Changeset 46250 in webkit
- Timestamp:
- Jul 22, 2009 4:27:19 PM (15 years ago)
- Location:
- trunk
- Files:
-
- 9 added
- 4 edited
trunk/LayoutTests/ChangeLog
r46240 r46250 1 2009-07-22 Daniel Bates <dbates@intudata.com> 2 3 Reviewed by Adam Barth. 4 5 https://bugs.webkit.org/show_bug.cgi?id=27174 6 And 7 https://bugs.webkit.org/show_bug.cgi?id=26938 8 9 Tests prevention of attacks transformed by PHP Magic Quotes/PHP addslashes(). 10 11 * http/tests/security/xssAuditor/resources/echo-intertag-addslashes.pl: Added. 12 * http/tests/security/xssAuditor/script-tag-addslashes-backslash-expected.txt: Added. 13 * http/tests/security/xssAuditor/script-tag-addslashes-backslash.html: Added. 14 * http/tests/security/xssAuditor/script-tag-addslashes-double-quote-expected.txt: Added. 15 * http/tests/security/xssAuditor/script-tag-addslashes-double-quote.html: Added. 16 * http/tests/security/xssAuditor/script-tag-addslashes-null-char-expected.txt: Added. 17 * http/tests/security/xssAuditor/script-tag-addslashes-null-char.html: Added. 18 * http/tests/security/xssAuditor/script-tag-addslashes-single-quote-expected.txt: Added. 19 * http/tests/security/xssAuditor/script-tag-addslashes-single-quote.html: Added. 20 1 21 2009-07-22 David Hyatt <hyatt@apple.com> 2 22 -
trunk/WebCore/ChangeLog
r46246 r46250 1 2009-07-22 Daniel Bates <dbates@intudata.com> 2 3 Reviewed by Adam Barth. 4 5 https://bugs.webkit.org/show_bug.cgi?id=27174 6 And 7 https://bugs.webkit.org/show_bug.cgi?id=26938 8 9 Code cleanup. Implements support for detecting attacks transformed by 10 PHP Magic Quotes/PHP addslashes(). 11 12 Tests: http/tests/security/xssAuditor/script-tag-addslashes-backslash.html 13 http/tests/security/xssAuditor/script-tag-addslashes-double-quote.html 14 http/tests/security/xssAuditor/script-tag-addslashes-null-char.html 15 http/tests/security/xssAuditor/script-tag-addslashes-single-quote.html 16 17 * page/XSSAuditor.cpp: 18 (WebCore::isInvalidCharacter): 19 (WebCore::XSSAuditor::canEvaluate): 20 (WebCore::XSSAuditor::canEvaluateJavaScriptURL): 21 (WebCore::XSSAuditor::canLoadObject): 22 (WebCore::XSSAuditor::normalize): Decodes HTML entities, removes backslashes, 23 and removes control characters that could otherwise cause a discrepancy between 24 the source code of a script and the outgoing HTTP parameters. 25 (WebCore::XSSAuditor::decodeURL): 26 (WebCore::XSSAuditor::decodeHTMLEntities): 27 (WebCore::XSSAuditor::findInRequest): 28 * page/XSSAuditor.h: 29 1 30 2009-07-22 Oliver Hunt <oliver@apple.com> 2 31 -
trunk/WebCore/page/XSSAuditor.cpp
r46086 r46250 47 47 namespace WebCore { 48 48 49 static bool isNon NullControlCharacter(UChar c)50 { 51 return (c > '\0' && c < ' ') || c == 127;49 static bool isNonCanonicalCharacter(UChar c) 50 { 51 return (c == '\\' || c == '0' || c < ' ' || c == 127); 52 52 } 53 53 … … 67 67 } 68 68 69 bool XSSAuditor::canEvaluate(const String& sourceCode) const70 { 71 if (!isEnabled()) 72 return true; 73 74 if (findInRequest( sourceCode, false, true, false)) {69 bool XSSAuditor::canEvaluate(const String& code) const 70 { 71 if (!isEnabled()) 72 return true; 73 74 if (findInRequest(code, false)) { 75 75 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n")); 76 76 m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String()); … … 85 85 return true; 86 86 87 if (findInRequest(code , false, false, true, true)) {87 if (findInRequest(code)) { 88 88 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n")); 89 89 m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String()); … … 124 124 return true; 125 125 126 if (findInRequest(url , false, false)) {126 if (findInRequest(url)) { 127 127 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. 
Source code of script found within request")); 128 128 m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String()); … … 146 146 } 147 147 148 String XSSAuditor::decodeURL(const String& str, const TextEncoding& encoding, bool allowNullCharacters, 149 bool allowNonNullControlCharacters, bool decodeHTMLentities, bool leaveUndecodableHTMLEntitiesUntouched) 148 String XSSAuditor::canonicalize(const String& string) 149 { 150 String result = decodeHTMLEntities(string); 151 return result.removeCharacters(&isNonCanonicalCharacter); 152 } 153 154 String XSSAuditor::decodeURL(const String& string, const TextEncoding& encoding, bool decodeHTMLentities) 150 155 { 151 156 String result; 152 String url = str ;157 String url = string; 153 158 154 159 url.replace('+', ' '); … … 158 163 result = decodedResult; 159 164 if (decodeHTMLentities) 160 result = decodeHTMLEntities(result, leaveUndecodableHTMLEntitiesUntouched); 161 if (!allowNullCharacters) 162 result = StringImpl::createStrippingNullCharacters(result.characters(), result.length()); 163 if (!allowNonNullControlCharacters) { 164 decodedResult = result.removeCharacters(&isNonNullControlCharacter); 165 if (!decodedResult.isEmpty()) 166 result = decodedResult; 167 } 165 result = decodeHTMLEntities(result); 168 166 return result; 169 167 } 170 168 171 String XSSAuditor::decodeHTMLEntities(const String& str , bool leaveUndecodableHTMLEntitiesUntouched)172 { 173 SegmentedString source(str );169 String XSSAuditor::decodeHTMLEntities(const String& string, bool leaveUndecodableHTMLEntitiesUntouched) 170 { 171 SegmentedString source(string); 174 172 SegmentedString sourceShadow; 175 173 Vector<UChar> result; … … 206 204 } 207 205 208 bool XSSAuditor::findInRequest(const String& string, bool matchNullCharacters, bool matchNonNullControlCharacters, 209 bool decodeHTMLentities, bool leaveUndecodableHTMLEntitiesUntouched) const 206 bool XSSAuditor::findInRequest(const 
String& string, bool decodeHTMLentities) const 210 207 { 211 208 bool result = false; 212 209 Frame* parentFrame = m_frame->tree()->parent(); 213 210 if (parentFrame && m_frame->document()->url() == blankURL()) 214 result = findInRequest(parentFrame, string, matchNullCharacters, matchNonNullControlCharacters, 215 decodeHTMLentities, leaveUndecodableHTMLEntitiesUntouched); 211 result = findInRequest(parentFrame, string, decodeHTMLentities); 216 212 if (!result) 217 result = findInRequest(m_frame, string, matchNullCharacters, matchNonNullControlCharacters, 218 decodeHTMLentities, leaveUndecodableHTMLEntitiesUntouched); 213 result = findInRequest(m_frame, string, decodeHTMLentities); 219 214 return result; 220 215 } 221 216 222 bool XSSAuditor::findInRequest(Frame* frame, const String& string, bool matchNullCharacters, bool matchNonNullControlCharacters, 223 bool decodeHTMLentities, bool leaveUndecodableHTMLEntitiesUntouched) const 217 bool XSSAuditor::findInRequest(Frame* frame, const String& string, bool decodeHTMLentities) const 224 218 { 225 219 ASSERT(frame->document()); … … 237 231 return false; 238 232 233 String canonicalizedString = canonicalize(string); 239 234 if (string.length() < pageURL.length()) { 240 235 // The string can actually fit inside the pageURL. 241 String decodedPageURL = decodeURL(pageURL, frame->document()->decoder()->encoding(), matchNullCharacters, 242 matchNonNullControlCharacters, decodeHTMLentities, leaveUndecodableHTMLEntitiesUntouched); 243 if (decodedPageURL.find(string, 0, false) != -1) 236 String decodedPageURL = canonicalize(decodeURL(pageURL, frame->document()->decoder()->encoding(), decodeHTMLentities)); 237 if (decodedPageURL.find(canonicalizedString, 0, false) != -1) 244 238 return true; // We've found the smoking gun. 245 239 } … … 253 247 // code is less than or equal to the length of the url-encoded 254 248 // string. 
255 String decodedFormData = decodeURL(formData, frame->document()->decoder()->encoding(), matchNullCharacters, 256 matchNonNullControlCharacters, decodeHTMLentities, leaveUndecodableHTMLEntitiesUntouched); 257 if (decodedFormData.find(string, 0, false) != -1) 249 String decodedFormData = canonicalize(decodeURL(formData, frame->document()->decoder()->encoding(), decodeHTMLentities)); 250 if (decodedFormData.find(canonicalizedString, 0, false) != -1) 258 251 return true; // We found the string in the POST data. 259 252 } -
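Review bot: In the first hunk, isNonCanonicalCharacter tests `c == '0'`, which is the digit zero, not the NUL character; the ChangeLog and the new null-char test describe stripping control characters, and `c < ' '` already covers NUL, so as written every '0' is removed from both the script source and the decoded request before they are compared, which weakens the match (for instance `alert(10)` and `alert(1)` canonicalize to the same string). Suggested: `return c == '\\' || c < ' ' || c == 127;` (or `c == 0` if an explicit NUL term is wanted for readability). Separately, findInRequest(Frame*, …) still guards with `string.length() < pageURL.length()` while the search is done with canonicalizedString, so a script whose canonical form is much shorter than its raw form may be skipped even though it could fit in decodedPageURL; `canonicalizedString.length()` would keep the guard consistent with what is actually searched. Both findInRequest bodies start and end outside the hunks shown.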
trunk/WebCore/page/XSSAuditor.h
r45787 r46250 73 73 // Determines whether the script should be allowed or denied execution 74 74 // based on the content of any user-submitted data. 75 bool canEvaluate(const String& sourceCode) const;75 bool canEvaluate(const String& code) const; 76 76 77 77 // Determines whether the JavaScript URL should be allowed or denied execution … … 100 100 101 101 private: 102 static String decodeURL(const String& url, const TextEncoding& encoding = UTF8Encoding(), bool allowNullCharacters = false, 103 bool allowNonNullControlCharacters = true, bool decodeHTMLentities = true, 104 bool leaveUndecodableHTMLEntitiesUntouched = false); 102 static String canonicalize(const String&); 105 103 106 static String decodeHTMLEntities(const String&, bool leaveUndecodableHTMLEntitiesUntouched = false); 104 static String decodeURL(const String& url, const TextEncoding& encoding = UTF8Encoding(), bool decodeHTMLentities = true); 105 106 static String decodeHTMLEntities(const String&, bool leaveUndecodableHTMLEntitiesUntouched = true); 107 107 108 bool findInRequest(const String&, bool matchNullCharacters = true, bool matchNonNullControlCharacters = true, 109 bool decodeHTMLentities = true, bool leaveUndecodableHTMLEntitiesUntouched = false) const; 108 bool findInRequest(const String&, bool decodeHTMLentities = true) const; 110 109 111 bool findInRequest(Frame*, const String&, bool matchNullCharacters = true, bool matchNonNullControlCharacters = true, 112 bool decodeHTMLentities = true, bool leaveUndecodableHTMLEntitiesUntouched = false) const; 110 bool findInRequest(Frame*, const String&, bool decodeHTMLentities = true) const; 113 111 114 112 // The frame to audit.
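Review bot: The new private declaration `static String canonicalize(const String&);` carries no comment, while the public declarations above it each say what they decide; a one-line comment such as `// Decodes HTML entities, then strips backslashes and control characters so a script and its addslashes()-transformed copy in the request compare equal.` would capture the intent stated in the ChangeLog. The same hunk also flips the default of `leaveUndecodableHTMLEntitiesUntouched` on decodeHTMLEntities from false to true, which the ChangeLog does not mention; a short comment on that parameter explaining why undecodable entities are now left untouched would keep the next reader from reverting it.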