Changeset 48564 in webkit


Timestamp:
Sep 19, 2009 1:29:29 PM (15 years ago)
Author:
dbates@webkit.org
Message:

2009-09-19 Daniel Bates <dbates@webkit.org>

Reviewed by Adam Barth.

https://bugs.webkit.org/show_bug.cgi?id=29511


Fixes an issue where script code that contains non-ASCII characters may bypass the
XSSAuditor.


Before performing a comparison between the script source code and input parameters, we
remove all non-ASCII characters, including non-printable ASCII characters from the
script source code and input parameters.

Tests: http/tests/security/xssAuditor/img-onerror-non-ASCII-char.html
http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding.html
http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding.html
http/tests/security/xssAuditor/img-onerror-non-ASCII-char2.html

  • page/XSSAuditor.cpp: (WebCore::isNonCanonicalCharacter): Modified to remove all non-ASCII characters, including non-printable ASCII characters.

2009-09-19 Daniel Bates <dbates@webkit.org>

Reviewed by Adam Barth.

https://bugs.webkit.org/show_bug.cgi?id=29511


Tests that scripts that contain non-ASCII characters do not bypass the XSSAuditor.

  • http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt: Added.
  • http/tests/security/xssAuditor/img-onerror-non-ASCII-char.html: Added.
  • http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected: Added.
  • http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding.html: Added.
  • http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt: Added.
  • http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding.html: Added.
  • http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt: Added.
  • http/tests/security/xssAuditor/img-onerror-non-ASCII-char2.html: Added.
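The comparison described in the message above, as an added example that is not part of this changeset or of WebKit: the two predicates mirror the old and new return expressions in XSSAuditor.cpp, while `canonicalize`, `sameAfterCanonicalization` and the sample strings are hypothetical. The U+00E6 versus U+FFFD mismatch is a constructed assumption about how the script and the parameter could come to differ in a non-ASCII character.

```cpp
#include <string>

// Predicate before r48564: backslash, '0', control characters and DEL only.
static bool isNonCanonicalOld(char16_t c)
{
    return c == u'\\' || c == u'0' || c < u' ' || c == 127;
}

// Predicate after r48564: additionally every code unit above 126.
static bool isNonCanonicalNew(char16_t c)
{
    return c == u'\\' || c == u'0' || c < u' ' || c >= 127;
}

// Hypothetical helper: copy s without the characters the predicate rejects.
static std::u16string canonicalize(const std::u16string& s, bool (*drop)(char16_t))
{
    std::u16string out;
    for (char16_t c : s) {
        if (!drop(c))
            out.push_back(c);
    }
    return out;
}

// Hypothetical stand-in for the comparison between script source and input parameter.
static bool sameAfterCanonicalization(const std::u16string& script, const std::u16string& parameter, bool (*drop)(char16_t))
{
    return canonicalize(script, drop) == canonicalize(parameter, drop);
}

// Constructed sample (assumption): one character is U+00E6 in the page's
// script but U+FFFD in the decoded request parameter.
static const std::u16string kScriptInPage = u"alert(/\u00E6/)";
static const std::u16string kRequestParameter = u"alert(/\uFFFD/)";

int main()
{
    // Old predicate keeps the differing code units, so the strings do not match.
    bool missedBefore = !sameAfterCanonicalization(kScriptInPage, kRequestParameter, isNonCanonicalOld);
    // New predicate drops them on both sides, so the strings match.
    bool caughtAfter = sameAfterCanonicalization(kScriptInPage, kRequestParameter, isNonCanonicalNew);
    // Cost: a string made only of non-ASCII characters canonicalizes to empty.
    bool emptyResidue = canonicalize(u"\u65E5\u672C", isNonCanonicalNew).empty();
    return (missedBefore && caughtAfter && emptyResidue) ? 0 : 1;
}
```

The last check shows the trade-off: after the change, any two inputs whose differences are confined to non-ASCII characters are indistinguishable to the comparison.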
Location:
trunk
Files:
8 added
3 edited

  • trunk/LayoutTests/ChangeLog

    r48562 r48564  
     12009-09-19  Daniel Bates  <dbates@webkit.org>
     2
     3        Reviewed by Adam Barth.
     4
     5        https://bugs.webkit.org/show_bug.cgi?id=29511
     6       
     7        Tests that scripts that contain non-ASCII characters do not bypass the XSSAuditor.
     8
     9        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-expected.txt: Added.
     10        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char.html: Added.
     11        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding-expected: Added.
     12        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding.html: Added.
     13        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding-expected.txt: Added.
     14        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding.html: Added.
     15        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-expected.txt: Added.
     16        * http/tests/security/xssAuditor/img-onerror-non-ASCII-char2.html: Added.
     17
    1182009-09-19  Simon Fraser  <simon.fraser@apple.com>
    219
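Review bot: The entry on line 11 lists `img-onerror-non-ASCII-char-default-encoding-expected` without the `.txt` suffix that the other three expected-result files carry (`...-expected.txt`). If the file was committed under that name it may not be picked up as the expected result for `img-onerror-non-ASCII-char-default-encoding.html` and should be renamed; if only the ChangeLog is wrong, correct the entry so it matches the file in the tree.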
  • trunk/WebCore/ChangeLog

    r48562 r48564  
     12009-09-19  Daniel Bates  <dbates@webkit.org>
     2
     3        Reviewed by Adam Barth.
     4
     5        https://bugs.webkit.org/show_bug.cgi?id=29511
     6       
     7        Fixes an issue where script code that contains non-ASCII characters may bypass the
     8        XSSAuditor.
     9       
     10        Before performing a comparison between the script source code and input parameters, we
     11        remove all non-ASCII characters, including non-printable ASCII characters from the
     12        script source code and input parameters.
     13
     14        Tests: http/tests/security/xssAuditor/img-onerror-non-ASCII-char.html
     15               http/tests/security/xssAuditor/img-onerror-non-ASCII-char-default-encoding.html
     16               http/tests/security/xssAuditor/img-onerror-non-ASCII-char2-default-encoding.html
     17               http/tests/security/xssAuditor/img-onerror-non-ASCII-char2.html
     18
     19        * page/XSSAuditor.cpp:
     20        (WebCore::isNonCanonicalCharacter): Modified to remove all non-ASCII characters,
     21        including non-printable ASCII characters.
     22
    1232009-09-19  Simon Fraser  <simon.fraser@apple.com>
    224
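Review bot: Lines 10-12 say what is stripped but not why a non-ASCII character lets a script get past the comparison, and "all non-ASCII characters, including non-printable ASCII characters" reads as if non-printable ASCII were a kind of non-ASCII. Suggest "all non-ASCII characters and all non-printable ASCII characters", plus one sentence naming the mismatch being fixed; two of the four listed tests are named default-encoding, so the encoding dependence is worth stating in the entry.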
  • trunk/WebCore/page/XSSAuditor.cpp

    r48458 r48564  
    4949static bool isNonCanonicalCharacter(UChar c)
    5050{
     51    // We remove all non-ASCII characters, including non-printable ASCII characters.
     52    //
    5153    // Note, we don't remove backslashes like PHP stripslashes(), which among other things converts "\\0" to the \0 character.
    5254    // Instead, we remove backslashes and zeros (since the string "\\0" =(remove backslashes)=> "0"). However, this has the
     
    5456    //
    5557    // For instance: new String("http://localhost:8000") => new String("http://localhost:8").
    56     return (c == '\\' || c == '0' || c < ' ' || c == 127);
     58    return (c == '\\' || c == '0' || c < ' ' || c >= 127);
    5759}
    5860
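Review bot: With `c >= 127` on new line 58, every code unit above printable ASCII is dropped from both sides before the comparison, so two strings that differ only in non-ASCII characters now compare equal and a string made up entirely of such characters canonicalizes to empty; the comment documents the equivalent side effect for zeros (the localhost:8000 example) but not this one. Please add that caveat next to the existing example, confirm that callers do not treat an empty canonical string as a match, and reword line 51 to "all non-ASCII characters and all non-printable ASCII characters", since non-printable ASCII is not a subset of non-ASCII. A named constant or `0x7F` with a note that it is DEL would also read better than the bare 127.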