilter::init):
+
 2011-02-04  Simon Fraser  <simon.fraser@apple.com>
 
         Reviewed by Dan Bernstein.
index a70574f7b2020186746e4a1ed9d922ae5d334dd3..de31f76334ca0b3a479ff13681fc5378c3e7ee7f 100644 (file)
@@ -156,13 +156,15 @@ void XSSFilter::init()
         return;
     }
 
-    const TextEncoding& encoding = m_parser->document()->decoder()->encoding();
     const KURL& url = m_parser->document()->url();
+
     if (url.protocolIsData()) {
         m_isEnabled = false;
         return;
     }
-    m_decodedURL = decodeURL(url.string(), encoding);
+
+    TextResourceDecoder* decoder = m_parser->document()->decoder();
+    m_decodedURL = decoder ? decodeURL(url.string(), decoder->encoding()) : url.string();
     if (m_decodedURL.find(isRequiredForInjection, 0) == notFound)
         m_decodedURL = String();
 
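Review bot: the null fallback in `m_decodedURL = decoder ? decodeURL(url.string(), decoder->encoding()) : url.string();` stores the raw URL with no percent-decoding, so a decoder-less document is checked against the undecoded URL while every other document is checked against the decoded one; the following `m_decodedURL.find(isRequiredForInjection, 0)` then runs on the raw string, so percent-encoded injection characters would not be found and `m_decodedURL` would be cleared. If a null decoder is only reachable for cases such as the javascript: URL frame in the test, where this is acceptable, a comment saying so would help the next reader; otherwise decoding with a default encoding (UTF-8, for example) keeps the two paths consistent rather than silently weakening the check for one of them.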
@@ -172,7 +174,8 @@ void XSSFilter::init()
 
         FormData* httpBody = documentLoader->originalRequest().httpBody();
         if (httpBody && !httpBody->isEmpty()) {
-            m_decodedHTTPBody = decodeURL(httpBody->flattenToString(), encoding);
+            String httpBodyAsString = httpBody->flattenToString();
+            m_decodedHTTPBody = decoder ? decodeURL(httpBodyAsString, decoder->encoding()) : httpBodyAsString;
             if (m_decodedHTTPBody.find(isRequiredForInjection, 0) == notFound)
                 m_decodedHTTPBody = String();
             if (m_decodedHTTPBody.length() >= miniumLengthForSuffixTree)
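Review bot: the `decoder ? decodeURL(...) : <raw string>` ternary now appears twice in init() (`m_decodedHTTPBody = decoder ? decodeURL(httpBodyAsString, decoder->encoding()) : httpBodyAsString;` here and the URL case above); a small static helper taking the string and the possibly-null decoder would keep the null handling in one place so the two sites cannot drift. As with the URL, a null decoder leaves the body undecoded before the `isRequiredForInjection` scan, which matters more for a form body, where percent-encoding of the submitted fields is the norm rather than the exception.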