Changeset 108551 in webkit

Timestamp:

Feb 22, 2012 2:21:14 PM (12 years ago)

Author:

tsepez@chromium.org

Message:

XSSAuditor bypass with <svg> tags and html-entities.
​https://bugs.webkit.org/show_bug.cgi?id=78836

Reviewed by Adam Barth.

Source/WebCore:

Tests: http/tests/security/xssAuditor/iframe-onload-in-svg-tag.html

http/tests/security/xssAuditor/script-tag-inside-svg-tag.html
http/tests/security/xssAuditor/script-tag-inside-svg-tag2.html
http/tests/security/xssAuditor/script-tag-inside-svg-tag3.html

• html/parser/XSSAuditor.cpp:

(WebCore::isNonCanonicalCharacter):
(WebCore::isTerminatingCharacter):
(WebCore):
(WebCore::startsHTMLCommentAt):
(WebCore::startsSingleLineCommentAt):
(WebCore::fullyDecodeString):
(WebCore::XSSAuditor::XSSAuditor):
(WebCore::XSSAuditor::init):
(WebCore::XSSAuditor::filterToken):
(WebCore::XSSAuditor::filterStartToken):
(WebCore::XSSAuditor::filterEndToken):
(WebCore::XSSAuditor::filterCharacterToken):
(WebCore::XSSAuditor::filterScriptToken):
(WebCore::XSSAuditor::filterObjectToken):
(WebCore::XSSAuditor::filterParamToken):
(WebCore::XSSAuditor::filterEmbedToken):
(WebCore::XSSAuditor::filterAppletToken):
(WebCore::XSSAuditor::filterIframeToken):
(WebCore::XSSAuditor::filterMetaToken):
(WebCore::XSSAuditor::filterBaseToken):
(WebCore::XSSAuditor::filterFormToken):
(WebCore::XSSAuditor::decodedSnippetForAttribute):
(WebCore::XSSAuditor::snippetForJavaScript):

• html/parser/XSSAuditor.h:

(XSSAuditor):

LayoutTests:

• http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt: Added.
• http/tests/security/xssAuditor/iframe-onload-in-svg-tag.html: Added.
• http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt: Added.
• http/tests/security/xssAuditor/script-tag-inside-svg-tag.html: Added.
• http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt: Added.
• http/tests/security/xssAuditor/script-tag-inside-svg-tag2.html: Added.
• http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt: Added.
• http/tests/security/xssAuditor/script-tag-inside-svg-tag3.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/iframe-onload-in-svg-tag.html (added)
• LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag.html (added)
• LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag2.html (added)
• LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/script-tag-inside-svg-tag3.html (added)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/html/parser/XSSAuditor.cpp (modified) (26 diffs)
• Source/WebCore/html/parser/XSSAuditor.h (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2012-02-22  Tom Sepez  <tsepez@chromium.org>
+
+        XSSAuditor bypass with <svg> tags and html-entities.
+        https://bugs.webkit.org/show_bug.cgi?id=78836
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/xssAuditor/iframe-onload-in-svg-tag-expected.txt: Added.
+        * http/tests/security/xssAuditor/iframe-onload-in-svg-tag.html: Added.
+        * http/tests/security/xssAuditor/script-tag-inside-svg-tag-expected.txt: Added.
+        * http/tests/security/xssAuditor/script-tag-inside-svg-tag.html: Added.
+        * http/tests/security/xssAuditor/script-tag-inside-svg-tag2-expected.txt: Added.
+        * http/tests/security/xssAuditor/script-tag-inside-svg-tag2.html: Added.
+        * http/tests/security/xssAuditor/script-tag-inside-svg-tag3-expected.txt: Added.
+        * http/tests/security/xssAuditor/script-tag-inside-svg-tag3.html: Added.
+
 2012-02-22  Ken Buchanan  <kenrb@chromium.org>
 

