[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.15.1-1414-gc69ee75
dbates at webkit.org
dbates at webkit.org
Thu Oct 29 20:37:16 UTC 2009
The following commit has been merged in the webkit-1.1 branch:
commit c1377e2ad7fec44d3cd3bbbc4c6ce0d5b53ad0b7
Author: dbates at webkit.org <dbates at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu Oct 1 05:56:03 2009 +0000
2009-09-30 Daniel Bates <dbates at webkit.org>
Reviewed by Adam Barth.
https://bugs.webkit.org/show_bug.cgi?id=29944
Reduces false positives in the XSSAuditor by explicitly allowing requests
that do not contain illegal URI characters.
As a side effect of this change, the tests property-inject.html,
property-escape-noquotes.html, and property-escape-noquotes-tab-slash-chars.html
fail because these attacks do not contain any illegal URI characters and
thus are now allowed by the XSSAuditor, where previously they weren't. A future
change may reinstate this functionality.
Tests: http/tests/security/xssAuditor/script-tag-safe2.html
http/tests/security/xssAuditor/script-tag-safe3.html
* page/XSSAuditor.cpp:
(WebCore::isIllegalURICharacter): Added method.
(WebCore::XSSAuditor::canEvaluate):
(WebCore::XSSAuditor::canCreateInlineEventListener):
(WebCore::XSSAuditor::findInRequest): Added parameter
allowRequestIfNoIllegalURICharacters.
* page/XSSAuditor.h:
2009-09-30 Daniel Bates <dbates at webkit.org>
Reviewed by Adam Barth.
https://bugs.webkit.org/show_bug.cgi?id=29944
Tests that the XSSAuditor allows requests that do not contain illegal URI
characters.
Added a notice regarding the failure of tests property-inject.html,
property-escape-noquotes.html and property-escape-noquotes-tab-slash-chars.html,
and rebased the expected results of these tests.
* http/tests/security/xssAuditor/property-escape-noquotes-expected.txt:
* http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt:
* http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html:
* http/tests/security/xssAuditor/property-escape-noquotes.html:
* http/tests/security/xssAuditor/property-inject-expected.txt:
* http/tests/security/xssAuditor/property-inject.html:
* http/tests/security/xssAuditor/resources/safe-script-noquotes.js: Added.
* http/tests/security/xssAuditor/resources/script-tag-safe2.html: Added.
* http/tests/security/xssAuditor/resources/script-tag-safe3.html: Added.
* http/tests/security/xssAuditor/script-tag-safe2-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-safe2.html: Added.
* http/tests/security/xssAuditor/script-tag-safe3-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-safe3.html: Added.
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@48961 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 46c9f3b..1747e01 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,30 @@
+2009-09-30 Daniel Bates <dbates at webkit.org>
+
+ Reviewed by Adam Barth.
+
+ https://bugs.webkit.org/show_bug.cgi?id=29944
+
+ Tests that the XSSAuditor allows requests that do not contain illegal URI
+ characters.
+
+ Added a notice regarding the failure of tests property-inject.html,
+ property-escape-noquotes.html and property-escape-noquotes-tab-slash-chars.html,
+ and rebased the expected results of these tests.
+
+ * http/tests/security/xssAuditor/property-escape-noquotes-expected.txt:
+ * http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt:
+ * http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html:
+ * http/tests/security/xssAuditor/property-escape-noquotes.html:
+ * http/tests/security/xssAuditor/property-inject-expected.txt:
+ * http/tests/security/xssAuditor/property-inject.html:
+ * http/tests/security/xssAuditor/resources/safe-script-noquotes.js: Added.
+ * http/tests/security/xssAuditor/resources/script-tag-safe2.html: Added.
+ * http/tests/security/xssAuditor/resources/script-tag-safe3.html: Added.
+ * http/tests/security/xssAuditor/script-tag-safe2-expected.txt: Added.
+ * http/tests/security/xssAuditor/script-tag-safe2.html: Added.
+ * http/tests/security/xssAuditor/script-tag-safe3-expected.txt: Added.
+ * http/tests/security/xssAuditor/script-tag-safe3.html: Added.
+
2009-09-30 Kent Tamura <tkent at chromium.org>
Reviewed by Darin Adler.
diff --git a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-expected.txt b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-expected.txt
index 513e2f8..9087bc3 100644
--- a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-expected.txt
+++ b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-expected.txt
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+ALERT: /XSS/
+This test fails because the XSSAuditor allows requests that do not contain illegal URI characters. Thus, the XSSAuditor does not detect breaking out of an unquoted property. A future update may reinstate this functionality.
diff --git a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt
index 513e2f8..9087bc3 100644
--- a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt
+++ b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars-expected.txt
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+ALERT: /XSS/
+This test fails because the XSSAuditor allows requests that do not contain illegal URI characters. Thus, the XSSAuditor does not detect breaking out of an unquoted property. A future update may reinstate this functionality.
