Changeset 48680 in webkit
- Timestamp: Sep 23, 2009 11:19:02 AM
- Location: trunk
- Files: 4 added, 5 edited
trunk/LayoutTests/ChangeLog
r48679 r48680 1 2009-09-23 Daniel Bates <dbates@webkit.org> 2 3 Reviewed by Adam Barth. 4 5 https://bugs.webkit.org/show_bug.cgi?id=29523 6 7 Tests that JavaScript URLs that were URL-encoded twice do not bypass the XSSAuditor. 8 9 * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt: Added. 10 * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html: Added. 11 * http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt: Added. 12 * http/tests/security/xssAuditor/javascript-link-url-encoded.html: Added. 13 1 14 2009-09-23 Dave Hyatt <hyatt@apple.com> 2 15 -
trunk/WebCore/ChangeLog
r48679 r48680 1 2009-09-23 Daniel Bates <dbates@webkit.org> 2 3 Reviewed by Adam Barth. 4 5 https://bugs.webkit.org/show_bug.cgi?id=29523 6 7 Fixes an issue where a JavaScript URL that was URL-encoded twice can bypass the 8 XSSAuditor. 9 10 The method FrameLoader::executeIfJavaScriptURL decodes the URL escape 11 sequences in a JavaScript URL before it is eventually passed to the XSSAuditor. 12 Because the XSSAuditor also decodes the URL escape sequences as part of its 13 canonicalization, the double decoding of a JavaScript URL would 14 not match the canonicalization of the input parameters. 15 16 Tests: http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html 17 http/tests/security/xssAuditor/javascript-link-url-encoded.html 18 19 * bindings/js/ScriptController.cpp: 20 (WebCore::ScriptController::evaluate): Moved call to 21 XSSAuditor::canEvaluateJavaScriptURL into FrameLoader::executeIfJavaScriptURL. 22 * bindings/v8/ScriptController.cpp: 23 (WebCore::ScriptController::evaluate): Ditto. 24 * loader/FrameLoader.cpp: 25 (WebCore::FrameLoader::executeIfJavaScriptURL): Modified to call 26 XSSAuditor::canEvaluateJavaScriptURL on the JavaScript URL before it is 27 decoded. 28 1 29 2009-09-22 Dave Hyatt <hyatt@apple.com> 2 30 -
trunk/WebCore/bindings/js/ScriptController.cpp
r48057 r48680 86 86 String sourceURL = jsSourceCode.provider()->url(); 87 87 88 if (sourceURL.isNull() && !m_XSSAuditor->canEvaluateJavaScriptURL(sourceCode.source())) { 89 // This JavaScript URL is not safe to be evaluated. 90 return JSValue(); 91 } 92 93 if (!sourceURL.isNull() && !m_XSSAuditor->canEvaluate(sourceCode.source())) { 88 if (!m_XSSAuditor->canEvaluate(sourceCode.source())) { 94 89 // This script is not safe to be evaluated. 95 90 return JSValue(); -
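Review bot: dropping the `sourceURL.isNull()` guards changes behaviour beyond the move described in the ChangeLog: `canEvaluate` now runs for JavaScript URLs as well (their decoded source reaches `evaluate` through `executeScript`), where before only `canEvaluateJavaScriptURL` applied to them. That is a reasonable tightening, but it should be stated in the ChangeLog so the double check is understood as intentional. Also confirm that `String sourceURL = jsSourceCode.provider()->url();` is still read further down now that this condition no longer uses it; otherwise it is a dead local.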
trunk/WebCore/bindings/v8/ScriptController.cpp
r48057 r48680 201 201 String sourceURL = sourceCode.url(); 202 202 203 if (sourceURL.isNull() && !m_XSSAuditor->canEvaluateJavaScriptURL(sourceCode.source())) { 204 // This JavaScript URL is not safe to be evaluated. 205 return ScriptValue(); 206 } 207 208 if (!sourceURL.isNull() && !m_XSSAuditor->canEvaluate(sourceCode.source())) { 203 if (!m_XSSAuditor->canEvaluate(sourceCode.source())) { 209 204 // This script is not safe to be evaluated. 210 205 return ScriptValue(); -
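Review bot: the JSC and V8 `evaluate` paths now carry an identical `canEvaluate` gate, and the auditor is only effective if the two bindings stay in lock-step; consider factoring the check into a shared helper so a later change to one binding cannot silently diverge from the other.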
trunk/WebCore/loader/FrameLoader.cpp
r48661 r48680 747 747 const int javascriptSchemeLength = sizeof("javascript:") - 1; 748 748 749 String script = decodeURLEscapeSequences(url.string().substring(javascriptSchemeLength)); 750 ScriptValue result = executeScript(script, userGesture); 749 String script = url.string().substring(javascriptSchemeLength); 750 ScriptValue result; 751 if (m_frame->script()->xssAuditor()->canEvaluateJavaScriptURL(script)) 752 result = executeScript(decodeURLEscapeSequences(script), userGesture); 751 753 752 754 String scriptResult;
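Review bot: when the auditor rejects, `result` is left as a default-constructed `ScriptValue`, so the `String scriptResult;` handling that follows must treat an empty result as "do not run, do not navigate" rather than as a script that simply returned nothing; please confirm that path, since the old code always had a real result here. The ordering itself is right: `canEvaluateJavaScriptURL(script)` is now given the still-encoded string, the auditor decodes once during its own canonicalization, and `decodeURLEscapeSequences` is applied only on the guarded path, so the percent-decoded text is never produced unless the raw URL has been approved. A one-line comment at the `if` noting that the auditor must see the undecoded URL (to avoid the double decoding from bug 29523) would save the next reader a trip to the bug tracker.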