Changeset 49434 in webkit

Timestamp:

Oct 11, 2009 11:50:09 PM (15 years ago)

Author:

dbates@webkit.org

Message:

2009-10-11 Daniel Bates <​dbates@webkit.org>

Reviewed by Adam Barth.

​https://bugs.webkit.org/show_bug.cgi?id=30242

Fixes an issue where JavaScript URLs that are URL-encoded twice can
bypass the XSSAuditor.

JavaScript URLs that are completed by method Document::completeURL have added
URL-encoded characters such that a direct comparison with the URL-decoded
outgoing HTTP parameters is not sufficient. Instead, the URL-decoded outgoing
HTTP parameters must be URL-decoded before comparison.

Tests: http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode.html

http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2.html
http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3.html

• bindings/ScriptControllerBase.cpp: (WebCore::ScriptController::executeIfJavaScriptURL): Modified to pass XSSAuditor the URL-decoded source code for the JavaScript URL.
• page/XSSAuditor.cpp: (WebCore::isIllegalURICharacter): Minor syntactical change to the comment. (WebCore::XSSAuditor::CachingURLCanonicalizer::canonicalizeURL): Added parameter decodeURLEscapeSequencesTwice. (WebCore::XSSAuditor::canEvaluateJavaScriptURL): (WebCore::XSSAuditor::decodeURL): Ditto. (WebCore::XSSAuditor::findInRequest): Ditto.
• page/XSSAuditor.h: (WebCore::XSSAuditor::CachingURLCanonicalizer::CachingURLCanonicalizer): Ditto.

2009-10-11 Daniel Bates <​dbates@webkit.org>

Reviewed by Adam Barth.

​https://bugs.webkit.org/show_bug.cgi?id=30242

Tests that JavaScript URLs that are twice URL encoded do not bypass the XSSAuditor.

• http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt: Added.
• http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode.html: Added.
• http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt: Added.
• http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2.html: Added.
• http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt: Added.
• http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3.html: Added.

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode.html (added)
• LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2.html (added)
• LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3.html (added)
• WebCore/ChangeLog (modified) (1 diff)
• WebCore/bindings/ScriptControllerBase.cpp (modified) (1 diff)
• WebCore/page/XSSAuditor.cpp (modified) (7 diffs)
• WebCore/page/XSSAuditor.h (modified) (3 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2009-10-11  Daniel Bates  <dbates@webkit.org>
+
+        Reviewed by Adam Barth.
+
+        https://bugs.webkit.org/show_bug.cgi?id=30242
+        
+        Tests that JavaScript URLs that are twice URL encoded do not bypass the XSSAuditor.
+
+        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode-expected.txt: Added.
+        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode.html: Added.
+        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2-expected.txt: Added.
+        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2.html: Added.
+        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3-expected.txt: Added.
+        * http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3.html: Added.
+
 2009-10-11  Dan Bernstein  <mitz@apple.com>
 

trunk/WebCore/ChangeLog

@@ +1 @@
+2009-10-11  Daniel Bates  <dbates@webkit.org>
+
+        Reviewed by Adam Barth.
+
+        https://bugs.webkit.org/show_bug.cgi?id=30242
+        
+        Fixes an issue where JavaScript URLs that are URL-encoded twice can 
+        bypass the XSSAuditor.
+        
+        JavaScript URLs that are completed by method Document::completeURL have added
+        URL-encoded characters such that a direct comparison with the URL-decoded 
+        outgoing HTTP parameters is not sufficient. Instead, the URL-decoded outgoing 
+        HTTP parameters must be URL-decoded before comparison.
+
+        Tests: http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode.html
+               http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode2.html
+               http/tests/security/xssAuditor/iframe-javascript-url-twice-url-encode3.html
+
+        * bindings/ScriptControllerBase.cpp:
+        (WebCore::ScriptController::executeIfJavaScriptURL): Modified to pass XSSAuditor
+        the URL-decoded source code for the JavaScript URL.
+        * page/XSSAuditor.cpp:
+        (WebCore::isIllegalURICharacter): Minor syntactical change to the comment.
+        (WebCore::XSSAuditor::CachingURLCanonicalizer::canonicalizeURL): Added 
+        parameter decodeURLEscapeSequencesTwice.
+        (WebCore::XSSAuditor::canEvaluateJavaScriptURL):
+        (WebCore::XSSAuditor::decodeURL): Ditto.
+        (WebCore::XSSAuditor::findInRequest): Ditto.
+        * page/XSSAuditor.h:
+        (WebCore::XSSAuditor::CachingURLCanonicalizer::CachingURLCanonicalizer): Ditto.
+
 2009-10-11  Dominic Cooney  <dominicc@google.com>
 

