Title: [124108] branches/safari-536.26-branch
- Revision: 124108
- Author: lforsch...@apple.com
- Date: 2012-07-30 16:06:57 -0700 (Mon, 30 Jul 2012)
Log Message
Merged r119184. <rdar://problem/11942161>
Diff
Modified: branches/safari-536.26-branch/LayoutTests/ChangeLog (124107 => 124108)
--- branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-07-30 22:45:21 UTC (rev 124107)
+++ branches/safari-536.26-branch/LayoutTests/ChangeLog 2012-07-30 23:06:57 UTC (rev 124108)
@@ -1,5 +1,21 @@
2012-07-30 Lucas Forschler <lforsch...@apple.com>
+ Merge 119184
+
+ 2012-05-31 Tom Sepez <tse...@chromium.org>
+
+ XSSAuditor bypass with leading /*///*/ comment
+ https://bugs.webkit.org/show_bug.cgi?id=88002
+
+ Reviewed by Adam Barth.
+
+ Fixes issue in xssauditor's parsing of /*/.
+
+ * http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt: Added.
+ * http/tests/security/xssAuditor/script-tag-with-trailing-comment4.html: Added.
+
+2012-07-30 Lucas Forschler <lforsch...@apple.com>
+
Merge 118478 (required 118143)
2012-05-24 Dominic Mazzoni <dmazz...@google.com>
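Review bot: The merged entry's title says "leading /*///*/ comment" while both files it lists are named script-tag-with-trailing-comment4, so the entry reads as if it covers a different case from the tests it adds. A short clause in the entry saying that the comment4 test is the one carrying the `/*///*/` sequence would make the ChangeLog searchable by either term.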
Copied: branches/safari-536.26-branch/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt (from rev 119184, trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt) (0 => 124108)
--- branches/safari-536.26-branch/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment4-expected.txt 2012-07-30 23:06:57 UTC (rev 124108)
@@ -0,0 +1,3 @@
+CONSOLE MESSAGE: Refused to execute a _javascript_ script. Source code of script found within request.
+
+
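Review bot: The expected console line spells the language as `_javascript_` with surrounding underscores, which will only match if the auditor emits exactly that text. Please confirm the string against the actual console output of the test run, since a mismatch here makes the new test fail for a reason unrelated to the fix.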
Copied: branches/safari-536.26-branch/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment4.html (from rev 119184, trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment4.html) (0 => 124108)
--- branches/safari-536.26-branch/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment4.html (rev 0)
+++ branches/safari-536.26-branch/LayoutTests/http/tests/security/xssAuditor/script-tag-with-trailing-comment4.html 2012-07-30 23:06:57 UTC (rev 124108)
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src=""
+</iframe>
+</body>
+</html>
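Review bot: The `<iframe src=""` line has an empty `src` and no closing `>` before `</iframe>`, so as shown the test loads no request containing the `/*///*/` sequence and cannot exercise the code path changed in XSSAuditor.cpp. The frame URL that reflects the script should be restored, and the opening tag closed, so that the expected "Refused to execute" message comes from the case this merge fixes.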
Modified: branches/safari-536.26-branch/Source/WebCore/ChangeLog (124107 => 124108)
--- branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-07-30 22:45:21 UTC (rev 124107)
+++ branches/safari-536.26-branch/Source/WebCore/ChangeLog 2012-07-30 23:06:57 UTC (rev 124108)
@@ -1,5 +1,23 @@
2012-07-30 Lucas Forschler <lforsch...@apple.com>
+ Merge 119184
+
+ 2012-05-31 Tom Sepez <tse...@chromium.org>
+
+ XSSAuditor bypass with leading /*///*/ comment
+ https://bugs.webkit.org/show_bug.cgi?id=88002
+
+ Reviewed by Adam Barth.
+
+ Fixes issue in xssauditor's parsing of /*/.
+
+ Test: http/tests/security/xssAuditor/script-tag-with-trailing-comment4.html
+
+ * html/parser/XSSAuditor.cpp:
+ (WebCore::XSSAuditor::decodedSnippetForJavaScript):
+
+2012-07-30 Lucas Forschler <lforsch...@apple.com>
+
Merge 118542
2012-05-25 Ken Buchanan <ke...@chromium.org>
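Review bot: "Fixes issue in xssauditor's parsing of /*/." does not say what the issue was, so a reader of the ChangeLog cannot tell why `decodedSnippetForJavaScript` changed. One sentence would do, for example that the search for the closing `*/` started at the comment opener itself and could match the `*` of `/*` followed by the next `/`.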
Modified: branches/safari-536.26-branch/Source/WebCore/html/parser/XSSAuditor.cpp (124107 => 124108)
--- branches/safari-536.26-branch/Source/WebCore/html/parser/XSSAuditor.cpp 2012-07-30 22:45:21 UTC (rev 124107)
+++ branches/safari-536.26-branch/Source/WebCore/html/parser/XSSAuditor.cpp 2012-07-30 23:06:57 UTC (rev 124108)
@@ -557,7 +557,7 @@
while (startPosition < endPosition && !isJSNewline(string[startPosition]))
startPosition++;
} else if (startsMultiLineCommentAt(string, startPosition)) {
- if ((foundPosition = string.find("*/", startPosition)) != notFound)
+ if (startPosition + 2 < endPosition && (foundPosition = string.find("*/", startPosition + 2)) != notFound)
startPosition = foundPosition + 2;
else
startPosition = endPosition;
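Review bot: On the changed line, `string.find("*/", startPosition + 2)` searches to the end of `string` rather than to `endPosition`, so a `*/` found past `endPosition` would set `startPosition = foundPosition + 2` beyond the bound that the `while` loop above and the `else` branch both respect. If `endPosition` can be shorter than the string, also require `foundPosition + 2 <= endPosition` before taking the first branch; if the two are always equal, a brief comment saying so would settle it. A one-line comment that the `+ 2` skips the opening `/*` so that its `*` cannot pair with the following `/` (the `/*/` case) would also keep the intent from being lost in a later cleanup.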
_______________________________________________
webkit-changes mailing list
webkit-changes@lists.webkit.org
http://lists.webkit.org/mailman/listinfo/webkit-changes