Changeset 48680 in webkit

Timestamp:

Sep 23, 2009 11:19:02 AM (15 years ago)

Author:

dbates@webkit.org

Message:

2009-09-23 Daniel Bates <​dbates@webkit.org>

Reviewed by Adam Barth.

​https://bugs.webkit.org/show_bug.cgi?id=29523

Fixes an issue where a JavaScript URL that was URL-encoded twice can bypass the
XSSAuditor.

The method FrameLoader::executeIfJavaScriptURL decodes the URL escape
sequences in a JavaScript URL before it is eventually passed to the XSSAuditor.
Because the XSSAuditor also decodes the URL escape sequences as part of its
canonicalization, the double decoding of a JavaScript URL would
not match the canonicalization of the input parameters.

Tests: http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html

http/tests/security/xssAuditor/javascript-link-url-encoded.html

• bindings/js/ScriptController.cpp: (WebCore::ScriptController::evaluate): Moved call to XSSAuditor::canEvaluateJavaScriptURL into FrameLoader::executeIfJavaScriptURL.
• bindings/v8/ScriptController.cpp: (WebCore::ScriptController::evaluate): Ditto.
• loader/FrameLoader.cpp: (WebCore::FrameLoader::executeIfJavaScriptURL): Modified to call XSSAuditor::canEvaluateJavaScriptURL on the JavaScript URL before it is decoded.

2009-09-23 Daniel Bates <​dbates@webkit.org>

Reviewed by Adam Barth.

​https://bugs.webkit.org/show_bug.cgi?id=29523

Tests that JavaScript URLs that were URL-encoded twice do not bypass the XSSAuditor.

• http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt: Added.
• http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html: Added.
• http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt: Added.
• http/tests/security/xssAuditor/javascript-link-url-encoded.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html (added)
• LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/js/ScriptController.cpp (modified) (1 diff)
• WebCore/bindings/v8/ScriptController.cpp (modified) (1 diff)
• WebCore/loader/FrameLoader.cpp (modified) (1 diff)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2009-09-23  Daniel Bates  <dbates@webkit.org>
+
+        Reviewed by Adam Barth.
+
+        https://bugs.webkit.org/show_bug.cgi?id=29523
+        
+        Tests that JavaScript URLs that were URL-encoded twice do not bypass the XSSAuditor.
+
+        * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt: Added.
+        * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html: Added.
+        * http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt: Added.
+        * http/tests/security/xssAuditor/javascript-link-url-encoded.html: Added.
+
 2009-09-23  Dave Hyatt  <hyatt@apple.com>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2009-09-23  Daniel Bates  <dbates@webkit.org>
+
+        Reviewed by Adam Barth.
+
+        https://bugs.webkit.org/show_bug.cgi?id=29523
+        
+        Fixes an issue where a JavaScript URL that was URL-encoded twice can bypass the
+        XSSAuditor.
+        
+        The method FrameLoader::executeIfJavaScriptURL decodes the URL escape 
+        sequences in a JavaScript URL before it is eventually passed to the XSSAuditor.
+        Because the XSSAuditor also decodes the URL escape sequences as part of its
+        canonicalization, the double decoding of a JavaScript URL would
+        not match the canonicalization of the input parameters.
+
+        Tests: http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html
+               http/tests/security/xssAuditor/javascript-link-url-encoded.html
+
+        * bindings/js/ScriptController.cpp:
+        (WebCore::ScriptController::evaluate): Moved call to 
+        XSSAuditor::canEvaluateJavaScriptURL into FrameLoader::executeIfJavaScriptURL.
+        * bindings/v8/ScriptController.cpp:
+        (WebCore::ScriptController::evaluate): Ditto.
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::executeIfJavaScriptURL): Modified to call 
+        XSSAuditor::canEvaluateJavaScriptURL on the JavaScript URL before it is
+        decoded.
+
 2009-09-22  Dave Hyatt  <hyatt@apple.com>
 

trunk/WebCore/bindings/js/ScriptController.cpp

@@ -86 +86 @@
     String sourceURL = jsSourceCode.provider()->url();
     
-    if (sourceURL.isNull() && !m_XSSAuditor->canEvaluateJavaScriptURL(sourceCode.source())) {
-        // This JavaScript URL is not safe to be evaluated.
-        return JSValue();
-    }
-    
-    if (!sourceURL.isNull() && !m_XSSAuditor->canEvaluate(sourceCode.source())) {
+    if (!m_XSSAuditor->canEvaluate(sourceCode.source())) {
         // This script is not safe to be evaluated.
         return JSValue();

trunk/WebCore/bindings/v8/ScriptController.cpp

@@ -201 +201 @@
     String sourceURL = sourceCode.url();
     
-    if (sourceURL.isNull() && !m_XSSAuditor->canEvaluateJavaScriptURL(sourceCode.source())) {
-        // This JavaScript URL is not safe to be evaluated.
-        return ScriptValue();
-    }
-    
-    if (!sourceURL.isNull() && !m_XSSAuditor->canEvaluate(sourceCode.source())) {
+    if (!m_XSSAuditor->canEvaluate(sourceCode.source())) {
         // This script is not safe to be evaluated.
         return ScriptValue();

trunk/WebCore/loader/FrameLoader.cpp

@@ -747 +747 @@
     const int javascriptSchemeLength = sizeof("javascript:") - 1;
 
-    String script = decodeURLEscapeSequences(url.string().substring(javascriptSchemeLength));
-    ScriptValue result = executeScript(script, userGesture);
+    String script = url.string().substring(javascriptSchemeLength);
+    ScriptValue result;
+    if (m_frame->script()->xssAuditor()->canEvaluateJavaScriptURL(script))
+        result = executeScript(decodeURLEscapeSequences(script), userGesture);
 
     String scriptResult;