trunk/WebCore/bindings/ScriptControllerBase.cpp

@@ -64 +64 @@
     const int javascriptSchemeLength = sizeof("javascript:") - 1;
 
-    String script = url.string().substring(javascriptSchemeLength);
+    String script = decodeURLEscapeSequences(url.string().substring(javascriptSchemeLength));
     ScriptValue result;
     if (xssAuditor()->canEvaluateJavaScriptURL(script))
-        result = executeScript(decodeURLEscapeSequences(script), userGesture);
+        result = executeScript(script, userGesture);
 
     String scriptResult;

trunk/WebCore/page/XSSAuditor.cpp

@@ -66 +66 @@
     //
     // If the request does not contain these characters then we can assume that no inline scripts have been injected 
-    // into response page, because it is impossible to write an inline script of the form <script>...</script>
+    // into the response page, because it is impossible to write an inline script of the form <script>...</script>
     // without "<", ">".
     return (c == '\'' || c == '"' || c == '<' || c == '>');
 }
 
-String XSSAuditor::CachingURLCanonicalizer::canonicalizeURL(const String& url, const TextEncoding& encoding, bool decodeEntities)
-{
-    if (decodeEntities == m_decodeEntities && encoding == m_encoding && url == m_inputURL)
+String XSSAuditor::CachingURLCanonicalizer::canonicalizeURL(const String& url, const TextEncoding& encoding, bool decodeEntities, 
+                                                            bool decodeURLEscapeSequencesTwice)
+{
+    if (decodeEntities == m_decodeEntities && decodeURLEscapeSequencesTwice == m_decodeURLEscapeSequencesTwice 
+        && encoding == m_encoding && url == m_inputURL)
         return m_cachedCanonicalizedURL;
 
-    m_cachedCanonicalizedURL = canonicalize(decodeURL(url, encoding, decodeEntities));
+    m_cachedCanonicalizedURL = canonicalize(decodeURL(url, encoding, decodeEntities, decodeURLEscapeSequencesTwice));
     m_inputURL = url;
     m_encoding = encoding;
     m_decodeEntities = decodeEntities;
+    m_decodeURLEscapeSequencesTwice = decodeURLEscapeSequencesTwice;
     return m_cachedCanonicalizedURL;
 }
@@ -116 +119 @@
         return true;
 
-    if (findInRequest(code)) {
+    if (findInRequest(code, true, false, true)) {
         DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n"));
         m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
@@ -183 +186 @@
 }
 
-String XSSAuditor::decodeURL(const String& string, const TextEncoding& encoding, bool decodeEntities)
+String XSSAuditor::decodeURL(const String& string, const TextEncoding& encoding, bool decodeEntities, bool decodeURLEscapeSequencesTwice)
 {
     String result;
@@ -194 +197 @@
     if (!decodedResult.isEmpty())
         result = decodedResult;
+    if (decodeURLEscapeSequencesTwice) {
+        result = decodeURLEscapeSequences(result);
+        utf8Url = result.utf8();
+        decodedResult = encoding.decode(utf8Url.data(), utf8Url.length());
+        if (!decodedResult.isEmpty())
+            result = decodedResult;
+    }
     if (decodeEntities)
         result = decodeHTMLEntities(result);
@@ -236 +246 @@
 }
 
