Changeset 95065 in webkit

Timestamp:

Sep 13, 2011 6:19:04 PM (13 years ago)

Author:

commit-queue@webkit.org

Message:

Fix XSS auditor bypass when inline handlers contain comments.
​https://bugs.webkit.org/show_bug.cgi?id=27895

Patch by Tom Sepez <​tsepez@chromium.org> on 2011-09-13
Reviewed by Adam Barth.

Source/WebCore:

Tests: http/tests/security/xssAuditor/property-escape-comment.html

http/tests/security/xssAuditor/property-escape-entity.html
http/tests/security/xssAuditor/property-escape-quote.html

• html/parser/XSSAuditor.cpp:

(WebCore::XSSAuditor::snippetForAttribute):

LayoutTests:

• http/tests/security/xssAuditor/malformed-HTML-expected.txt:
• http/tests/security/xssAuditor/open-attribute-body-expected.txt:
• http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt:
• http/tests/security/xssAuditor/property-escape-comment-expected.txt: Added.
• http/tests/security/xssAuditor/property-escape-comment.html: Added.
• http/tests/security/xssAuditor/property-escape-entity-expected.txt: Added.
• http/tests/security/xssAuditor/property-escape-entity.html: Added.
• http/tests/security/xssAuditor/property-escape-quote-expected.txt: Added.
• http/tests/security/xssAuditor/property-escape-quote.html: Added.
• http/tests/security/xssAuditor/resources/echo-property.pl:

Location:

trunk

Files:

• LayoutTests/ChangeLog (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/malformed-HTML-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/open-attribute-body-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt (modified) (1 diff)
• LayoutTests/http/tests/security/xssAuditor/property-escape-comment-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/property-escape-comment.html (added)
• LayoutTests/http/tests/security/xssAuditor/property-escape-entity-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/property-escape-entity.html (added)
• LayoutTests/http/tests/security/xssAuditor/property-escape-quote-expected.txt (added)
• LayoutTests/http/tests/security/xssAuditor/property-escape-quote.html (added)
• LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl (modified) (1 diff)
• Source/WebCore/ChangeLog (modified) (1 diff)
• Source/WebCore/html/parser/XSSAuditor.cpp (modified) (2 diffs)

trunk/LayoutTests/ChangeLog

@@ +1 @@
+2011-09-13  Tom Sepez  <tsepez@chromium.org>
+
+        Fix XSS auditor bypass when inline handlers contain comments.
+        https://bugs.webkit.org/show_bug.cgi?id=27895
+
+        Reviewed by Adam Barth.
+
+        * http/tests/security/xssAuditor/malformed-HTML-expected.txt:
+        * http/tests/security/xssAuditor/open-attribute-body-expected.txt:
+        * http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt:
+        * http/tests/security/xssAuditor/property-escape-comment-expected.txt: Added.
+        * http/tests/security/xssAuditor/property-escape-comment.html: Added.
+        * http/tests/security/xssAuditor/property-escape-entity-expected.txt: Added.
+        * http/tests/security/xssAuditor/property-escape-entity.html: Added.
+        * http/tests/security/xssAuditor/property-escape-quote-expected.txt: Added.
+        * http/tests/security/xssAuditor/property-escape-quote.html: Added.
+        * http/tests/security/xssAuditor/resources/echo-property.pl:
+
 2011-09-13  Fumitoshi Ukai  <ukai@chromium.org>
 

trunk/LayoutTests/http/tests/security/xssAuditor/malformed-HTML-expected.txt

@@ +1 @@
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+
 
 

trunk/LayoutTests/http/tests/security/xssAuditor/open-attribute-body-expected.txt

@@ -1 @@
-ALERT: /XSS/
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
 
+

trunk/LayoutTests/http/tests/security/xssAuditor/open-event-handler-iframe-expected.txt

@@ -1 @@
-ALERT: /XSS/
+CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
 
+

trunk/LayoutTests/http/tests/security/xssAuditor/resources/echo-property.pl

@@ -11 +11 @@
 print "<body foo=\"";
 print $cgi->param('q');
+if ($cgi->param('clutter')) {
+    print $cgi->param('clutter');
+}
 print "\">\n";
 print "</body>\n";

trunk/Source/WebCore/ChangeLog

@@ +1 @@
+2011-09-13  Tom Sepez  <tsepez@chromium.org>
+
+        Fix XSS auditor bypass when inline handlers contain comments.
+        https://bugs.webkit.org/show_bug.cgi?id=27895
+
+        Reviewed by Adam Barth.
+
+        Tests: http/tests/security/xssAuditor/property-escape-comment.html
+               http/tests/security/xssAuditor/property-escape-entity.html
+               http/tests/security/xssAuditor/property-escape-quote.html
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::XSSAuditor::snippetForAttribute):
+
 2011-09-13  Kentaro Hara  <haraken@google.com>
 

trunk/Source/WebCore/html/parser/XSSAuditor.cpp

@@ -71 +71 @@
 }
 
+static bool isTerminatingCharacter(UChar c) 
+{
+    return (c == '&' || c == '/' || c == '"' || c == '\'');
+}
+
+static bool isHTMLQuote(UChar c)
+{
+    return (c == '"' || c == '\'');
+}
+
 static bool hasName(const HTMLToken& token, const QualifiedName& name)
 {
@@ -469 +479 @@
 String XSSAuditor::snippetForAttribute(const HTMLToken& token, const HTMLToken::Attribute& attribute)
 {
+    // The range doesn't inlcude the character which terminates the value. So,
+    // for an input of |name="value"|, the snippet is |name="value|. For an
+    // unquoted input of |name=value |, the snippet is |name=value|.
     // FIXME: We should grab one character before the name also.
     int start = attribute.m_nameRange.m_start - token.startIndex();
-    // FIXME: We probably want to grab only the first few characters of the attribute value.
     int end = attribute.m_valueRange.m_end - token.startIndex();
-    return snippetForRange(token, start, end);
+    String snippet = snippetForRange(token, start, end);
+
+    // Beware of trailing characters which came from the page itself, not the 
+    // injected vector. Excluding the terminating character covers common cases
+    // where the page immediately ends the attribute, but doesn't cover more
+    // complex cases where there is other page data following the injection. 
+    // Generally, these won't parse as javascript, so the injected vector
+    // typically excludes them from consideration via a single-line comment or
+    // by enclosing them in a string literal terminated later by the page's own
+    // closing punctuation. Since the snippet has not been parsed, the vector
+    // may also try to introduce these via entities. As a result, we'd like to
+    // stop before the first "//", the first entity, or the first quote not
+    // immediately following the first equals sign (taking whitespace into
+    // consideration). To keep things simpler, we don't try to distinguish
+    // between entity-introducing amperands vs. other uses, nor do we bother to
+    // check for a second slash for a comment, stoping instead on any ampersand
+    // or slash.
+    size_t position;
+    if ((position = snippet.find("=")) != notFound
+        && (position = snippet.find(isNotHTMLSpace, position + 1)) != notFound
+        && (position = snippet.find(isTerminatingCharacter, isHTMLQuote(snippet[position]) ? position + 1 : position)) != notFound) {
+        snippet.truncate(position);
+    }
+
+    return snippet;
 }