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2012-02-22  Tom Sepez  <tsepez@chromium.org>
+
+        XSSAuditor bypass with <svg> tags and html-entities.
+        https://bugs.webkit.org/show_bug.cgi?id=78836
+
+        Reviewed by Adam Barth.
+
+        Tests: http/tests/security/xssAuditor/iframe-onload-in-svg-tag.html
+               http/tests/security/xssAuditor/script-tag-inside-svg-tag.html
+               http/tests/security/xssAuditor/script-tag-inside-svg-tag2.html
+               http/tests/security/xssAuditor/script-tag-inside-svg-tag3.html
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::isNonCanonicalCharacter):
+        (WebCore::isTerminatingCharacter):
+        (WebCore):
+        (WebCore::startsHTMLCommentAt):
+        (WebCore::startsSingleLineCommentAt):
+        (WebCore::fullyDecodeString):
+        (WebCore::XSSAuditor::XSSAuditor):
+        (WebCore::XSSAuditor::init):
+        (WebCore::XSSAuditor::filterToken):
+        (WebCore::XSSAuditor::filterStartToken):
+        (WebCore::XSSAuditor::filterEndToken):
+        (WebCore::XSSAuditor::filterCharacterToken):
+        (WebCore::XSSAuditor::filterScriptToken):
+        (WebCore::XSSAuditor::filterObjectToken):
+        (WebCore::XSSAuditor::filterParamToken):
+        (WebCore::XSSAuditor::filterEmbedToken):
+        (WebCore::XSSAuditor::filterAppletToken):
+        (WebCore::XSSAuditor::filterIframeToken):
+        (WebCore::XSSAuditor::filterMetaToken):
+        (WebCore::XSSAuditor::filterBaseToken):
+        (WebCore::XSSAuditor::filterFormToken):
+        (WebCore::XSSAuditor::decodedSnippetForAttribute):
+        (WebCore::XSSAuditor::snippetForJavaScript):
+        * html/parser/XSSAuditor.h:
+        (XSSAuditor):
+
 2012-02-22  Anders Carlsson  <andersca@apple.com>
 

trunk/Source/WebCore/html/parser/XSSAuditor.cpp

@@ -37 +37 @@
 #include "HTMLDocumentParser.h"
 #include "HTMLNames.h"
+#include "HTMLTokenizer.h"
 #include "HTMLParamElement.h"
 #include "HTMLParserIdioms.h"
@@ -55 +56 @@
     //
     // Note, we don't remove backslashes like PHP stripslashes(), which among other things converts "\\0" to the \0 character.
-    // Instead, we remove backslashes and zeros (since the string "\\0" =(remove backslashes)=> "0"). However, this has the 
+    // Instead, we remove backslashes and zeros (since the string "\\0" =(remove backslashes)=> "0"). However, this has the
     // adverse effect that we remove any legitimate zeros from a string.
     //
@@ -72 +73 @@
 }
 
-static bool isTerminatingCharacter(UChar c) 
+static bool isTerminatingCharacter(UChar c)
 {
     return (c == '&' || c == '/' || c == '"' || c == '\'' || c == '<');
@@ -88 +89 @@
 }
 
-static bool startsHTMLEndTagAt(const String& string, size_t start)
-{
-    return (start + 1 < string.length() && string[start] == '<' && string[start+1] == '/');
-}    
-
-
 static bool startsHTMLCommentAt(const String& string, size_t start)
 {
     return (start + 3 < string.length() && string[start] == '<' && string[start+1] == '!' && string[start+2] == '-' && string[start+3] == '-');
-}    
+}
 
 static bool startsSingleLineCommentAt(const String& string, size_t start)
 {
     return (start + 1 < string.length() && string[start] == '/' && string[start+1] == '/');
-}    
+}
 
 static bool startsMultiLineCommentAt(const String& string, size_t start)
@@ -178 +173 @@
         workingString = decode16BitUnicodeEscapeSequences(decodeStandardURLEscapeSequences(workingString, encoding));
     } while (workingString.length() < oldWorkingStringLength);
-    ASSERT(!workingString.isEmpty());
     workingString.replace('+', ' ');
     workingString = canonicalize(workingString);
@@ -189 +183 @@
     , m_xssProtection(XSSProtectionEnabled)
     , m_state(Uninitialized)
+    , m_shouldAllowCDATA(false)
+    , m_scriptTagNestingLevel(0)
     , m_notifiedClient(false)
 {
@@ -206 +202 @@
 
     ASSERT(m_state == Uninitialized);
-    m_state = Initial;
+    m_state = Initialized;
 
     if (!m_isEnabled)
@@ -259 +255 @@
 void XSSAuditor::filterToken(HTMLToken& token)
 {
-    if (m_state == Uninitialized) {
+    if (m_state == Uninitialized)
         init();
-        ASSERT(m_state == Initial);
-    }
-
+   
+    ASSERT(m_state == Initialized);
     if (!m_isEnabled || m_xssProtection == XSSProtectionDisabled)
         return;
 
     bool didBlockScript = false;
-
-    switch (m_state) {
-    case Uninitialized:
-        ASSERT_NOT_REACHED();
-        break;
-    case Initial:
-        didBlockScript = filterTokenInitial(token);
-        break;
-    case AfterScriptStartTag:
-        didBlockScript = filterTokenAfterScriptStartTag(token);
-        ASSERT(m_state == Initial);
-        m_cachedSnippet = String();
-        break;
+    if (token.type() == HTMLTokenTypes::StartTag)
+        didBlockScript = filterStartToken(token);
+    else if (m_scriptTagNestingLevel) {
+        if (token.type() == HTMLTokenTypes::Character)
+            didBlockScript = filterCharacterToken(token);
+        else if (token.type() == HTMLTokenTypes::EndTag)
+            filterEndToken(token);
     }
 