-bool XSSAuditor::findInRequest(const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters) const
+bool XSSAuditor::findInRequest(const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters, 
+                               bool decodeURLEscapeSequencesTwice) const
 {
     bool result = false;
     Frame* parentFrame = m_frame->tree()->parent();
     if (parentFrame && m_frame->document()->url() == blankURL())
-        result = findInRequest(parentFrame, string, decodeEntities, allowRequestIfNoIllegalURICharacters);
+        result = findInRequest(parentFrame, string, decodeEntities, allowRequestIfNoIllegalURICharacters, decodeURLEscapeSequencesTwice);
     if (!result)
-        result = findInRequest(m_frame, string, decodeEntities, allowRequestIfNoIllegalURICharacters);
+        result = findInRequest(m_frame, string, decodeEntities, allowRequestIfNoIllegalURICharacters, decodeURLEscapeSequencesTwice);
     return result;
 }
 
-bool XSSAuditor::findInRequest(Frame* frame, const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters) const
+bool XSSAuditor::findInRequest(Frame* frame, const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters, 
+                               bool decodeURLEscapeSequencesTwice) const
 {
     ASSERT(frame->document());
@@ -286 +298 @@
     if (string.length() < pageURL.length()) {
         // The string can actually fit inside the pageURL.
-        String decodedPageURL = m_cache.canonicalizeURL(pageURL, frame->document()->decoder()->encoding(), decodeEntities);
+        String decodedPageURL = m_cache.canonicalizeURL(pageURL, frame->document()->decoder()->encoding(), decodeEntities, decodeURLEscapeSequencesTwice);
 
         if (allowRequestIfNoIllegalURICharacters && (!formDataObj || formDataObj->isEmpty()) 
@@ -303 +315 @@
             // code is less than or equal to the length of the url-encoded
             // string.
-            String decodedFormData = m_cache.canonicalizeURL(formData, frame->document()->decoder()->encoding(), decodeEntities);
+            String decodedFormData = m_cache.canonicalizeURL(formData, frame->document()->decoder()->encoding(), decodeEntities, decodeURLEscapeSequencesTwice);
             if (decodedFormData.find(canonicalizedString, 0, false) != -1)
                 return true;  // We found the string in the POST data.

trunk/WebCore/page/XSSAuditor.h

@@ -103 +103 @@
         {
         public:
-            CachingURLCanonicalizer() : m_decodeEntities(false) { }
-            String canonicalizeURL(const String& url, const TextEncoding& encoding, bool decodeEntities);
+            CachingURLCanonicalizer() : m_decodeEntities(false), m_decodeURLEscapeSequencesTwice(false) { }
+            String canonicalizeURL(const String& url, const TextEncoding& encoding, bool decodeEntities, 
+                                   bool decodeURLEscapeSequencesTwice);
 
         private:
@@ -111 +112 @@
             TextEncoding m_encoding;
             bool m_decodeEntities;
+            bool m_decodeURLEscapeSequencesTwice;
 
             // The cached result.
@@ -117 +119 @@
 
         static String canonicalize(const String&);
-        static String decodeURL(const String& url, const TextEncoding& encoding, bool decodeEntities);
+        static String decodeURL(const String& url, const TextEncoding& encoding, bool decodeEntities, 
+                                bool decodeURLEscapeSequencesTwice = false);
         static String decodeHTMLEntities(const String&, bool leaveUndecodableEntitiesUntouched = true);
 
-        bool findInRequest(const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false) const;
-        bool findInRequest(Frame*, const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false) const;
+        bool findInRequest(const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false, 
+                           bool decodeURLEscapeSequencesTwice = false) const;
+        bool findInRequest(Frame*, const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false, 
+                           bool decodeURLEscapeSequencesTwice = false) const;
 
         // The frame to audit.