Changeset 49668 in webkit
- Timestamp:
- Oct 15, 2009 6:27:33 PM (15 years ago)
- Location:
- trunk
- Files:
-
- 18 deleted
- 4 edited
trunk/LayoutTests/ChangeLog
r49667 r49668 1 2009-10-15 Daniel Bates <dbates@webkit.org> 2 3 No review, rolling out r49644. 4 http://trac.webkit.org/changeset/49644 5 6 * http/tests/security/xssAuditor/base-href-comment-expected.txt: Removed. 7 * http/tests/security/xssAuditor/base-href-comment.html: Removed. 8 * http/tests/security/xssAuditor/iframe-javascript-url-comment-expected.txt: Removed. 9 * http/tests/security/xssAuditor/iframe-javascript-url-comment.html: Removed. 10 * http/tests/security/xssAuditor/img-onerror-HTML-comment-expected.txt: Removed. 11 * http/tests/security/xssAuditor/img-onerror-HTML-comment.html: Removed. 12 * http/tests/security/xssAuditor/img-onerror-comment-expected.txt: Removed. 13 * http/tests/security/xssAuditor/img-onerror-comment.html: Removed. 14 * http/tests/security/xssAuditor/object-tag-comment-expected.txt: Removed. 15 * http/tests/security/xssAuditor/object-tag-comment.html: Removed. 16 * http/tests/security/xssAuditor/resources/echo-before-image.pl: Removed. 17 * http/tests/security/xssAuditor/resources/echo-head-base-href-comment.pl: Removed. 18 * http/tests/security/xssAuditor/script-tag-comment-HTML-entity-expected.txt: Removed. 19 * http/tests/security/xssAuditor/script-tag-comment-HTML-entity.html: Removed. 20 * http/tests/security/xssAuditor/script-tag-comment-expected.txt: Removed. 21 * http/tests/security/xssAuditor/script-tag-comment.html: Removed. 22 * http/tests/security/xssAuditor/script-tag-with-source-comment-expected.txt: Removed. 23 * http/tests/security/xssAuditor/script-tag-with-source-comment.html: Removed. 24 1 25 2009-10-15 Brian Weinstein <bweinstein@apple.com> 2 26 -
trunk/WebCore/ChangeLog
r49666 r49668 1 2009-10-15 Daniel Bates <dbates@webkit.org> 2 3 No review, rolling out r49644. 4 http://trac.webkit.org/changeset/49644 5 6 We need to think about this change some more. See bug #30418 7 for more details. 8 9 * page/XSSAuditor.cpp: 10 (WebCore::XSSAuditor::canEvaluate): 11 (WebCore::XSSAuditor::canEvaluateJavaScriptURL): 12 (WebCore::XSSAuditor::canCreateInlineEventListener): 13 (WebCore::XSSAuditor::canLoadExternalScriptFromSrc): 14 (WebCore::XSSAuditor::canLoadObject): 15 (WebCore::XSSAuditor::canSetBaseElementURL): 16 (WebCore::XSSAuditor::findInRequest): 17 * page/XSSAuditor.h: 18 1 19 2009-10-14 Jon Honeycutt <jhoneycutt@apple.com> 2 20 -
trunk/WebCore/page/XSSAuditor.cpp
r49644 r49668 47 47 namespace WebCore { 48 48 49 // Note, we believe it is sufficient to only look at a substring of 750 // characters (or less) of code. Observe that "alert()" is seven characters51 // in length.52 static const unsigned minAttackLength = 7;53 54 49 static bool isNonCanonicalCharacter(UChar c) 55 50 { … … 111 106 return true; 112 107 113 if (findInRequest( String(),code, false, true)) {108 if (findInRequest(code, false, true)) { 114 109 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n")); 115 110 m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String()); … … 124 119 return true; 125 120 126 if (findInRequest( String(),code, true, false, true)) {121 if (findInRequest(code, true, false, true)) { 127 122 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n")); 128 123 m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String()); … … 137 132 return true; 138 133 139 if (findInRequest( String(),code, true, true)) {134 if (findInRequest(code, true, true)) { 140 135 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n")); 141 136 m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String()); … … 160 155 return true; 161 156 162 if (findInRequest(context ,url)) {157 if (findInRequest(context + url)) { 163 158 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. 
Source code of script found within request.\n")); 164 159 m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String()); … … 173 168 return true; 174 169 175 if (findInRequest( String(),url)) {170 if (findInRequest(url)) { 176 171 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request")); 177 172 m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String()); … … 187 182 188 183 KURL baseElementURL(m_frame->document()->url(), url); 189 if (m_frame->document()->url().host() != baseElementURL.host() && findInRequest( String(),url)) {184 if (m_frame->document()->url().host() != baseElementURL.host() && findInRequest(url)) { 190 185 DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request")); 191 186 m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String()); … … 261 256 } 262 257 263 bool XSSAuditor::findInRequest(const String& context, const String&string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters,258 bool XSSAuditor::findInRequest(const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters, 264 259 bool decodeURLEscapeSequencesTwice) const 265 260 { … … 267 262 Frame* parentFrame = m_frame->tree()->parent(); 268 263 if (parentFrame && m_frame->document()->url() == blankURL()) 269 result = findInRequest(parentFrame, context,string, decodeEntities, allowRequestIfNoIllegalURICharacters, decodeURLEscapeSequencesTwice);264 result = findInRequest(parentFrame, string, decodeEntities, allowRequestIfNoIllegalURICharacters, decodeURLEscapeSequencesTwice); 270 265 if (!result) 271 result = findInRequest(m_frame, context,string, decodeEntities, allowRequestIfNoIllegalURICharacters, 
decodeURLEscapeSequencesTwice);266 result = findInRequest(m_frame, string, decodeEntities, allowRequestIfNoIllegalURICharacters, decodeURLEscapeSequencesTwice); 272 267 return result; 273 268 } 274 269 275 bool XSSAuditor::findInRequest(Frame* frame, const String& context, const String&string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters,270 bool XSSAuditor::findInRequest(Frame* frame, const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters, 276 271 bool decodeURLEscapeSequencesTwice) const 277 272 { … … 287 282 288 283 FormData* formDataObj = frame->loader()->documentLoader()->originalRequest().httpBody(); 289 const bool hasFormData = formDataObj && !formDataObj->isEmpty();290 284 String pageURL = frame->document()->url().string(); 291 292 String canonicalizedString; 293 if (!hasFormData && string.length() > 2 * pageURL.length()) { 285 286 if (!formDataObj && string.length() >= 2 * pageURL.length()) { 294 287 // Q: Why do we bother to do this check at all? 295 288 // A: Canonicalizing large inline scripts can be expensive. We want to 296 // reduce the size of the string before we call canonicalize below,297 // since it couldresult in an unneeded allocation and memcpy.289 // bail out before the call to canonicalize below, which could 290 // result in an unneeded allocation and memcpy. 298 291 // 299 292 // Q: Why do we multiply by two here? … … 303 296 // factor of two by sending " characters, which the server 304 297 // transforms to \". 
305 canonicalizedString = string.substring(0, 2 * pageURL.length()); 306 } else 307 canonicalizedString = string; 298 return false; 299 } 308 300 309 301 if (frame->document()->url().protocolIs("data")) 310 302 return false; 311 303 312 canonicalizedString = canonicalize(canonicalizedString);304 String canonicalizedString = canonicalize(string); 313 305 if (canonicalizedString.isEmpty()) 314 306 return false; 315 307 316 // We only look at the first minAttackLength characters to avoid looking at 317 // characters the attacker has pulled in from the page using an attack string 318 // like: <img onerror="alert(/XSS/);// 319 canonicalizedString = canonicalizedString.substring(0, minAttackLength); 320 321 if (!context.isEmpty()) 322 canonicalizedString = context + canonicalizedString; 323 324 String decodedPageURL = m_cache.canonicalizeURL(pageURL, frame->document()->decoder()->encoding(), decodeEntities, decodeURLEscapeSequencesTwice); 325 326 if (allowRequestIfNoIllegalURICharacters && !hasFormData && decodedPageURL.find(&isIllegalURICharacter, 0) == -1) 327 return false; // Injection is impossible because the request does not contain any illegal URI characters. 328 329 if (decodedPageURL.find(canonicalizedString, 0, false) != -1) 330 return true; // We've found the string in the GET data. 331 332 if (hasFormData) { 333 String decodedFormData = m_cache.canonicalizeURL(formDataObj->flattenToString(), frame->document()->decoder()->encoding(), decodeEntities, decodeURLEscapeSequencesTwice); 334 if (decodedFormData.find(canonicalizedString, 0, false) != -1) 335 return true; // We found the string in the POST data. 308 if (string.length() < pageURL.length()) { 309 // The string can actually fit inside the pageURL. 
310 String decodedPageURL = m_cache.canonicalizeURL(pageURL, frame->document()->decoder()->encoding(), decodeEntities, decodeURLEscapeSequencesTwice); 311 312 if (allowRequestIfNoIllegalURICharacters && (!formDataObj || formDataObj->isEmpty()) 313 && decodedPageURL.find(&isIllegalURICharacter, 0) == -1) 314 return false; // Injection is impossible because the request does not contain any illegal URI characters. 315 316 if (decodedPageURL.find(canonicalizedString, 0, false) != -1) 317 return true; // We've found the smoking gun. 318 } 319 320 if (formDataObj && !formDataObj->isEmpty()) { 321 String formData = formDataObj->flattenToString(); 322 if (string.length() < formData.length()) { 323 // Notice it is sufficient to compare the length of the string to 324 // the url-encoded POST data because the length of the url-decoded 325 // code is less than or equal to the length of the url-encoded 326 // string. 327 String decodedFormData = m_cache.canonicalizeURL(formData, frame->document()->decoder()->encoding(), decodeEntities, decodeURLEscapeSequencesTwice); 328 if (decodedFormData.find(canonicalizedString, 0, false) != -1) 329 return true; // We found the string in the POST data. 330 } 336 331 } 337 332 -
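Review bot: The two length gates restored in findInRequest(Frame*, ...) disagree with each other and with the comment that justifies them: the early bail-out returns false only when `string.length() >= 2 * pageURL.length()`, with the comment explaining that server-side escaping of `"` to `\"` can make the page text up to twice as long as the URL, yet the GET comparison a few lines later runs only when `string.length() < pageURL.length()`, so a script between one and two times the URL length is canonicalized and then never searched for in decodedPageURL. The removed minAttackLength block also recorded why gating on the raw `string` length is weak (page text absorbed into the script inflates it), and the revert's ChangeLog defers that question to bug #30418, so the restored code should carry a pointer such as `// FIXME(bug 30418): length gating on the raw string misses scripts that absorb trailing page text; the truncation approach was tried in r49644.` At minimum the two thresholds should agree, e.g. `if (!formDataObj && string.length() >= pageURL.length())` for the bail-out or `if (string.length() < 2 * pageURL.length())` for the GET check, but which bound is correct depends on the escaping argument and I would not guess here. The function's closing lines are outside the hunk.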
trunk/WebCore/page/XSSAuditor.h
r49644 r49668 123 123 static String decodeHTMLEntities(const String&, bool leaveUndecodableEntitiesUntouched = true); 124 124 125 bool findInRequest(const String& context, const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false,125 bool findInRequest(const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false, 126 126 bool decodeURLEscapeSequencesTwice = false) const; 127 bool findInRequest(Frame*, const String& context, const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false,127 bool findInRequest(Frame*, const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false, 128 128 bool decodeURLEscapeSequencesTwice = false) const; 129 129