@@ -302 +291 @@
 }
 
-bool XSSAuditor::filterTokenInitial(HTMLToken& token)
-{
-    ASSERT(m_state == Initial);
-
-    if (token.type() != HTMLTokenTypes::StartTag)
-        return false;
-
+bool XSSAuditor::filterStartToken(HTMLToken& token)
+{
     bool didBlockScript = eraseDangerousAttributesIfInjected(token);
 
-    if (hasName(token, scriptTag))
+    if (hasName(token, scriptTag)) {
         didBlockScript |= filterScriptToken(token);
-    else if (hasName(token, objectTag))
+        ASSERT(m_shouldAllowCDATA || !m_scriptTagNestingLevel);
+        m_scriptTagNestingLevel++;
+    } else if (hasName(token, objectTag))
         didBlockScript |= filterObjectToken(token);
     else if (hasName(token, paramTag))
@@ -333 +319 @@
 }
 
-bool XSSAuditor::filterTokenAfterScriptStartTag(HTMLToken& token)
-{
-    ASSERT(m_state == AfterScriptStartTag);
-    m_state = Initial;
-
-    if (token.type() != HTMLTokenTypes::Character) {
-        ASSERT(token.type() == HTMLTokenTypes::EndTag || token.type() == HTMLTokenTypes::EndOfFile);
-        return false;
-    }
-
+void XSSAuditor::filterEndToken(HTMLToken& token)
+{
+    ASSERT(m_scriptTagNestingLevel);
+    if (hasName(token, scriptTag)) {
+        m_scriptTagNestingLevel--;
+        ASSERT(m_shouldAllowCDATA || !m_scriptTagNestingLevel);
+    }
+}
+
+bool XSSAuditor::filterCharacterToken(HTMLToken& token)
+{
+    ASSERT(m_scriptTagNestingLevel);
     TextResourceDecoder* decoder = m_parser->document()->decoder();
     if (isContainedInRequest(fullyDecodeString(m_cachedSnippet, decoder))) {
@@ -359 +347 @@
 bool XSSAuditor::filterScriptToken(HTMLToken& token)
 {
-    ASSERT(m_state == Initial);
     ASSERT(token.type() == HTMLTokenTypes::StartTag);
     ASSERT(hasName(token, scriptTag));
@@ -366 +353 @@
         return true;
 
-    m_state = AfterScriptStartTag;
     m_cachedSnippet = m_parser->sourceForToken(token);
+    m_shouldAllowCDATA = m_parser->tokenizer()->shouldAllowCDATA();
     return false;
 }
@@ -373 +360 @@
 bool XSSAuditor::filterObjectToken(HTMLToken& token)
 {
-    ASSERT(m_state == Initial);
     ASSERT(token.type() == HTMLTokenTypes::StartTag);
     ASSERT(hasName(token, objectTag));
@@ -388 +374 @@
 bool XSSAuditor::filterParamToken(HTMLToken& token)
 {
-    ASSERT(m_state == Initial);
     ASSERT(token.type() == HTMLTokenTypes::StartTag);
     ASSERT(hasName(token, paramTag));
@@ -407 +392 @@
 bool XSSAuditor::filterEmbedToken(HTMLToken& token)
 {
-    ASSERT(m_state == Initial);
     ASSERT(token.type() == HTMLTokenTypes::StartTag);
     ASSERT(hasName(token, embedTag));
@@ -422 +406 @@
 bool XSSAuditor::filterAppletToken(HTMLToken& token)
 {
-    ASSERT(m_state == Initial);
     ASSERT(token.type() == HTMLTokenTypes::StartTag);
     ASSERT(hasName(token, appletTag));
@@ -436 +419 @@
 bool XSSAuditor::filterIframeToken(HTMLToken& token)
 {
-    ASSERT(m_state == Initial);
     ASSERT(token.type() == HTMLTokenTypes::StartTag);
     ASSERT(hasName(token, iframeTag));
@@ -445 +427 @@
 bool XSSAuditor::filterMetaToken(HTMLToken& token)
 {
-    ASSERT(m_state == Initial);
     ASSERT(token.type() == HTMLTokenTypes::StartTag);
     ASSERT(hasName(token, metaTag));
@@ -454 +435 @@
 bool XSSAuditor::filterBaseToken(HTMLToken& token)
 {
-    ASSERT(m_state == Initial);
     ASSERT(token.type() == HTMLTokenTypes::StartTag);
     ASSERT(hasName(token, baseTag));
@@ -463 +443 @@
 bool XSSAuditor::filterFormToken(HTMLToken& token)
 {
-    ASSERT(m_state == Initial);
     ASSERT(token.type() == HTMLTokenTypes::StartTag);
     ASSERT(hasName(token, formTag));
@@ -542 +521 @@
 String XSSAuditor::decodedSnippetForAttribute(const HTMLToken& token, const HTMLToken::Attribute& attribute, AttributeKind treatment)
 {
-    const size_t kMaximumSnippetLength = 100;
-
     // The range doesn't inlcude the character which terminates the value. So,
     // for an input of |name="value"|, the snippet is |name="value|. For an
@@ -551 +528 @@
     int end = attribute.m_valueRange.m_end - token.startIndex();
     String decodedSnippet = fullyDecodeString(snippetForRange(token, start, end), m_parser->document()->decoder());
-    decodedSnippet.truncate(kMaximumSnippetLength);
+    decodedSnippet.truncate(kMaximumFragmentLengthTarget);
     if (treatment == SrcLikeAttribute) {
         int slashCount;
@@ -594 +571 @@
 String XSSAuditor::snippetForJavaScript(const String& string)
 {
-    const size_t kMaximumFragmentLengthTarget = 100;
-
     size_t startPosition = 0;
     size_t endPosition = string.length();
@@ -604 +579 @@
         while (startPosition < endPosition && isHTMLSpace(string[startPosition]))
             startPosition++;
+
+        // Under SVG/XML rules, only HTML comment syntax matters and the parser returns
+        // these as a separate comment tokens. Having consumed whitespace, we need not look
+        // further for these.
+        if (m_shouldAllowCDATA)
+            break;
+
+        // Under HTML rules, both the HTML and JS comment synatx matters, and the HTML
+        // comment ends at the end of the line, not with -->.
         if (startsHTMLCommentAt(string, startPosition) || startsSingleLineCommentAt(string, startPosition)) {
             while (startPosition < endPosition && !isJSNewline(string[startPosition]))
@@ -616 +600 @@
     }
 
