Changeset 48458 in webkit


Timestamp:
Sep 16, 2009 11:45:17 PM (15 years ago)
Author:
abarth@webkit.org
Message:

2009-09-16 Daniel Bates <dbates@webkit.org>

Reviewed by Darin Adler.

https://bugs.webkit.org/show_bug.cgi?id=29306

Tests that scripts with accented characters do not bypass the XSSAuditor.

  • http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt: Added.
  • http/tests/security/xssAuditor/img-onerror-accented-char.html: Added.

2009-09-16 Daniel Bates <dbates@webkit.org>

Reviewed by Darin Adler.

https://bugs.webkit.org/show_bug.cgi?id=29306

Fixes an issue where an attack that contains accented characters can
bypass the XSSAuditor.

XSSAuditor::decodeURL used the wrong length for the input string.
When the input string was decoded, the decoded result was truncated.
Hence, XSSAuditor was comparing the source code of the script to the
truncated input parameters.

Test: http/tests/security/xssAuditor/img-onerror-accented-char.html

  • page/XSSAuditor.cpp: (WebCore::XSSAuditor::decodeURL):
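The root cause in the message above is a unit mismatch: `result.length()` counts UTF-16 code units, while `TextEncoding::decode(data, length)` is given a UTF-8 buffer and expects a byte count. Every non-ASCII character makes the byte count larger than the code-unit count, so the decoder was told to stop early. The following is an added illustration, not code from this changeset or from WebKit: it assumes a minimal BMP-only UTF-8 encoder and decoder standing in for `String::utf8()` and `TextEncoding::decode()`, and a constructed sample parameter with three accented letters.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

// Constructed sample (not from the changeset): 10 UTF-16 code units, three of
// which are accented Latin-1 letters that each take two bytes in UTF-8.
static const std::u16string kAccentedUrlParam = u"caf\u00e9 \u00e9l\u00e8ve";

// Stand-in for String::utf8(): encode BMP code units as UTF-8 (no surrogate
// pair handling, which the sample does not need).
std::string toUtf8(const std::u16string& s) {
    std::string out;
    for (char16_t c : s) {
        if (c < 0x80) {
            out += static_cast<char>(c);
        } else if (c < 0x800) {
            out += static_cast<char>(0xC0 | (c >> 6));
            out += static_cast<char>(0x80 | (c & 0x3F));
        } else {
            out += static_cast<char>(0xE0 | (c >> 12));
            out += static_cast<char>(0x80 | ((c >> 6) & 0x3F));
            out += static_cast<char>(0x80 | (c & 0x3F));
        }
    }
    return out;
}

// Stand-in for TextEncoding::decode(data, length): decode exactly `length`
// bytes. A multi-byte sequence cut off by `length` is dropped, so a length
// that is too small silently shortens the decoded string.
std::u16string fromUtf8(const char* data, size_t length) {
    std::u16string out;
    size_t i = 0;
    while (i < length) {
        unsigned char b = static_cast<unsigned char>(data[i]);
        size_t need = b < 0x80 ? 1 : ((b & 0xE0) == 0xC0 ? 2 : 3);
        if (i + need > length)
            break;  // incomplete sequence at the end of the (truncated) buffer
        char16_t cp;
        if (need == 1)
            cp = b;
        else if (need == 2)
            cp = static_cast<char16_t>(((b & 0x1F) << 6) | (data[i + 1] & 0x3F));
        else
            cp = static_cast<char16_t>(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F));
        out += cp;
        i += need;
    }
    return out;
}

// Number of UTF-8 bytes the parameter occupies; always >= the UTF-16 length.
size_t utf8ByteLength(const std::u16string& s) { return toUtf8(s).size(); }

// Before r48458: the byte count handed to the decoder is the UTF-16 length,
// which undercounts the UTF-8 buffer whenever non-ASCII characters are present.
std::u16string decodeWithUtf16Length(const std::u16string& s) {
    std::string utf8 = toUtf8(s);
    return fromUtf8(utf8.data(), s.length());
}

// After r48458: the length is taken from the UTF-8 buffer itself.
std::u16string decodeWithUtf8Length(const std::u16string& s) {
    std::string utf8 = toUtf8(s);
    return fromUtf8(utf8.data(), utf8.length());
}

int main() {
    std::printf("UTF-16 code units: %zu, UTF-8 bytes: %zu\n",
                kAccentedUrlParam.size(), utf8ByteLength(kAccentedUrlParam));
    std::printf("decoded with UTF-16 length: %zu code units (truncated)\n",
                decodeWithUtf16Length(kAccentedUrlParam).size());
    std::printf("decoded with UTF-8 length:  %zu code units (complete)\n",
                decodeWithUtf8Length(kAccentedUrlParam).size());
    return 0;
}
```

With the sample, the UTF-16 length is 10 but the UTF-8 buffer is 13 bytes; decoding only the first 10 bytes yields `café él`, and the auditor then compares script source against a parameter that is missing its tail. Any character outside ASCII widens the gap, which is why the test added here uses accented characters rather than a specially crafted payload.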
Location:
trunk
Files:
2 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r48457 r48458  
     12009-09-16  Daniel Bates  <dbates@webkit.org>
     2
     3        Reviewed by Darin Adler.
     4
     5        https://bugs.webkit.org/show_bug.cgi?id=29306
     6       
     7        Tests that scripts with accented characters do not bypass the XSSAuditor.
     8
     9        * http/tests/security/xssAuditor/img-onerror-accented-char-expected.txt: Added.
     10        * http/tests/security/xssAuditor/img-onerror-accented-char.html: Added.
     11
    1122009-09-16  Adam Barth  <abarth@webkit.org>
    213
  • trunk/WebCore/ChangeLog

    r48456 r48458  
     12009-09-16  Daniel Bates  <dbates@webkit.org>
     2
     3        Reviewed by Darin Adler.
     4
     5        https://bugs.webkit.org/show_bug.cgi?id=29306
     6       
     7        Fixes an issue where an attack that contains accented characters can
     8        bypass the XSSAuditor.
     9       
     10        XSSAuditor::decodeURL used the wrong length for the input string.
     11        When the input string was decoded, the decoded result was truncated.
     12        Hence, XSSAuditor was comparing the source code of the script to the
     13        truncated input parameters.
     14
     15        Test: http/tests/security/xssAuditor/img-onerror-accented-char.html
     16
     17        * page/XSSAuditor.cpp:
     18        (WebCore::XSSAuditor::decodeURL):
     19
    1202009-09-16  Brady Eidson  <beidson@apple.com>
    221
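Review bot: the entry's description ("used the wrong length for the input string", lines 10-13 of the hunk) would be clearer if it named the two units being confused, since that is what a later reader needs to recognise the pattern elsewhere: `result.length()` is a UTF-16 code-unit count, while `TextEncoding::decode` is handed the UTF-8 buffer and needs its byte count. Suggest something like "used the UTF-16 length of the string as the byte length of its UTF-8 encoding, truncating the decoded result whenever the URL contains non-ASCII characters."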
  • trunk/WebCore/page/XSSAuditor.cpp

    r47858 r48458  
    176176    url.replace('+', ' ');
    177177    result = decodeURLEscapeSequences(url);
    178     String decodedResult = encoding.decode(result.utf8().data(), result.length());
     178    CString utf8Url = result.utf8();
     179    String decodedResult = encoding.decode(utf8Url.data(), utf8Url.length());
    179180    if (!decodedResult.isEmpty())
    180181        result = decodedResult;
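Review bot: the fix is correct; `utf8Url.length()` is the byte count of the UTF-8 buffer that `encoding.decode(data, length)` expects, whereas the removed `result.length()` counted UTF-16 code units, which is smaller than the byte count as soon as the URL contains a non-ASCII character, so the decoder stopped early and the auditor compared against a truncated parameter. Binding the `CString` to a named local is also needed now that both `data()` and `length()` are taken from it, so the buffer outlives both calls; a short comment on line 178 saying the length must be in bytes would stop the original form from being reintroduced. The `decodedResult.isEmpty()` fallback on lines 180-181 still means an undecodable URL is compared in its raw form, which is unchanged behaviour but worth a note in the ChangeLog.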