[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.15.1-1414-gc69ee75

dbates at webkit.org dbates at webkit.org
Thu Oct 29 20:32:33 UTC 2009


The following commit has been merged in the webkit-1.1 branch:
commit 6d39efc0fee7df8f86f69249bee64af6c7880bbe
Author: dbates at webkit.org <dbates at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Wed Sep 23 18:19:02 2009 +0000

    2009-09-23  Daniel Bates  <dbates at webkit.org>
    
            Reviewed by Adam Barth.
    
            https://bugs.webkit.org/show_bug.cgi?id=29523
    
            Fixes an issue where a JavaScript URL that was URL-encoded twice can bypass the
            XSSAuditor.
    
            The method FrameLoader::executeIfJavaScriptURL decodes the URL escape
            sequences in a JavaScript URL before it is eventually passed to the XSSAuditor.
            Because the XSSAuditor also decodes URL escape sequences as part of its
            canonicalization, the JavaScript URL was effectively decoded twice, so its
            canonical form no longer matched the canonical form of the (once-decoded)
            request parameters and the injected script went undetected.
    
            Tests: http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html
                   http/tests/security/xssAuditor/javascript-link-url-encoded.html
    
            * bindings/js/ScriptController.cpp:
            (WebCore::ScriptController::evaluate): Moved call to
            XSSAuditor::canEvaluateJavaScriptURL into FrameLoader::executeIfJavaScriptURL.
            * bindings/v8/ScriptController.cpp:
            (WebCore::ScriptController::evaluate): Ditto.
            * loader/FrameLoader.cpp:
            (WebCore::FrameLoader::executeIfJavaScriptURL): Modified to call
            XSSAuditor::canEvaluateJavaScriptURL on the JavaScript URL before it is
            decoded.
    2009-09-23  Daniel Bates  <dbates at webkit.org>
    
            Reviewed by Adam Barth.
    
            https://bugs.webkit.org/show_bug.cgi?id=29523
    
            Tests that JavaScript URLs that were URL-encoded twice do not bypass the XSSAuditor.
    
            * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt: Added.
            * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html: Added.
            * http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt: Added.
            * http/tests/security/xssAuditor/javascript-link-url-encoded.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@48680 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index ad92597..25879c0 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2009-09-23  Daniel Bates  <dbates at webkit.org>
+
+        Reviewed by Adam Barth.
+
+        https://bugs.webkit.org/show_bug.cgi?id=29523
+        
+        Tests that JavaScript URLs that were URL-encoded twice do not bypass the XSSAuditor.
+
+        * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt: Added.
+        * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html: Added.
+        * http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt: Added.
+        * http/tests/security/xssAuditor/javascript-link-url-encoded.html: Added.
+
 2009-09-23  Dave Hyatt  <hyatt at apple.com>
 
         Reviewed by John Sullivan.
diff --git a/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt b/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt
similarity index 100%
copy from LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt
copy to LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt
diff --git a/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html b/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html
new file mode 100644
index 0000000..3fcc079
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.pl?q=%3Ciframe%20src=javascript%3A%271%2525251%27%3Balert%28document.domain%29%3E">
+</iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt b/LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt
similarity index 100%
copy from LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-expected.txt
copy to LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt
diff --git a/LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded.html b/LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded.html
new file mode 100644
index 0000000..8fb6457
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+    layoutTestController.dumpAsText();
+    layoutTestController.waitUntilDone();
+    layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src='http://localhost:8000/security/xssAuditor/resources/echo-intertag-click-and-notify.pl?elmid=anchorLink&q=%3Ca+id%3DanchorLink+href%3Djavascript%3A%271%2525251%27%3Balert%28/%26XSS/%29%3Etest%3C/a%3E'>
+</iframe>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 2983ef5..965c5df 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,31 @@
+2009-09-23  Daniel Bates  <dbates at webkit.org>
+
+        Reviewed by Adam Barth.
+
+        https://bugs.webkit.org/show_bug.cgi?id=29523
+        
+        Fixes an issue where a JavaScript URL that was URL-encoded twice can bypass the
+        XSSAuditor.
+        
+        The method FrameLoader::executeIfJavaScriptURL decodes the URL escape 
+        sequences in a JavaScript URL before it is eventually passed to the XSSAuditor.
+        Because the XSSAuditor also decodes the URL escape sequences as part of its
+        canonicalization, the double decoding of a JavaScript URL would
+        not match the canonicalization of the input parameters.
+
+        Tests: http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html
+               http/tests/security/xssAuditor/javascript-link-url-encoded.html
+
+        * bindings/js/ScriptController.cpp:
+        (WebCore::ScriptController::evaluate): Moved call to 
+        XSSAuditor::canEvaluateJavaScriptURL into FrameLoader::executeIfJavaScriptURL.
+        * bindings/v8/ScriptController.cpp:
+        (WebCore::ScriptController::evaluate): Ditto.
+        * loader/FrameLoader.cpp:
+        (WebCore::FrameLoader::executeIfJavaScriptURL): Modified to call 
+        XSSAuditor::canEvaluateJavaScriptURL on the JavaScript URL before it is
+        decoded.
+
 2009-09-22  Dave Hyatt  <hyatt at apple.com>
 
         Reviewed by John Sullivan.
diff --git a/WebCore/bindings/js/ScriptController.cpp b/WebCore/bindings/js/ScriptController.cpp
index 4b33069..dfa1602 100644
--- a/WebCore/bindings/js/ScriptController.cpp
+++ b/WebCore/bindings/js/ScriptController.cpp
@@ -85,12 +85,7 @@ ScriptValue ScriptController::evaluate(const ScriptSourceCode& sourceCode)
     const SourceCode& jsSourceCode = sourceCode.jsSourceCode();
     String sourceURL = jsSourceCode.provider()->url();
     
-    if (sourceURL.isNull() && !m_XSSAuditor->canEvaluateJavaScriptURL(sourceCode.source())) {
-        // This JavaScript URL is not safe to be evaluated.
-        return JSValue();
-    }
-    
-    if (!sourceURL.isNull() && !m_XSSAuditor->canEvaluate(sourceCode.source())) {
+    if (!m_XSSAuditor->canEvaluate(sourceCode.source())) {
         // This script is not safe to be evaluated.
         return JSValue();
     }
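Review bot: Removing the `sourceURL.isNull()` gate means `canEvaluate` now also runs on the decoded body of every javascript: URL, a behavior change the ChangeLog does not mention; since the description says the auditor decodes as part of canonicalization, it is worth confirming that this second pass over already-decoded text cannot reintroduce the mismatch this patch fixes, or recording it as intentional defense in depth. More importantly, the javascript-URL check no longer sits at the evaluation chokepoint: any path that reaches `evaluate` with a javascript: URL without going through `FrameLoader::executeIfJavaScriptURL` is now unchecked by `canEvaluateJavaScriptURL`, so those callers should be audited and the dependency stated here, e.g. `// JavaScript URLs are vetted by XSSAuditor::canEvaluateJavaScriptURL in FrameLoader::executeIfJavaScriptURL before decoding; only the inline-script check runs here.` The body of `evaluate` continues outside the hunk.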
diff --git a/WebCore/bindings/v8/ScriptController.cpp b/WebCore/bindings/v8/ScriptController.cpp
index c345e00..2ff6115 100644
--- a/WebCore/bindings/v8/ScriptController.cpp
+++ b/WebCore/bindings/v8/ScriptController.cpp
@@ -200,12 +200,7 @@ ScriptValue ScriptController::evaluate(const ScriptSourceCode& sourceCode)
 {
     String sourceURL = sourceCode.url();
     
-    if (sourceURL.isNull() && !m_XSSAuditor->canEvaluateJavaScriptURL(sourceCode.source())) {
-        // This JavaScript URL is not safe to be evaluated.
-        return ScriptValue();
-    }
-    
-    if (!sourceURL.isNull() && !m_XSSAuditor->canEvaluate(sourceCode.source())) {
+    if (!m_XSSAuditor->canEvaluate(sourceCode.source())) {
         // This script is not safe to be evaluated.
         return ScriptValue();
     }
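Review bot: After the gate is removed, the context line `String sourceURL = sourceCode.url();` is no longer read by anything visible in the hunk; if the remainder of `evaluate` (outside the hunk) does not use it either, it is a dead local and should be dropped. This binding and the JSC one now carry identical logic, so a short comment such as `// Keep in sync with bindings/js/ScriptController.cpp: JavaScript URLs are checked in FrameLoader::executeIfJavaScriptURL.` would make the shared assumption explicit for the next person touching only one of them.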
diff --git a/WebCore/loader/FrameLoader.cpp b/WebCore/loader/FrameLoader.cpp
index 5a51660..52b6d77 100644
--- a/WebCore/loader/FrameLoader.cpp
+++ b/WebCore/loader/FrameLoader.cpp
@@ -746,8 +746,10 @@ bool FrameLoader::executeIfJavaScriptURL(const KURL& url, bool userGesture, bool
 
     const int javascriptSchemeLength = sizeof("javascript:") - 1;
 
-    String script = decodeURLEscapeSequences(url.string().substring(javascriptSchemeLength));
-    ScriptValue result = executeScript(script, userGesture);
+    String script = url.string().substring(javascriptSchemeLength);
+    ScriptValue result;
+    if (m_frame->script()->xssAuditor()->canEvaluateJavaScriptURL(script))
+        result = executeScript(decodeURLEscapeSequences(script), userGesture);
 
     String scriptResult;
     if (!result.getString(scriptResult))
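Review bot: When `canEvaluateJavaScriptURL` rejects the URL, `result` stays default-constructed and control falls through to `result.getString(scriptResult)`, so the blocked case is indistinguishable from a script that ran and returned no string; the function continues outside the hunk, so confirm the no-string path is what you want for a blocked URL (presumably "handled, do not navigate") and consider making the rejection explicit with an early return and a comment rather than relying on that coincidence. The ordering here is the whole fix, yet nothing records it: `script` is audited while still URL-encoded and only `executeScript` receives `decodeURLEscapeSequences(script)`, so a future cleanup that decodes first would silently reopen bug 29523; a comment such as `// Audit the raw, still-encoded script: the XSSAuditor decodes once during canonicalization, so decoding here first lets a double-encoded payload slip past it.` should sit above the `canEvaluateJavaScriptURL` call. The scheme check that precedes this code is outside the hunk.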
