Changeset 195073 in webkit
- Timestamp:
- Jan 14, 2016 1:37:49 PM (8 years ago)
- Location:
- trunk
- Files:
-
- 2 added
- 4 edited
trunk/LayoutTests/ChangeLog
r195071 r195073 1 2016-01-14 Daniel Bates <dabates@apple.com> 2 3 [XSS Auditor] Partial bypass when web server collapses path components 4 https://bugs.webkit.org/show_bug.cgi?id=152872 5 6 Reviewed by Brent Fulgham. 7 8 Merged from Blink (patch by Tom Sepez <tsepez@chromium.org>): 9 <https://src.chromium.org/viewvc/blink?revision=167610&view=revision> 10 11 * http/tests/security/xssAuditor/embed-tag-in-path-unterminated-expected.txt: Added. 12 * http/tests/security/xssAuditor/embed-tag-in-path-unterminated.html: Added. 13 * http/tests/security/xssAuditor/intercept/.htaccess: 14 1 15 2016-01-14 Zalan Bujtas <zalan@apple.com> 2 16 -
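--- a/trunk/LayoutTests/http/tests/security/xssAuditor/intercept/.htaccess
+++ b/trunk/LayoutTests/http/tests/security/xssAuditor/intercept/.htaccess
@@ -1,2 +1,5 @@
+# For ease in testing path reflections, pass any path component containing <'"
+# (and subsequent characters) as the "q" query parameter to the script identified
+# by the path components preceeding it.
 RewriteEngine on
-RewriteRule ^( .*)/(.*) /security/xssAuditor/resources/$1?q=$2 [L,NS]
+RewriteRule ^([^<"']*)/(.*) /security/xssAuditor/resources/$1?q=$2 [L,NS]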
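Review bot: The comment added at new line 3 misspells "preceding" as `preceeding`; suggest `# by the path components preceding it.`. The rewritten rule is consistent with the new comment, which now documents why the first capture group excludes `<`, `"` and `'` so that everything from the first such character onward lands in the `q` parameter.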
trunk/Source/WebCore/ChangeLog
r195072 r195073 1 2016-01-14 Daniel Bates <dabates@apple.com> 2 3 [XSS Auditor] Partial bypass when web server collapses path components 4 https://bugs.webkit.org/show_bug.cgi?id=152872 5 6 Reviewed by Brent Fulgham. 7 8 Merged from Blink (patch by Tom Sepez <tsepez@chromium.org>): 9 <https://src.chromium.org/viewvc/blink?revision=167610&view=revision> 10 11 Test: http/tests/security/xssAuditor/embed-tag-in-path-unterminated.html 12 13 * html/parser/XSSAuditor.cpp: 14 (WebCore::isNonCanonicalCharacter): 15 (WebCore::XSSAuditor::init): 16 (WebCore::XSSAuditor::decodedSnippetForName): 17 (WebCore::XSSAuditor::decodedSnippetForAttribute): 18 (WebCore::XSSAuditor::decodedSnippetForJavaScript): 19 (WebCore::fullyDecodeString): Deleted. 20 1 21 2016-01-14 Beth Dakin <bdakin@apple.com> 2 22 -
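--- a/trunk/Source/WebCore/html/parser/XSSAuditor.cpp
+++ b/trunk/Source/WebCore/html/parser/XSSAuditor.cpp
@@ -57,6 +57,8 @@
 // Instead, we remove backslashes and zeros (since the string "\\0" =(remove backslashes)=> "0"). However, this has the
 // adverse effect that we remove any legitimate zeros from a string.
+// We also remove forward-slash, because it is common for some servers to collapse successive path components, eg,
+// a//b becomes a/b.
 //
-// For instance: new String("http://localhost:8000") => new String("http: //localhost:8").
-return (c == '\\' || c == '0' || c == '\0' || c >= 127);
+// For instance: new String("http://localhost:8000") => new String("http:localhost:8").
+return (c == '\\' || c == '0' || c == '\0' || c == '/' || c >= 127);
 }
@@ -176,5 +178,4 @@
 } while (workingString.length() < oldWorkingStringLength);
 workingString.replace('+', ' ');
-workingString = canonicalize(workingString);
 return workingString;
 }
@@ -269,5 +270,5 @@
 m_encoding = document->decoder()->encoding();
 
-m_decodedURL = fullyDecodeString(m_documentURL.string(), m_encoding);
+m_decodedURL = canonicalize(fullyDecodeString(m_documentURL.string(), m_encoding));
 if (m_decodedURL.find(isRequiredForInjection) == notFound)
 m_decodedURL = String();
@@ -307,5 +308,5 @@
 httpBodyAsString = httpBody->flattenToString();
 if (!httpBodyAsString.isEmpty()) {
-m_decodedHTTPBody = fullyDecodeString(httpBodyAsString, m_encoding);
+m_decodedHTTPBody = canonicalize(fullyDecodeString(httpBodyAsString, m_encoding));
 if (m_decodedHTTPBody.find(isRequiredForInjection) == notFound)
 m_decodedHTTPBody = String();
@@ -568,5 +569,5 @@
 {
 // Grab a fixed number of characters equal to the length of the token's name plus one (to account for the "<").
-return fullyDecodeString(request.sourceTracker.source(request.token), m_encoding).substring(0, request.token.name().size() + 1);
+return canonicalize(fullyDecodeString(request.sourceTracker.source(request.token), m_encoding).substring(0, request.token.name().size() + 1));
 }
 
@@ -579,4 +580,7 @@
 unsigned start = attribute.startOffset;
 unsigned end = attribute.endOffset;
+
+// We defer canonicalizing the decoded string here to preserve embedded slashes (if any) that
+// may lead us to truncate the string.
 String decodedSnippet = fullyDecodeString(request.sourceTracker.source(request.token, start, end), m_encoding);
 decodedSnippet.truncate(kMaximumFragmentLengthTarget);
@@ -627,5 +631,5 @@
 }
 }
-return decodedSnippet;
+return canonicalize(decodedSnippet);
 }
 
@@ -698,5 +702,5 @@
 }
 
-result = fullyDecodeString(string.substring(startPosition, foundPosition - startPosition), m_encoding);
+result = canonicalize(fullyDecodeString(string.substring(startPosition, foundPosition - startPosition), m_encoding));
 startPosition = foundPosition + 1;
 }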
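Review bot: fullyDecodeString no longer canonicalizes its result (the line removed at old 178), but nothing at the function records that every caller is now responsible for calling canonicalize() before comparing against m_decodedURL or m_decodedHTTPBody, which init canonicalizes; a future caller that forgets would compare non-canonical text and the auditor would silently stop matching for that path. Suggest a comment above the return in that hunk, `// Decoded but NOT canonicalized: callers must canonicalize() before comparing with m_decodedURL/m_decodedHTTPBody.`; the function's signature is outside the hunk. The deferral comment added in decodedSnippetForAttribute (new 583-584) is the right kind of note, since truncation to kMaximumFragmentLengthTarget now happens before slashes are stripped. Minor: `eg,` in the new isNonCanonicalCharacter comment should read `e.g.,`.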