Title: [107967] trunk
- Revision
- 107967
- Author
- tse...@chromium.org
- Date
- 2012-02-16 12:30:09 -0800 (Thu, 16 Feb 2012)
Log Message
XSS Auditor bypass with U+2028/2029
https://bugs.webkit.org/show_bug.cgi?id=78732
Reviewed by Adam Barth.
Source/WebCore:
Test: http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028.html
* html/parser/XSSAuditor.cpp:
(WebCore::isJSNewline):
(WebCore::XSSAuditor::snippetForJavaScript):
LayoutTests:
* http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028.html: Added.
Diff
Modified: trunk/LayoutTests/ChangeLog (107966 => 107967)
--- trunk/LayoutTests/ChangeLog 2012-02-16 20:19:57 UTC (rev 107966)
+++ trunk/LayoutTests/ChangeLog 2012-02-16 20:30:09 UTC (rev 107967)
@@ -1,3 +1,13 @@
+2012-02-16 Tom Sepez <tse...@chromium.org>
+
+ XSS Auditor bypass with U+2028/2029
+ https://bugs.webkit.org/show_bug.cgi?id=78732
+
+ Reviewed by Adam Barth.
+
+ * http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt: Added.
+ * http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028.html: Added.
+
2012-02-16 Abhishek Arya <infe...@chromium.org>
Fix clone() function to handle descendant classes of RenderBlock.
Added: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt (0 => 107967)
--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028-expected.txt 2012-02-16 20:30:09 UTC (rev 107967)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Refused to execute a _javascript_ script. Source code of script found within request.
+
+
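Review bot: the expected console line reads `Refused to execute a _javascript_ script.` with `_javascript_` where the auditor's message would say JavaScript; if that is archive mangling of the mail it is harmless, but the checked-in expectation must match the console message the auditor actually emits character for character, or this test fails for reasons unrelated to U+2028/U+2029.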
Added: trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028.html (0 => 107967)
--- trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028.html (rev 0)
+++ trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028.html 2012-02-16 20:30:09 UTC (rev 107967)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src=""
+</iframe>
+</body>
+</html>
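Review bot: the `<iframe src=""` line in this hunk is not closed (there is no `>` before `</iframe>`) and its `src` is empty, so as displayed the test loads nothing and would not exercise a script whose trailing single-line comment ends in U+2028/U+2029. If the archive stripped the URL, confirm the committed file carries the complete iframe tag, and consider adding a short comment in the test describing what the loaded resource echoes back, so the expected "Refused to execute" message is tied to the line-terminator case rather than to a blank load.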
Modified: trunk/Source/WebCore/ChangeLog (107966 => 107967)
--- trunk/Source/WebCore/ChangeLog 2012-02-16 20:19:57 UTC (rev 107966)
+++ trunk/Source/WebCore/ChangeLog 2012-02-16 20:30:09 UTC (rev 107967)
@@ -1,3 +1,16 @@
+2012-02-16 Tom Sepez <tse...@chromium.org>
+
+ XSS Auditor bypass with U+2028/2029
+ https://bugs.webkit.org/show_bug.cgi?id=78732
+
+ Reviewed by Adam Barth.
+
+ Test: http/tests/security/xssAuditor/script-tag-with-trailing-comment-U2028.html
+
+ * html/parser/XSSAuditor.cpp:
+ (WebCore::isJSNewline):
+ (WebCore::XSSAuditor::snippetForJavaScript):
+
2012-02-15 Mark Rowe <mr...@apple.com>
NPN_GetValueForURL / NPNURLVProxy returns DIRECT when proxy configured via PAC
Modified: trunk/Source/WebCore/html/parser/XSSAuditor.cpp (107966 => 107967)
--- trunk/Source/WebCore/html/parser/XSSAuditor.cpp 2012-02-16 20:19:57 UTC (rev 107966)
+++ trunk/Source/WebCore/html/parser/XSSAuditor.cpp 2012-02-16 20:30:09 UTC (rev 107967)
@@ -81,9 +81,10 @@
return (c == '"' || c == '\'');
}
-static bool isHTMLNewline(UChar c)
+static bool isJSNewline(UChar c)
{
- return (c == '\n' || c == '\r');
+ // Per ecma-262 section 7.3 Line Terminators.
+ return (c == '\n' || c == '\r' || c == 0x2028 || c == 0x2029);
}
static bool startsHTMLEndTagAt(const String& string, size_t start)
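Review bot: the comment `// Per ecma-262 section 7.3 Line Terminators.` would be clearer if it named the four code points it covers (LF, CR, U+2028 LINE SEPARATOR, U+2029 PARAGRAPH SEPARATOR), since the hex literals alone do not explain why these two non-ASCII characters end a `//` comment. Also, because `isHTMLNewline` is renamed rather than kept alongside `isJSNewline`, any caller outside the two hunks shown would no longer compile; the diff cannot confirm there are none, so worth a quick check.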
@@ -603,7 +604,7 @@
while (startPosition < endPosition && isHTMLSpace(string[startPosition]))
startPosition++;
if (startsHTMLCommentAt(string, startPosition) || startsSingleLineCommentAt(string, startPosition)) {
- while (startPosition < endPosition && !isHTMLNewline(string[startPosition]))
+ while (startPosition < endPosition && !isJSNewline(string[startPosition]))
startPosition++;
} else if (startsMultiLineCommentAt(string, startPosition)) {
if ((foundPosition = string.find("*/", startPosition)) != notFound)
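Review bot: after the rewritten loop, `startPosition` stops on the terminator itself, and the whitespace-skipping loop just above it only advances over `isHTMLSpace` characters, which do not include U+2028/U+2029; so a snippet that follows a single-line comment ended by one of them will begin with that character rather than with the next token, unlike the `\n`/`\r` case. Whether that is harmless depends on how the snippet is later matched against the request; if an exact match is intended, consider advancing past the terminator (or extending the space check) so both newline kinds yield the same snippet shape.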
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes