Changeset 49668 in webkit


Timestamp:
Oct 15, 2009 6:27:33 PM (15 years ago)
Author:
dbates@webkit.org
Message:

2009-10-15 Daniel Bates <dbates@webkit.org>

No review, rolling out r49644.
http://trac.webkit.org/changeset/49644


We need to think about this change some more. See bug #30418
for more details.

  • page/XSSAuditor.cpp:
    (WebCore::XSSAuditor::canEvaluate):
    (WebCore::XSSAuditor::canEvaluateJavaScriptURL):
    (WebCore::XSSAuditor::canCreateInlineEventListener):
    (WebCore::XSSAuditor::canLoadExternalScriptFromSrc):
    (WebCore::XSSAuditor::canLoadObject):
    (WebCore::XSSAuditor::canSetBaseElementURL):
    (WebCore::XSSAuditor::findInRequest):
  • page/XSSAuditor.h:

2009-10-15 Daniel Bates <dbates@webkit.org>

No review, rolling out r49644.
http://trac.webkit.org/changeset/49644

  • http/tests/security/xssAuditor/base-href-comment-expected.txt: Removed.
  • http/tests/security/xssAuditor/base-href-comment.html: Removed.
  • http/tests/security/xssAuditor/iframe-javascript-url-comment-expected.txt: Removed.
  • http/tests/security/xssAuditor/iframe-javascript-url-comment.html: Removed.
  • http/tests/security/xssAuditor/img-onerror-HTML-comment-expected.txt: Removed.
  • http/tests/security/xssAuditor/img-onerror-HTML-comment.html: Removed.
  • http/tests/security/xssAuditor/img-onerror-comment-expected.txt: Removed.
  • http/tests/security/xssAuditor/img-onerror-comment.html: Removed.
  • http/tests/security/xssAuditor/object-tag-comment-expected.txt: Removed.
  • http/tests/security/xssAuditor/object-tag-comment.html: Removed.
  • http/tests/security/xssAuditor/resources/echo-before-image.pl: Removed.
  • http/tests/security/xssAuditor/resources/echo-head-base-href-comment.pl: Removed.
  • http/tests/security/xssAuditor/script-tag-comment-HTML-entity-expected.txt: Removed.
  • http/tests/security/xssAuditor/script-tag-comment-HTML-entity.html: Removed.
  • http/tests/security/xssAuditor/script-tag-comment-expected.txt: Removed.
  • http/tests/security/xssAuditor/script-tag-comment.html: Removed.
  • http/tests/security/xssAuditor/script-tag-with-source-comment-expected.txt: Removed.
  • http/tests/security/xssAuditor/script-tag-with-source-comment.html: Removed.
Location:
trunk
Files:
18 deleted
4 edited

  • trunk/LayoutTests/ChangeLog

    r49667 r49668  
     12009-10-15  Daniel Bates  <dbates@webkit.org>
     2
     3        No review, rolling out r49644.
     4        http://trac.webkit.org/changeset/49644
     5
     6        * http/tests/security/xssAuditor/base-href-comment-expected.txt: Removed.
     7        * http/tests/security/xssAuditor/base-href-comment.html: Removed.
     8        * http/tests/security/xssAuditor/iframe-javascript-url-comment-expected.txt: Removed.
     9        * http/tests/security/xssAuditor/iframe-javascript-url-comment.html: Removed.
     10        * http/tests/security/xssAuditor/img-onerror-HTML-comment-expected.txt: Removed.
     11        * http/tests/security/xssAuditor/img-onerror-HTML-comment.html: Removed.
     12        * http/tests/security/xssAuditor/img-onerror-comment-expected.txt: Removed.
     13        * http/tests/security/xssAuditor/img-onerror-comment.html: Removed.
     14        * http/tests/security/xssAuditor/object-tag-comment-expected.txt: Removed.
     15        * http/tests/security/xssAuditor/object-tag-comment.html: Removed.
     16        * http/tests/security/xssAuditor/resources/echo-before-image.pl: Removed.
     17        * http/tests/security/xssAuditor/resources/echo-head-base-href-comment.pl: Removed.
     18        * http/tests/security/xssAuditor/script-tag-comment-HTML-entity-expected.txt: Removed.
     19        * http/tests/security/xssAuditor/script-tag-comment-HTML-entity.html: Removed.
     20        * http/tests/security/xssAuditor/script-tag-comment-expected.txt: Removed.
     21        * http/tests/security/xssAuditor/script-tag-comment.html: Removed.
     22        * http/tests/security/xssAuditor/script-tag-with-source-comment-expected.txt: Removed.
     23        * http/tests/security/xssAuditor/script-tag-with-source-comment.html: Removed.
     24
    1252009-10-15  Brian Weinstein  <bweinstein@apple.com>
    226
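Review bot: The LayoutTests/ChangeLog entry (lines 3-4 of the hunk) records only the rollout and the changeset URL, while the WebCore/ChangeLog entry for the same revision also gives the reason ("We need to think about this change some more. See bug #30418"); carrying that sentence into this entry as well would let someone reading the test removals on their own find the bug. Since the 18 test files listed here are deleted rather than skipped, the bug should also record that they are to be restored with whatever replaces r49644.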
  • trunk/WebCore/ChangeLog

    r49666 r49668  
     12009-10-15  Daniel Bates  <dbates@webkit.org>
     2
     3        No review, rolling out r49644.
     4        http://trac.webkit.org/changeset/49644
     5       
     6        We need to think about this change some more. See bug #30418
     7        for more details.
     8
     9        * page/XSSAuditor.cpp:
     10        (WebCore::XSSAuditor::canEvaluate):
     11        (WebCore::XSSAuditor::canEvaluateJavaScriptURL):
     12        (WebCore::XSSAuditor::canCreateInlineEventListener):
     13        (WebCore::XSSAuditor::canLoadExternalScriptFromSrc):
     14        (WebCore::XSSAuditor::canLoadObject):
     15        (WebCore::XSSAuditor::canSetBaseElementURL):
     16        (WebCore::XSSAuditor::findInRequest):
     17        * page/XSSAuditor.h:
     18
    1192009-10-14  Jon Honeycutt  <jhoneycutt@apple.com>
    220
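Review bot: Line 5 of the hunk is a blank line carrying trailing whitespace (visible as "5       "), which WebKit ChangeLog entries do not use; strip it before landing. Otherwise the entry names every function in XSSAuditor.cpp whose signature or call site changes in this revision, and the pointer to bug #30418 is the right place to record what still needs thought.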
  • trunk/WebCore/page/XSSAuditor.cpp

    r49644 r49668  
    4747namespace WebCore {
    4848
    49 // Note, we believe it is sufficient to only look at a substring of 7
    50 // characters (or less) of code.  Observe that "alert()" is seven characters
    51 // in length.
    52 static const unsigned minAttackLength = 7;
    53 
    5449static bool isNonCanonicalCharacter(UChar c)
    5550{
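Review bot: Removing `minAttackLength` here is consistent only because the findInRequest hunk later in this file drops the one use visible in this changeset (`canonicalizedString.substring(0, minAttackLength)`); the comment being removed with it was the only place recording why seven characters ("alert()") was chosen as the shortest string worth matching, so that rationale should be captured in bug #30418 rather than lost with the revert.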
     
    111106        return true;
    112107
    113     if (findInRequest(String(), code, false, true)) {
     108    if (findInRequest(code, false, true)) {
    114109        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n"));
    115110        m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
     
    124119        return true;
    125120
    126     if (findInRequest(String(), code, true, false, true)) {
     121    if (findInRequest(code, true, false, true)) {
    127122        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n"));
    128123        m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
     
    137132        return true;
    138133
    139     if (findInRequest(String(), code, true, true)) {
     134    if (findInRequest(code, true, true)) {
    140135        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n"));
    141136        m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
     
    160155        return true;
    161156
    162     if (findInRequest(context, url)) {
     157    if (findInRequest(context + url)) {
    163158        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n"));
    164159        m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
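Review bot: Restoring `findInRequest(context + url)` at +157 means the concatenated string, not just the URL, is what findInRequest later measures against the page URL length and canonicalizes, so a long `context` prefix counts toward the early `return false` in that length check; with the reverted two-argument form the context was prepended only after the URL had been canonicalized and truncated. That is the pre-r49644 behaviour and is acceptable for a rollout, but bug #30418 should list the context/length interaction as one of the things to settle.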
     
    173168        return true;
    174169
    175     if (findInRequest(String(), url)) {
     170    if (findInRequest(url)) {
    176171        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request"));
    177172        m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
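Review bot: The console message at +171 ("...found within request") lacks the terminating period and newline that the same message carries in canEvaluate, canEvaluateJavaScriptURL and canCreateInlineEventListener ("...found within request.\n"); the canSetBaseElementURL hunk below has the same variant. These are unchanged context lines, so the inconsistency is not introduced here, but the messages should be unified, ideally by sharing one static string.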
     
    187182   
    188183    KURL baseElementURL(m_frame->document()->url(), url);
    189     if (m_frame->document()->url().host() != baseElementURL.host() && findInRequest(String(), url)) {
     184    if (m_frame->document()->url().host() != baseElementURL.host() && findInRequest(url)) {
    190185        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request"));
    191186        m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
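Review bot: The message logged at +185 says "Refused to execute a JavaScript script", but what this check blocks is setting a base element URL on a different host (the condition compares `m_frame->document()->url().host()` with `baseElementURL.host()` before calling findInRequest); a message that names the base element would make the console output usable when someone is diagnosing a false positive on this path.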
     
    261256}
    262257
    263 bool XSSAuditor::findInRequest(const String& context, const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters,
     258bool XSSAuditor::findInRequest(const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters,
    264259                               bool decodeURLEscapeSequencesTwice) const
    265260{
     
    267262    Frame* parentFrame = m_frame->tree()->parent();
    268263    if (parentFrame && m_frame->document()->url() == blankURL())
    269         result = findInRequest(parentFrame, context, string, decodeEntities, allowRequestIfNoIllegalURICharacters, decodeURLEscapeSequencesTwice);
     264        result = findInRequest(parentFrame, string, decodeEntities, allowRequestIfNoIllegalURICharacters, decodeURLEscapeSequencesTwice);
    270265    if (!result)
    271         result = findInRequest(m_frame, context, string, decodeEntities, allowRequestIfNoIllegalURICharacters, decodeURLEscapeSequencesTwice);
     266        result = findInRequest(m_frame, string, decodeEntities, allowRequestIfNoIllegalURICharacters, decodeURLEscapeSequencesTwice);
    272267    return result;
    273268}
    274269
    275 bool XSSAuditor::findInRequest(Frame* frame, const String& context, const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters,
     270bool XSSAuditor::findInRequest(Frame* frame, const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters,
    276271                               bool decodeURLEscapeSequencesTwice) const
    277272{
     
    287282
    288283    FormData* formDataObj = frame->loader()->documentLoader()->originalRequest().httpBody();
    289     const bool hasFormData = formDataObj && !formDataObj->isEmpty();
    290284    String pageURL = frame->document()->url().string();
    291    
    292     String canonicalizedString;
    293     if (!hasFormData && string.length() > 2 * pageURL.length()) {
     285
     286    if (!formDataObj && string.length() >= 2 * pageURL.length()) {
    294287        // Q: Why do we bother to do this check at all?
    295288        // A: Canonicalizing large inline scripts can be expensive.  We want to
    296         //    reduce the size of the string before we call canonicalize below,
    297         //    since it could result in an unneeded allocation and memcpy.
     289        //    bail out before the call to canonicalize below, which could
     290        //    result in an unneeded allocation and memcpy.
    298291        //
    299292        // Q: Why do we multiply by two here?
     
    303296        //    factor of two by sending " characters, which the server
    304297        //    transforms to \".
    305         canonicalizedString = string.substring(0, 2 * pageURL.length());
    306     } else
    307         canonicalizedString = string;
     298        return false;
     299    }
    308300
    309301    if (frame->document()->url().protocolIs("data"))
    310302        return false;
    311303
    312     canonicalizedString = canonicalize(canonicalizedString);
     304    String canonicalizedString = canonicalize(string);
    313305    if (canonicalizedString.isEmpty())
    314306        return false;
    315307
    316     // We only look at the first minAttackLength characters to avoid looking at
    317     // characters the attacker has pulled in from the page using an attack string
    318     // like: <img onerror="alert(/XSS/);//
    319     canonicalizedString = canonicalizedString.substring(0, minAttackLength);
    320 
    321     if (!context.isEmpty())
    322         canonicalizedString = context + canonicalizedString;
    323 
    324     String decodedPageURL = m_cache.canonicalizeURL(pageURL, frame->document()->decoder()->encoding(), decodeEntities, decodeURLEscapeSequencesTwice);
    325 
    326     if (allowRequestIfNoIllegalURICharacters && !hasFormData && decodedPageURL.find(&isIllegalURICharacter, 0) == -1)
    327         return false; // Injection is impossible because the request does not contain any illegal URI characters.
    328 
    329     if (decodedPageURL.find(canonicalizedString, 0, false) != -1)
    330         return true;  // We've found the string in the GET data.
    331 
    332     if (hasFormData) {
    333         String decodedFormData = m_cache.canonicalizeURL(formDataObj->flattenToString(), frame->document()->decoder()->encoding(), decodeEntities, decodeURLEscapeSequencesTwice);
    334         if (decodedFormData.find(canonicalizedString, 0, false) != -1)
    335             return true;  // We found the string in the POST data.
     308    if (string.length() < pageURL.length()) {
     309        // The string can actually fit inside the pageURL.
     310        String decodedPageURL = m_cache.canonicalizeURL(pageURL, frame->document()->decoder()->encoding(), decodeEntities, decodeURLEscapeSequencesTwice);
     311
     312        if (allowRequestIfNoIllegalURICharacters && (!formDataObj || formDataObj->isEmpty())
     313            && decodedPageURL.find(&isIllegalURICharacter, 0) == -1)
     314            return false; // Injection is impossible because the request does not contain any illegal URI characters.
     315
     316        if (decodedPageURL.find(canonicalizedString, 0, false) != -1)
     317            return true;  // We've found the smoking gun.
     318    }
     319
     320    if (formDataObj && !formDataObj->isEmpty()) {
     321        String formData = formDataObj->flattenToString();
     322        if (string.length() < formData.length()) {
     323            // Notice it is sufficient to compare the length of the string to
     324            // the url-encoded POST data because the length of the url-decoded
     325            // code is less than or equal to the length of the url-encoded
     326            // string.
     327            String decodedFormData = m_cache.canonicalizeURL(formData, frame->document()->decoder()->encoding(), decodeEntities, decodeURLEscapeSequencesTwice);
     328            if (decodedFormData.find(canonicalizedString, 0, false) != -1)
     329                return true;  // We found the string in the POST data.
     330        }
    336331    }
    337332
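Review bot: The restored early-out at +286 (`if (!formDataObj && string.length() >= 2 * pageURL.length()) return false;`) means an inline script at least twice the length of the page URL is not audited at all, and +308 further skips the GET comparison whenever `string.length() >= pageURL.length()`; the reverted code instead truncated to `2 * pageURL.length()` and then to `minAttackLength` before searching, and the removed comment at -316..-318 explains that matching only a short prefix was meant to avoid being misled by characters pulled in from the page. That coverage difference is the substance bug #30418 has to resolve. Separately, the three form-data tests in this hunk use different predicates: +286 tests `!formDataObj` while +312 and +320 test `formDataObj && !formDataObj->isEmpty()`, so an empty but non-null httpBody disables the length early-out at +286 yet counts as "no form data" at +312 and +320; the reverted `hasFormData` local kept these consistent and is worth retaining even in the rolled-back form.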
  • trunk/WebCore/page/XSSAuditor.h

    r49644 r49668  
    123123        static String decodeHTMLEntities(const String&, bool leaveUndecodableEntitiesUntouched = true);
    124124
    125         bool findInRequest(const String& context, const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false,
     125        bool findInRequest(const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false,
    126126                           bool decodeURLEscapeSequencesTwice = false) const;
    127         bool findInRequest(Frame*, const String& context, const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false,
     127        bool findInRequest(Frame*, const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false,
    128128                           bool decodeURLEscapeSequencesTwice = false) const;
    129129
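Review bot: The declarations at +125 and +127 still take three positional booleans with defaults (`decodeEntities`, `allowRequestIfNoIllegalURICharacters`, `decodeURLEscapeSequencesTwice`), so call sites such as `findInRequest(code, true, false, true)` in XSSAuditor.cpp can only be read against this header; this predates the rollout, but a flags enum or a comment at each call site would make the per-check decoding choices reviewable. The .cpp definitions in this revision match these signatures, so nothing is left referencing the removed `context` parameter.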