Changeset 77059 in webkit


Timestamp:
Jan 29, 2011 1:20:44 AM (13 years ago)
Author:
abarth@webkit.org
Message:

2011-01-29 Adam Barth <abarth@webkit.org>

Reviewed by Daniel Bates.

XSSFilter should pass xssAuditor/script-tag-addslashes*
https://bugs.webkit.org/show_bug.cgi?id=53365

We need to canonicalize strings to avoid being tricked by addslashes.

  • html/parser/XSSFilter.cpp:
    (WebCore::HTMLNames::isNonCanonicalCharacter):
      • This function is copied from the XSSAuditor (with some tweaks). We'll eventually remove the XSSAuditor once we've got XSSFilter working properly.
    (WebCore::HTMLNames::canonicalize):
    (WebCore::HTMLNames::decodeURL):
    (WebCore::XSSFilter::isContainedInRequest):

Location:
trunk/Source/WebCore
Files:
2 edited

  • trunk/Source/WebCore/ChangeLog

    r77058 r77059  
     12011-01-29  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Daniel Bates.
     4
     5        XSSFilter should pass xssAuditor/script-tag-addslashes*
     6        https://bugs.webkit.org/show_bug.cgi?id=53365
     7
     8        We need to canonicalize strings to avoid being tricked by addslashes.
     9
     10        * html/parser/XSSFilter.cpp:
     11        (WebCore::HTMLNames::isNonCanonicalCharacter):
     12            - This function is copied from the XSSAuditor (with some tweaks).
     13              We'll eventually remove the XSSAuditor once we've got XSSFilter
     14              working properly.
     15        (WebCore::HTMLNames::canonicalize):
     16        (WebCore::HTMLNames::decodeURL):
     17        (WebCore::XSSFilter::isContainedInRequest):
     18
    1192011-01-29  Adam Barth  <abarth@webkit.org>
    220
  • trunk/Source/WebCore/html/parser/XSSFilter.cpp

    r77058 r77059  
    4646namespace {
    4747
     48bool isNonCanonicalCharacter(UChar c)
     49{
     50    // We remove all non-ASCII characters, including non-printable ASCII characters.
     51    //
     52    // Note, we don't remove backslashes like PHP stripslashes(), which among other things converts "\\0" to the \0 character.
     53    // Instead, we remove backslashes and zeros (since the string "\\0" =(remove backslashes)=> "0"). However, this has the
     54    // adverse effect that we remove any legitimate zeros from a string.
     55    //
     56    // For instance: new String("http://localhost:8000") => new String("http://localhost:8").
     57    return (c == '\\' || c == '0' || c == '\0' || c >= 127);
     58}
     59
     60String canonicalize(const String& string)
     61{
     62    return string.removeCharacters(&isNonCanonicalCharacter);
     63}
     64
    4865bool hasName(const HTMLToken& token, const QualifiedName& name)
    4966{
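Review bot: the comment above isNonCanonicalCharacter() says non-printable ASCII characters are removed, but the return expression only strips '\\', '0', '\0' and c >= 127, so control characters 1..31 (tab, newline, etc.) survive canonicalization; either extend the predicate (e.g. c < 32) or narrow the comment to what the code actually does. It is also worth stating in the comment that stripping every '0' is applied to both sides of the comparison, so the loss is one-directional: it can only make more snippets appear contained in the request (false positives for the filter), never fewer, and a test pinning the "http://localhost:8000" example from the comment would make that tradeoff explicit.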
     
    7996    // FIXME: Is this check necessary?
    8097    if (decodedString.isEmpty())
    81         return workingString;
    82     return decodedString;
     98        return canonicalize(workingString);
     99    return canonicalize(decodedString);
    83100}
    84101
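Review bot: the FIXME question is left open by this change, and the empty-result fallback now returns canonicalize(workingString), so a decode that yields an empty string silently falls back to matching the raw, undecoded input; if that is intended, a sentence explaining when decodedString can be empty belongs here, otherwise the two returns should collapse into a single return canonicalize(decodedString). The ordering itself is right: canonicalizing after URL-decoding means a percent-encoded backslash or NUL is stripped rather than surviving as an escape sequence.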
     
    325342bool XSSFilter::isContainedInRequest(const String& snippet)
    326343{
    327     return m_decodedURL.find(snippet, 0, false) != notFound || m_decodedHTTPBody.find(snippet, 0, false) != notFound;
     344    String canonicalizedSnippet = canonicalize(snippet);
     345    return m_decodedURL.find(canonicalizedSnippet, 0, false) != notFound
     346        || m_decodedHTTPBody.find(canonicalizedSnippet, 0, false) != notFound;
    328347}
    329348
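Review bot: canonicalize() removes every '\\' and '0' from the snippet, so a snippet consisting only of those characters (for example "0" or "\\0") canonicalizes to the empty string, and String::find() with an empty needle returns 0 rather than notFound, which makes isContainedInRequest() answer true; add an early `if (canonicalizedSnippet.isEmpty()) return false;` before the find() calls. The comparison also only holds if m_decodedURL and m_decodedHTTPBody were produced through the same canonicalization (decodeURL() now does this); a comment or ASSERT here would document that dependency, since a snippet with its zeros stripped can never be found in a request string that still contains them.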