Changeset 94828 in webkit
- Timestamp:
- Sep 8, 2011 7:40:09 PM (13 years ago)
- Location:
- trunk
- Files:
-
- 18 added
- 10 edited
trunk/LayoutTests/ChangeLog
r94827 r94828 1 2011-09-08 Daniel Bates <dbates@webkit.org> 2 3 XSS filter bypass via non-standard URL encoding 4 https://bugs.webkit.org/show_bug.cgi?id=66588 5 6 Reviewed by Adam Barth. 7 8 Add tests for decoding non-standard 16-bit Unicode escape sequences. 9 10 Also add a test to ensure that we don't cause an assertion failure when 11 calling window.open(""). 12 13 * http/tests/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl: Added. 14 (isUTF16Surrogate): 15 (decodeRunOf16BitUnicodeEscapeSequences): 16 (decode16BitUnicodeEscapeSequences): 17 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt: Added. 18 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt: Added. 19 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair.html: Added. 20 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode.html: Added. 21 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt: Added. 22 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode2.html: Added. 23 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt: Added. 24 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode3.html: Added. 25 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt: Added. 26 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode4.html: Added. 27 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt: Added. 28 * http/tests/security/xssAuditor/script-tag-with-16bit-unicode5.html: Added. 29 * http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt: Updated expected 30 result since we now pass this test. We should rename this file to something more descriptive, 31 see <https://bugs.webkit.org/show_bug.cgi?id=67818>. 32 * http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt: Added. 
33 * http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode.html: Added. 34 * http/tests/security/xssAuditor/window-open-without-url-should-not-assert-expected.txt: Added. 35 * http/tests/security/xssAuditor/window-open-without-url-should-not-assert.html: Added. 36 1 37 2011-09-08 Fumitoshi Ukai <ukai@chromium.org> 2 38 -
trunk/LayoutTests/http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt
r78776 r94828 1 ALERT: /XSS/ 1 CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request. 2 2 3 -
trunk/Source/WebCore/ChangeLog
r94825 r94828 1 2011-09-08 Daniel Bates <dbates@webkit.org> 2 3 XSS filter bypass via non-standard URL encoding 4 https://bugs.webkit.org/show_bug.cgi?id=66588 5 6 Reviewed by Adam Barth. 7 8 Tests: http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair.html 9 http/tests/security/xssAuditor/script-tag-with-16bit-unicode.html 10 http/tests/security/xssAuditor/script-tag-with-16bit-unicode2.html 11 http/tests/security/xssAuditor/script-tag-with-16bit-unicode3.html 12 http/tests/security/xssAuditor/script-tag-with-16bit-unicode4.html 13 http/tests/security/xssAuditor/script-tag-with-16bit-unicode5.html 14 http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode.html 15 http/tests/security/xssAuditor/window-open-without-url-should-not-assert.html 16 17 Implement support for decoding non-standard 16-bit Unicode escape sequences of 18 the form %u26C4 as described in <http://www.w3.org/International/iri-edit/draft-duerst-iri.html#anchor29>. 19 20 See also <http://en.wikipedia.org/wiki/Percent-encoding#Non-standard_implementations>. 21 22 * GNUmakefile.list.am: Added DecodeEscapeSequences.h. 23 * WebCore.gypi: Ditto. 24 * WebCore.pro: Ditto. 25 * WebCore.vcproj/WebCore.vcproj: Ditto. 26 * WebCore.xcodeproj/project.pbxproj: Ditto. 27 * html/parser/XSSAuditor.cpp: 28 (WebCore::decode16BitUnicodeEscapeSequences): Added. 29 (WebCore::decodeStandardURLEscapeSequences): Added. 30 (WebCore::fullyDecodeString): Modified to call decode16BitUnicodeEscapeSequences(). 31 (WebCore::XSSAuditor::init): Modified to return early when the URL of the document 32 is the empty string. This can happen when opening a new browser window or calling 33 window.open(""). 34 * platform/KURL.cpp: 35 (WebCore::decodeURLEscapeSequences): Abstracted code into template-function decodeEscapeSequences(). 36 This function just calls decodeEscapeSequences<URLEscapeSequence>(). 37 * platform/text/DecodeEscapeSequences.h: Added. 
38 (WebCore::Unicode16BitEscapeSequence::findInString): 39 (WebCore::Unicode16BitEscapeSequence::matchStringPrefix): 40 (WebCore::Unicode16BitEscapeSequence::decodeRun): 41 (WebCore::URLEscapeSequence::findInString): 42 (WebCore::URLEscapeSequence::matchStringPrefix): 43 (WebCore::URLEscapeSequence::decodeRun): 44 (WebCore::decodeEscapeSequences): 45 1 46 2011-09-08 Adam Barth <abarth@webkit.org> 2 47 -
trunk/Source/WebCore/GNUmakefile.list.am
r94694 r94828 2822 2822 Source/WebCore/platform/text/BidiResolver.h \ 2823 2823 Source/WebCore/platform/text/BidiRunList.h \ 2824 Source/WebCore/platform/text/DecodeEscapeSequences.h \ 2824 2825 Source/WebCore/platform/text/Hyphenation.cpp \ 2825 2826 Source/WebCore/platform/text/Hyphenation.h \ -
trunk/Source/WebCore/WebCore.gypi
r94783 r94828 847 847 'platform/text/BidiContext.h', 848 848 'platform/text/BidiResolver.h', 849 'platform/text/DecodeEscapeSequences.h', 849 850 'platform/text/LineBreakIteratorPoolICU.h', 850 851 'platform/text/LineEnding.h', -
trunk/Source/WebCore/WebCore.pro
r94694 r94828 2113 2113 platform/text/Base64.h \ 2114 2114 platform/text/BidiContext.h \ 2115 platform/text/DecodeEscapeSequences.h \ 2115 2116 platform/text/Hyphenation.h \ 2116 2117 platform/text/QuotedPrintable.h \ -
trunk/Source/WebCore/WebCore.vcproj/WebCore.vcproj
r94656 r94828 31550 31550 </File> 31551 31551 <File 31552 RelativePath="..\platform\text\DecodeEscapeSequences.h" 31553 > 31554 </File> 31555 <File 31552 31556 RelativePath="..\platform\text\Hyphenation.h" 31553 31557 > -
trunk/Source/WebCore/WebCore.xcodeproj/project.pbxproj
r94699 r94828 5450 5450 CEA3949C11D45CDA003094CF /* StaticHashSetNodeList.cpp in Sources */ = {isa = PBXBuildFile; fileRef = CEA3949A11D45CDA003094CF /* StaticHashSetNodeList.cpp */; }; 5451 5451 CEA3949D11D45CDA003094CF /* StaticHashSetNodeList.h in Headers */ = {isa = PBXBuildFile; fileRef = CEA3949B11D45CDA003094CF /* StaticHashSetNodeList.h */; }; 5452 CECCFC3B141973D5002A0AC1 /* DecodeEscapeSequences.h in Headers */ = {isa = PBXBuildFile; fileRef = CECCFC3A141973D5002A0AC1 /* DecodeEscapeSequences.h */; }; 5452 5453 CEF418CE1179678C009D112C /* ViewportArguments.cpp in Sources */ = {isa = PBXBuildFile; fileRef = CEF418CC1179678C009D112C /* ViewportArguments.cpp */; }; 5453 5454 CEF418CF1179678C009D112C /* ViewportArguments.h in Headers */ = {isa = PBXBuildFile; fileRef = CEF418CD1179678C009D112C /* ViewportArguments.h */; settings = {ATTRIBUTES = (Private, ); }; }; … … 12209 12210 CEA3949A11D45CDA003094CF /* StaticHashSetNodeList.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = StaticHashSetNodeList.cpp; sourceTree = "<group>"; }; 12210 12211 CEA3949B11D45CDA003094CF /* StaticHashSetNodeList.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = StaticHashSetNodeList.h; sourceTree = "<group>"; }; 12212 CECCFC3A141973D5002A0AC1 /* DecodeEscapeSequences.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = DecodeEscapeSequences.h; sourceTree = "<group>"; }; 12211 12213 CEF418CC1179678C009D112C /* ViewportArguments.cpp */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.cpp.cpp; path = ViewportArguments.cpp; sourceTree = "<group>"; }; 12212 12214 CEF418CD1179678C009D112C /* ViewportArguments.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = ViewportArguments.h; sourceTree = "<group>"; }; … … 18385 18387 B2C3D9F40D006C1D00EF6F26 /* BidiResolver.h */, 18386 18388 
A8C402921348B2220063F1E5 /* BidiRunList.h */, 18389 CECCFC3A141973D5002A0AC1 /* DecodeEscapeSequences.h */, 18387 18390 375CD231119D43C800A2A859 /* Hyphenation.h */, 18388 18391 A5ABB78613B904BC00F197E3 /* LineBreakIteratorPoolICU.h */, … … 23477 23480 1A927FD31416A15B003A83C8 /* npruntime.h in Headers */, 23478 23481 1A927FD41416A15B003A83C8 /* nptypes.h in Headers */, 23482 CECCFC3B141973D5002A0AC1 /* DecodeEscapeSequences.h in Headers */, 23479 23483 ); 23480 23484 runOnlyForDeploymentPostprocessing = 0; -
trunk/Source/WebCore/html/parser/XSSAuditor.cpp
r94225 r94828 1 1 /* 2 2 * Copyright (C) 2011 Adam Barth. All Rights Reserved. 3 * Copyright (C) 2011 Daniel Bates (dbates@intudata.com). 3 4 * 4 5 * Redistribution and use in source and binary forms, with or without … … 29 30 #include "Console.h" 30 31 #include "DOMWindow.h" 32 #include "DecodeEscapeSequences.h" 31 33 #include "Document.h" 32 34 #include "DocumentLoader.h" … … 116 118 } 117 119 120 static inline String decode16BitUnicodeEscapeSequences(const String& string) 121 { 122 // Note, the encoding is ignored since each %u-escape sequence represents a UTF-16 code unit. 123 return decodeEscapeSequences<Unicode16BitEscapeSequence>(string, UTF8Encoding()); 124 } 125 126 static inline String decodeStandardURLEscapeSequences(const String& string, const TextEncoding& encoding) 127 { 128 // We use decodeEscapeSequences() instead of decodeURLEscapeSequences() (declared in KURL.h) to 129 // avoid platform-specific URL decoding differences (e.g. KURLGoogle). 130 return decodeEscapeSequences<URLEscapeSequence>(string, encoding); 131 } 132 118 133 static String fullyDecodeString(const String& string, const TextResourceDecoder* decoder) 119 134 { 135 const TextEncoding& encoding = decoder ? 
decoder->encoding() : UTF8Encoding(); 120 136 size_t oldWorkingStringLength; 121 137 String workingString = string; 122 138 do { 123 139 oldWorkingStringLength = workingString.length(); 124 workingString = decode URLEscapeSequences(workingString);140 workingString = decode16BitUnicodeEscapeSequences(decodeStandardURLEscapeSequences(workingString, encoding)); 125 141 } while (workingString.length() < oldWorkingStringLength); 126 if (decoder) { 127 CString workingStringUTF8 = workingString.utf8(); 128 String decodedString = decoder->encoding().decode(workingStringUTF8.data(), workingStringUTF8.length()); 129 if (!decodedString.isEmpty()) 130 workingString = decodedString; 131 } 142 ASSERT(!workingString.isEmpty()); 132 143 workingString.replace('+', ' '); 133 144 workingString = canonicalize(workingString); … … 169 180 170 181 const KURL& url = m_parser->document()->url(); 182 183 if (url.isEmpty()) { 184 // The URL can be empty when opening a new browser window or calling window.open(""). 185 m_isEnabled = false; 186 return; 187 } 171 188 172 189 if (url.protocolIsData()) { -
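Review bot: The rewritten decode loop in fullyDecodeString carries no explanation of why the two decoders are composed in that order or why the loop is guaranteed to stop on attacker-controlled input, and that argument is worth writing down next to the `do { ... } while (workingString.length() < oldWorkingStringLength)` loop. Suggested comment above the loop: `// Each pass decodes %XX runs in the document's encoding and then %uXXXX runs; a decoded run is always shorter than its escaped form, so the string strictly shrinks until no escape remains and the fixed point is reached within length(string) passes. The order matters: %25u003C becomes %u003C and then '<' in a single pass.` (the "always shorter" part assumes the new template, like the removed KURL code, replaces each run with its decoding rather than something longer — confirm against DecodeEscapeSequences.h, which is not on this page). Separately, the new `ASSERT(!workingString.isEmpty())` is compiled out in release builds, so the only thing actually keeping an empty string out of this path is the `url.isEmpty()` early return added to init(); any other caller of fullyDecodeString (for example one passing a request body) needs the same guard rather than relying on the assert. The remainder of fullyDecodeString and the body of init() continue outside this hunk.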
trunk/Source/WebCore/platform/KURL.cpp
r94640 r94828 27 27 #include "KURL.h" 28 28 29 #include "DecodeEscapeSequences.h" 29 30 #include "TextEncoding.h" 30 31 #include <stdio.h> … … 252 253 } 253 254 254 static inline int hexDigitValue(UChar c)255 {256 ASSERT(isASCIIHexDigit(c));257 if (c < 'A')258 return c - '0';259 return (c - 'A' + 10) & 0xF; // handle both upper and lower case without a branch260 }261 262 255 // Copies the source to the destination, assuming all the source characters are 263 256 // ASCII. The destination buffer must be large enough. Null characters are allowed … … 934 927 } 935 928 936 String decodeURLEscapeSequences(const String& str) 937 { 938 return decodeURLEscapeSequences(str, UTF8Encoding()); 939 } 940 941 String decodeURLEscapeSequences(const String& str, const TextEncoding& encoding) 942 { 943 StringBuilder result; 944 945 CharBuffer buffer; 946 947 unsigned length = str.length(); 948 unsigned decodedPosition = 0; 949 unsigned searchPosition = 0; 950 size_t encodedRunPosition; 951 while ((encodedRunPosition = str.find('%', searchPosition)) != notFound) { 952 // Find the sequence of %-escape codes. 953 unsigned encodedRunEnd = encodedRunPosition; 954 while (length - encodedRunEnd >= 3 955 && str[encodedRunEnd] == '%' 956 && isASCIIHexDigit(str[encodedRunEnd + 1]) 957 && isASCIIHexDigit(str[encodedRunEnd + 2])) 958 encodedRunEnd += 3; 959 searchPosition = encodedRunEnd; 960 if (encodedRunEnd == encodedRunPosition) { 961 ++searchPosition; 962 continue; 963 } 964 965 // Decode the %-escapes into bytes. 966 unsigned runLength = (encodedRunEnd - encodedRunPosition) / 3; 967 buffer.resize(runLength); 968 char* p = buffer.data(); 969 const UChar* q = str.characters() + encodedRunPosition; 970 for (unsigned i = 0; i < runLength; ++i) { 971 *p++ = (hexDigitValue(q[1]) << 4) | hexDigitValue(q[2]); 972 q += 3; 973 } 974 975 // Decode the bytes into Unicode characters. 976 String decoded = (encoding.isValid() ? 
encoding : UTF8Encoding()).decode(buffer.data(), p - buffer.data()); 977 if (decoded.isEmpty()) 978 continue; 979 980 // Build up the string with what we just skipped and what we just decoded. 981 result.append(str.characters() + decodedPosition, encodedRunPosition - decodedPosition); 982 result.append(decoded); 983 decodedPosition = encodedRunEnd; 984 } 985 986 result.append(str.characters() + decodedPosition, length - decodedPosition); 987 988 return result.toString(); 929 String decodeURLEscapeSequences(const String& string) 930 { 931 return decodeEscapeSequences<URLEscapeSequence>(string, UTF8Encoding()); 932 } 933 934 String decodeURLEscapeSequences(const String& string, const TextEncoding& encoding) 935 { 936 return decodeEscapeSequences<URLEscapeSequence>(string, encoding); 989 937 } 990 938
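Review bot: The new two-argument decodeURLEscapeSequences forwards `encoding` straight into decodeEscapeSequences&lt;URLEscapeSequence&gt;, whereas the removed body had two defensive behaviors that are no longer visible here: it fell back to UTF8Encoding() when `encoding.isValid()` was false, and it left a %-run untouched (`continue`) when decoding it produced an empty string. DecodeEscapeSequences.h is not part of this page, so whether the template preserves either behavior cannot be confirmed from the hunk; if it does not, callers that pass an invalid TextEncoding now get whatever the template does with it instead of a UTF-8 decode. If the fallback lives in the template, a one-line comment on this wrapper would save the next reader the trip: `// An invalid encoding falls back to UTF-8 inside decodeEscapeSequences().`; otherwise restore it at the call site: `return decodeEscapeSequences<URLEscapeSequence>(string, encoding.isValid() ? encoding : UTF8Encoding());`.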