-    // Stop at next comment, or at a closing script tag (which may have been included with
-    // the code fragment because of buffering in the HTMLSourceTracker), or when we exceed
-    // the maximum length target. After hitting the length target, we can only stop at a
-    // point where we know we are not in the middle of a %-escape sequence. For the sake of
-    // simplicity, approximate stopping at a close script tag by stopping at any close tag,
-    // and approximate not stopping inside a (possibly multiply encoded) %-esacpe sequence
-    // by breaking on whitespace only. We should have enough text in these cases to avoid
-    // false positives.
+    // Stop at next comment (using the same rules as above for SVG/XML vs HTML), or when
+    // we exceed the maximum length target. After hitting the length target, we can only
+    // stop at a point where we know we are not in the middle of a %-escape sequence. For
+    // the sake of simplicity, approximate not stopping inside a (possibly multiply encoded)
+    // %-esacpe sequence by breaking on whitespace only. We should have enough text in
+    // these cases to avoid false positives.
     for (foundPosition = startPosition; foundPosition < endPosition; foundPosition++) {
-        if (startsSingleLineCommentAt(string, foundPosition) || startsMultiLineCommentAt(string, foundPosition) || startsHTMLEndTagAt(string, foundPosition)) {
-            endPosition = foundPosition + 2;
-            break;
-        }
-        if (startsHTMLCommentAt(string, foundPosition)) {
-            endPosition = foundPosition + 4;
-            break;
+        if (!m_shouldAllowCDATA) {
+            if (startsSingleLineCommentAt(string, foundPosition) || startsMultiLineCommentAt(string, foundPosition)) {
+                endPosition = foundPosition + 2;
+                break;
+            }
+            if (startsHTMLCommentAt(string, foundPosition)) {
+                endPosition = foundPosition + 4;
+                break;
+            }
         }
         if (foundPosition > startPosition + kMaximumFragmentLengthTarget && isHTMLSpace(string[foundPosition])) {
@@ -638 +622 @@
         }
     }
-    
+
     return string.substring(startPosition, endPosition - startPosition);
 }

trunk/Source/WebCore/html/parser/XSSAuditor.h

@@ -43 +43 @@
 
 private:
+    static const size_t kMaximumFragmentLengthTarget = 100;
+
     enum State {
         Uninitialized,
-        Initial,
-        AfterScriptStartTag,
+        Initialized
     };
 
@@ -56 +57 @@
     void init();
 
-    bool filterTokenInitial(HTMLToken&);
-    bool filterTokenAfterScriptStartTag(HTMLToken&);
-
+    bool filterStartToken(HTMLToken&);
+    void filterEndToken(HTMLToken&);
+    bool filterCharacterToken(HTMLToken&);
     bool filterScriptToken(HTMLToken&);
     bool filterObjectToken(HTMLToken&);
@@ -89 +90 @@
     State m_state;
     String m_cachedSnippet;
+    bool m_shouldAllowCDATA;
+    unsigned m_scriptTagNestingLevel;
     bool m_notifiedClient;
 };