Changeset 207848 in webkit
- Timestamp: Oct 25, 2016 3:07:20 PM
- Location: trunk
- Files: 7 added, 5 edited
trunk/LayoutTests/ChangeLog
2016-10-25  Daniel Bates  <dabates@apple.com>

        REGRESSION (r178265): XSS Auditor fails to block document.write() of incomplete tag
        https://bugs.webkit.org/show_bug.cgi?id=163978
        <rdar://problem/25962131>

        Reviewed by Darin Adler.

        Add tests to ensure that the XSS Auditor blocks a document.write() of an incomplete HTML image tag.

        * http/tests/security/xssAuditor/dom-write-location-dom-write-open-img-onerror-expected.txt: Added.
        * http/tests/security/xssAuditor/dom-write-location-dom-write-open-img-onerror.html: Added.
        * http/tests/security/xssAuditor/dom-write-location-open-img-onerror-expected.txt: Added.
        * http/tests/security/xssAuditor/dom-write-location-open-img-onerror.html: Added.
        * http/tests/security/xssAuditor/nested-dom-write-location-open-img-onerror-expected.txt: Added.
        * http/tests/security/xssAuditor/nested-dom-write-location-open-img-onerror.html: Added.
        * http/tests/security/xssAuditor/resources/echo-nested-dom-write-location.html: Added.

2016-10-25  Brady Eidson  <beidson@apple.com>
trunk/Source/WebCore/ChangeLog
2016-10-25  Daniel Bates  <dabates@apple.com>

        REGRESSION (r178265): XSS Auditor fails to block document.write() of incomplete tag
        https://bugs.webkit.org/show_bug.cgi?id=163978
        <rdar://problem/25962131>

        Reviewed by Darin Adler.

        During the tokenization process of an HTML tag the start and end positions of each of its
        attributes is tracked so that the XSS Auditor can request a snippet around a suspected
        injected attribute. We need to take care to consider document.write() boundaries when
        tracking the start and end positions of each HTML tag and attribute so that the XSS Auditor
        receives the correct snippet. Following r178265 we no longer consider document.write()
        boundaries when tracking the start and end positions of attributes. So, the substring
        represented by the start and end positions of an attribute may correspond to some other
        attribute in the tag. Therefore the XSS Auditor may fail to block an injection because the
        snippet it requested may not be the snippet that it intended to request.

        Tests: http/tests/security/xssAuditor/dom-write-location-dom-write-open-img-onerror.html
               http/tests/security/xssAuditor/dom-write-location-open-img-onerror.html
               http/tests/security/xssAuditor/nested-dom-write-location-open-img-onerror.html

        * html/parser/HTMLSourceTracker.cpp:
        (WebCore::HTMLSourceTracker::startToken): Set the attribute base offset to be the token
        start position.
        (WebCore::HTMLSourceTracker::source): Use the specified attribute start position as-is. We no
        longer adjust it here because it was adjusted with respect to the attribute base offset, which
        takes into account document.write() boundaries.
        * html/parser/HTMLToken.h:
        (WebCore::HTMLToken::setAttributeBaseOffset): Added.
        (WebCore::HTMLToken::beginAttribute): Subtract attribute base offset from the specified offset.
        (WebCore::HTMLToken::endAttribute): Ditto.
        * html/parser/HTMLTokenizer.h:
        (WebCore::HTMLTokenizer::setTokenAttributeBaseOffset): Added.

2016-10-25  Chris Dumez  <cdumez@apple.com>
trunk/Source/WebCore/html/parser/HTMLSourceTracker.cpp
r178265 r207848 50 50 m_currentSource = currentInput; 51 51 m_tokenStart = m_currentSource.numberOfCharactersConsumed() - m_previousSource.length(); 52 tokenizer.setTokenAttributeBaseOffset(m_tokenStart); 52 53 } 53 54 … … 93 94 String HTMLSourceTracker::source(const HTMLToken& token, unsigned attributeStart, unsigned attributeEnd) 94 95 { 95 return source(token).substring(attributeStart - m_tokenStart, attributeEnd - attributeStart);96 return source(token).substring(attributeStart, attributeEnd - attributeStart); 96 97 } 97 98 -
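Review bot: the three-argument source() now silently depends on attributeStart and attributeEnd already being relative to the token start (the `- m_tokenStart` adjustment moved into HTMLToken::beginAttribute/endAttribute), but nothing at the call site says so; a one-line comment above `return source(token).substring(attributeStart, attributeEnd - attributeStart);` stating that the offsets are token-relative would stop a later reader from re-adding the subtraction and reintroducing the double adjustment. Also, `attributeEnd - attributeStart` is unsigned with no check that attributeEnd >= attributeStart; an `ASSERT(attributeEnd >= attributeStart);` would catch a wrapped length early, which matters here because a snippet taken from the wrong range is exactly the failure mode this change fixes for the XSS Auditor.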
trunk/Source/WebCore/html/parser/HTMLToken.h
r199735 r207848 115 115 void setSelfClosing(); 116 116 117 // Used by HTMLTokenizer on behalf of HTMLSourceTracker. 118 void setAttributeBaseOffset(unsigned attributeBaseOffset) { m_attributeBaseOffset = attributeBaseOffset; } 119 117 120 public: 118 121 // Used by the XSSAuditor to nuke XSS-laden attributes. … … 154 157 // For DOCTYPE 155 158 std::unique_ptr<DoctypeData> m_doctypeData; 159 160 unsigned m_attributeBaseOffset { 0 }; // Changes across document.write() boundaries. 156 161 }; 157 162 … … 316 321 m_currentAttribute = &m_attributes.last(); 317 322 318 m_currentAttribute->startOffset = offset ;323 m_currentAttribute->startOffset = offset - m_attributeBaseOffset; 319 324 } 320 325 … … 323 328 ASSERT(offset); 324 329 ASSERT(m_currentAttribute); 325 m_currentAttribute->endOffset = offset ;330 m_currentAttribute->endOffset = offset - m_attributeBaseOffset; 326 331 #if !ASSERT_DISABLED 327 332 m_currentAttribute = nullptr; -
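Review bot: `offset - m_attributeBaseOffset` in beginAttribute and endAttribute is unsigned arithmetic with no guard that offset >= m_attributeBaseOffset; if the base offset were ever set past an attribute's position, startOffset/endOffset would wrap to a huge value and the XSS Auditor would again request a snippet from the wrong place. endAttribute already has `ASSERT(offset);`, so adding `ASSERT(offset >= m_attributeBaseOffset);` beside it, and the same in beginAttribute, is cheap and documents the invariant. Separately, m_attributeBaseOffset is initialized to 0 and only ever changed through setAttributeBaseOffset; it is worth confirming that either HTMLToken::clear() resets it or setTokenAttributeBaseOffset is guaranteed to run before every beginAttribute, otherwise a stale base from a previous token could carry over across a document.write() boundary.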
trunk/Source/WebCore/html/parser/HTMLTokenizer.h
r178265 r207848 43 43 class TokenPtr; 44 44 TokenPtr nextToken(SegmentedString&); 45 46 // Used by HTMLSourceTracker. 47 void setTokenAttributeBaseOffset(unsigned); 45 48 46 49 // Returns a copy of any characters buffered internally by the tokenizer. … … 283 286 } 284 287 288 inline void HTMLTokenizer::setTokenAttributeBaseOffset(unsigned offset) 289 { 290 m_token.setAttributeBaseOffset(offset); 291 } 292 285 293 inline size_t HTMLTokenizer::numberOfBufferedCharacters() const 286 294 {
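Review bot: the comment `// Used by HTMLSourceTracker.` above setTokenAttributeBaseOffset says who calls it but not what the argument means; since HTMLSourceTracker::startToken passes m_tokenStart, computed from `m_currentSource.numberOfCharactersConsumed()`, stating that unit here (for example `// Start of the current token, in characters consumed; attribute offsets are stored relative to it.`) keeps the tokenizer, token and source tracker in agreement about the coordinate system. The forwarding body itself is fine.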