Changeset 86087 in webkit
Timestamp:
May 9, 2011 2:20:21 PM
Author:
abarth@webkit.org
Message:

2011-05-09 Adam Barth <abarth@webkit.org>

Reviewed by Daniel Bates.

XSSAuditor should be more selective about the <meta http-equivs> that it blocks
https://bugs.webkit.org/show_bug.cgi?id=60489

We don't need to filter most http-equiv attributes. This patch
introduces a blacklist for two that we probably do want to filter.
It's possible a whitelist would be more appropriate, but I'm inclined
to start with a blacklist and see how it works.

This patch will hopefully fix a false positive that is causing errors
with copy-and-pasted text in Gmail in some configurations (due to using
the <meta> tag to request UTF-8 encoding both in the pasted text and in
the page itself).

  • html/parser/XSSFilter.cpp:
    (WebCore::isNonCanonicalCharacter):
    (WebCore::canonicalize):
    (WebCore::isRequiredForInjection):
    (WebCore::hasName):
    (WebCore::findAttributeWithName):
    (WebCore::isNameOfInlineEventHandler):
    (WebCore::isDangerousHTTPEquiv):
      - This function is new in the patch and includes a blacklist of dangerous http-equivs. Many of the other functions listed here are just being moved from an anonymous namespace to use static for internal linkage.
    (WebCore::containsJavaScriptURL):
    (WebCore::decodeURL):
    (WebCore::XSSFilter::eraseAttributeIfInjected):

Location:
trunk
Files:
2 added
2 edited

  • trunk/Source/WebCore/ChangeLog

    r86085 r86087  
     12011-05-09  Adam Barth  <abarth@webkit.org>
     2
     3        Reviewed by Daniel Bates.
     4
     5        XSSAuditor should be more selective about the <meta http-equivs> that it blocks
     6        https://bugs.webkit.org/show_bug.cgi?id=60489
     7
     8        We don't need to filter most http-equiv attributes.  This patch
     9        introduces a blacklist for two that we probably do want to filter.
     10        It's possible a whitelist would be more appropriate, but I'm inclined
     11        to start with a blacklist and see how it works.
     12
     13        This patch will hopefully fix a false positive that is causing errors
     14        with copy-and-pasted text in Gmail in some configurations (due to using
     15        the <meta> tag to request UTF-8 encoding both in the pasted text and in
     16        the page itself).
     17
     18        * html/parser/XSSFilter.cpp:
     19        (WebCore::isNonCanonicalCharacter):
     20        (WebCore::canonicalize):
     21        (WebCore::isRequiredForInjection):
     22        (WebCore::hasName):
     23        (WebCore::findAttributeWithName):
     24        (WebCore::isNameOfInlineEventHandler):
     25        (WebCore::isDangerousHTTPEquiv):
     26            - This function is new in the patch and includes a blacklist of
     27              dangerous http-equivs.  Many of the other functions listed here
     28              are just being moved from an anonymous namespace to use static
     29              for internal linkage.
     30        (WebCore::containsJavaScriptURL):
     31        (WebCore::decodeURL):
     32        (WebCore::XSSFilter::eraseAttributeIfInjected):
     33
    1342011-05-05  Matthew Delaney  <mdelaney@apple.com>
    235
  • trunk/Source/WebCore/html/parser/XSSFilter.cpp

    r85484 r86087  
    4545using namespace HTMLNames;
    4646
    47 namespace {
    48 
    49 bool isNonCanonicalCharacter(UChar c)
     47static bool isNonCanonicalCharacter(UChar c)
    5048{
    5149    // We remove all non-ASCII characters, including non-printable ASCII characters.
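Review bot: the anonymous-namespace-to-static conversion of isNonCanonicalCharacter (continued for the other helpers in the hunks below and finished by removing the namespace's closing brace) is a mechanical linkage change independent of the http-equiv fix; landing it as its own changeset would keep this patch's one behavioural change easy to review and to bisect.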
     
    5957}
    6058
    61 String canonicalize(const String& string)
     59static String canonicalize(const String& string)
    6260{
    6361    return string.removeCharacters(&isNonCanonicalCharacter);
    6462}
    6563
    66 bool isRequiredForInjection(UChar c)
     64static bool isRequiredForInjection(UChar c)
    6765{
    6866    return (c == '\'' || c == '"' || c == '<' || c == '>');
    6967}
    7068
    71 bool hasName(const HTMLToken& token, const QualifiedName& name)
     69static bool hasName(const HTMLToken& token, const QualifiedName& name)
    7270{
    7371    return equalIgnoringNullity(token.name(), static_cast<const String&>(name.localName()));
    7472}
    7573
    76 bool findAttributeWithName(const HTMLToken& token, const QualifiedName& name, size_t& indexOfMatchingAttribute)
     74static bool findAttributeWithName(const HTMLToken& token, const QualifiedName& name, size_t& indexOfMatchingAttribute)
    7775{
    7876    for (size_t i = 0; i < token.attributes().size(); ++i) {
     
    8583}
    8684
    87 bool isNameOfInlineEventHandler(const Vector<UChar, 32>& name)
     85static bool isNameOfInlineEventHandler(const Vector<UChar, 32>& name)
    8886{
    8987    const size_t lengthOfShortestInlineEventHandlerName = 5; // To wit: oncut.
     
    9391}
    9492
    95 bool containsJavaScriptURL(const Vector<UChar, 32>& value)
     93static bool isDangerousHTTPEquiv(const String& value)
     94{
     95    String equiv = value.stripWhiteSpace();
     96    return equalIgnoringCase(equiv, "refresh") || equalIgnoringCase(equiv, "set-cookie");
     97}
     98
     99static bool containsJavaScriptURL(const Vector<UChar, 32>& value)
    96100{
    97101    static const char javaScriptScheme[] = "javascript:";
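Review bot: isDangerousHTTPEquiv has no comment explaining why refresh and set-cookie are the two blacklisted values, and the commit message itself calls the pair a first attempt ("probably do want to filter"); add a short rationale above the function (refresh can navigate the page elsewhere, set-cookie can write cookies) and state that every other http-equiv value is now deliberately passed through, so a later reader knows the criterion for extending the list. A test covering the normalisation (`value.stripWhiteSpace()` plus `equalIgnoringCase`, e.g. ` Refresh ` and `SET-COOKIE`) would also pin down that the comparison is intentionally lenient about case and surrounding whitespace.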
     
    110114}
    111115
    112 String decodeURL(const String& string, const TextEncoding& encoding)
     116static String decodeURL(const String& string, const TextEncoding& encoding)
    113117{
    114118    String workingString = string;
     
    121125        return canonicalize(workingString);
    122126    return canonicalize(decodedString);
    123 }
    124 
    125127}
    126128
     
    422424            if (attributeName == srcAttr && isSameOriginResource(String(attribute.m_value.data(), attribute.m_value.size())))
    423425                return false;
     426            if (attributeName == http_equivAttr && !isDangerousHTTPEquiv(String(attribute.m_value.data(), attribute.m_value.size())))
     427                return false;
    424428            token.eraseValueOfAttribute(indexOfAttribute);
    425429            if (!replacementValue.isEmpty())
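Review bot: the new http_equivAttr branch rebuilds `String(attribute.m_value.data(), attribute.m_value.size())` that the srcAttr branch directly above already constructs; hoist the value into a local before the two `if` statements so it is built once and both checks read the same name. The early `return false` leaves a non-dangerous http-equiv in place on the same path that otherwise reaches `token.eraseValueOfAttribute(indexOfAttribute)`, which is the intended fix for the UTF-8 `<meta>` false positive, but a one-line comment at the check saying that only refresh and set-cookie are erased would make that intent obvious at the call site.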