Changeset 206276 in webkit
- Timestamp: Sep 22, 2016 2:33:20 PM
- Location: trunk
- Files: 2 added, 4 edited
trunk/LayoutTests/ChangeLog
r206264 r206276 1 2016-09-22 Daniel Bates <dabates@apple.com> 2 3 [XSS Auditor] Truncate data URLs at quotes 4 https://bugs.webkit.org/show_bug.cgi?id=161937 5 6 Reviewed by David Kilzer. 7 8 * http/tests/security/xssAuditor/resources/echo-property.pl: 9 * http/tests/security/xssAuditor/script-tag-with-source-data-url4-expected.txt: Added. 10 * http/tests/security/xssAuditor/script-tag-with-source-data-url4.html: Added. 11 1 12 2016-09-22 Ryan Haddad <ryanhaddad@apple.com> 2 13 -
trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl
r95065 r206276 15 15 } 16 16 print "\">\n"; 17 print "<script>var y = 123;</script>"; 17 18 print "</body>\n"; 18 19 print "</html>\n"; -
trunk/Source/WebCore/ChangeLog
r206275 r206276 1 2016-09-22 Daniel Bates <dabates@apple.com> 2 3 [XSS Auditor] Truncate data URLs at quotes 4 https://bugs.webkit.org/show_bug.cgi?id=161937 5 6 Reviewed by David Kilzer. 7 8 Merged from Blink: 9 <https://chromium.googlesource.com/chromium/src/+/c6d6331190dd43f09459e2341c3111e796f9de12/> 10 11 Truncate a data URL at the first single or double quote character to avoid considering 12 characters that may come from the page content following an injected data URL. 13 14 Test: http/tests/security/xssAuditor/script-tag-with-source-data-url4.html 15 16 * html/parser/XSSAuditor.cpp: 17 (WebCore::truncateForSrcLikeAttribute): 18 1 19 2016-09-22 Daniel Bates <dabates@apple.com> 2 20 -
trunk/Source/WebCore/html/parser/XSSAuditor.cpp
r199525 r206276 179 179 // In HTTP URLs, characters following the first ?, #, or third slash may come from 180 180 // the page itself and can be merely ignored by an attacker's server when a remote 181 // script or script-like resource is requested. In DATA URLS, the payload starts at 182 // the first comma, and the the first /*, //, or <!-- may introduce a comment. Characters 183 // following this may come from the page itself and may be ignored when the script is 184 // executed. For simplicity, we don't differentiate based on URL scheme, and stop at 185 // the first # or ?, the third slash, or the first slash or < once a comma is seen. 181 // script or script-like resource is requested. In data URLs, the payload starts at 182 // the first comma, and the first /*, //, or <!-- may introduce a comment. Also 183 // data URLs may use the same string literal tricks as with script content itself. 184 // In either case, content following this may come from the page and may be ignored 185 // when the script is executed. 186 // For simplicity, we don't differentiate based on URL scheme, and stop at 187 // the first # or ?, the third slash, or the first slash, <, ', or " once a comma 188 // is seen. 186 189 int slashCount = 0; 187 190 bool commaSeen = false; … … 191 194 || currentChar == '#' 192 195 || ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++slashCount > 2)) 193 || (currentChar == '<' && commaSeen)) { 196 || (currentChar == '<' && commaSeen) 197 || (currentChar == '\'' && commaSeen) 198 || (currentChar == '"' && commaSeen)) { 194 199 decodedSnippet.truncate(currentLength); 195 200 return;
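Review bot: in the echo-property.pl hunk the added line `print "<script>var y = 123;</script>";` carries no comment saying why a second script block now follows the echoed attribute; a one-line comment stating that it supplies page content after the injected attribute, so that the new script-tag-with-source-data-url4.html test has trailing page text for the quote truncation to cut off, would stop the next reader from treating it as stray output. If other tests in http/tests/security/xssAuditor/ share this resource, the ChangeLog entry should also record that their expectations were re-verified, since the extra script tag changes the document every test that uses echo-property.pl echoes.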
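Review bot: in the XSSAuditor.cpp hunk the two added disjuncts `|| (currentChar == '\'' && commaSeen)` and `|| (currentChar == '"' && commaSeen)` repeat the `commaSeen` guard of the existing `(currentChar == '<' && commaSeen)` line; folding the three into a single clause, `((currentChar == '<' || currentChar == '\'' || currentChar == '"') && commaSeen)`, keeps the post-comma stop set in one place and mirrors the list the updated comment gives ("the first slash, <, ', or \" once a comma is seen"). The comment would also benefit from one sentence on why the quote check is gated on `commaSeen` at all: its own opening sentence says the payload of a data URL starts at the first comma, so a quote seen before the comma is not part of script content and is deliberately left alone, but a reader of the condition by itself cannot tell whether that gate is intentional or an oversight.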