diff --git a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html
index 8c36899..5c80c53 100644
--- a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html
+++ b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes-tab-slash-chars.html
@@ -9,6 +9,9 @@ if (window.layoutTestController) {
</script>
</head>
<body>
+<p>This test fails because the XSSAuditor allows requests that do not contain illegal URI characters. Thus,
+the XSSAuditor does not detect breaking out of an unquoted property. A future update may reinstate this
+functionality.</p>
<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-property-noquotes.pl?q=dummy%09/onload=alert(/XSS/)&dummy=dummy">
</iframe>
</body>
diff --git a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes.html b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes.html
index ec2a702..ece3db0 100644
--- a/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes.html
+++ b/LayoutTests/http/tests/security/xssAuditor/property-escape-noquotes.html
@@ -9,6 +9,9 @@ if (window.layoutTestController) {
</script>
</head>
<body>
+<p>This test fails because the XSSAuditor allows requests that do not contain illegal URI characters. Thus,
+the XSSAuditor does not detect breaking out of an unquoted property. A future update may reinstate this
+functionality.</p>
<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-property-noquotes.pl?q=1%20onload=alert(/XSS/)">
</iframe>
</body>
diff --git a/LayoutTests/http/tests/security/xssAuditor/property-inject-expected.txt b/LayoutTests/http/tests/security/xssAuditor/property-inject-expected.txt
index 513e2f8..acb7341 100644
--- a/LayoutTests/http/tests/security/xssAuditor/property-inject-expected.txt
+++ b/LayoutTests/http/tests/security/xssAuditor/property-inject-expected.txt
@@ -1,3 +1,4 @@
-CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
+ALERT: /XSS/
+This test fails because the XSSAuditor allows requests that do not contain illegal URI characters. Thus, the XSSAuditor does not detect the injection of an inline event handler within a tag. A future update may reinstate this functionality.
diff --git a/LayoutTests/http/tests/security/xssAuditor/property-inject.html b/LayoutTests/http/tests/security/xssAuditor/property-inject.html
index 2955d9b..7f2fe76 100644
--- a/LayoutTests/http/tests/security/xssAuditor/property-inject.html
+++ b/LayoutTests/http/tests/security/xssAuditor/property-inject.html
@@ -9,6 +9,9 @@ if (window.layoutTestController) {
</script>
</head>
<body>
+<p>This test fails because the XSSAuditor allows requests that do not contain illegal URI characters. Thus,
+the XSSAuditor does not detect the injection of an inline event handler within a tag. A future update may
+reinstate this functionality.</p>
<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-inner-tag.pl?q=onload=alert(/XSS/)">
</iframe>
</body>
diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/safe-script-noquotes.js b/LayoutTests/http/tests/security/xssAuditor/resources/safe-script-noquotes.js
new file mode 100644
index 0000000..7e685e4
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/resources/safe-script-noquotes.js
@@ -0,0 +1 @@
+alert(/This is a safe script./);
diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/script-tag-safe2.html b/LayoutTests/http/tests/security/xssAuditor/resources/script-tag-safe2.html
new file mode 100644
index 0000000..20a11e1
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/resources/script-tag-safe2.html
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>alert(/This is a safe script./)</script>
+</head>
+<body>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/script-tag-safe3.html b/LayoutTests/http/tests/security/xssAuditor/resources/script-tag-safe3.html
new file mode 100644
index 0000000..386720a
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/resources/script-tag-safe3.html
@@ -0,0 +1,8 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script src='http://localhost:8000/security/xssAuditor/resources/safe-script-noquotes.js'></script>
+</head>
+<body>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-safe2-expected.txt b/LayoutTests/http/tests/security/xssAuditor/script-tag-safe2-expected.txt
new file mode 100644
index 0000000..e29af02
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-safe2-expected.txt
@@ -0,0 +1,2 @@
+ALERT: /This is a safe script./
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-safe2.html b/LayoutTests/http/tests/security/xssAuditor/script-tag-safe2.html
new file mode 100644
index 0000000..d8dbe14
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-safe2.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src='http://localhost:8000/security/xssAuditor/resources/script-tag-safe2.html?q=alert(/This+is+a+safe+script./)'>
+</iframe>
+</body>
+</html>
diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-safe3-expected.txt b/LayoutTests/http/tests/security/xssAuditor/script-tag-safe3-expected.txt
new file mode 100644
index 0000000..e29af02
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-safe3-expected.txt
@@ -0,0 +1,2 @@
+ALERT: /This is a safe script./
+
diff --git a/LayoutTests/http/tests/security/xssAuditor/script-tag-safe3.html b/LayoutTests/http/tests/security/xssAuditor/script-tag-safe3.html
new file mode 100644
index 0000000..5bbcb58
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/script-tag-safe3.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<iframe src='http://localhost:8000/security/xssAuditor/resources/script-tag-safe3.html?q=alert(/This+is+a+safe+script./)%3B'>
+</iframe>
+</body>
+</html>
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 78861e4..815e598 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,29 @@
+2009-09-30 Daniel Bates <dbates at webkit.org>
+
+ Reviewed by Adam Barth.
+
+ https://bugs.webkit.org/show_bug.cgi?id=29944
+
+ Reduces false positives in the XSSAuditor by explicitly allowing requests
+ that do not contain illegal URI characters.
+
+ As a side effect of this change, the tests property-inject.html,
+ property-escape-noquotes.html, and property-escape-noquotes-tab-slash-chars.html
+ fail because these attacks do not contain any illegal URI characters and
+ thus are now allowed by the XSSAuditor, where previously they weren't. A future
+ change may reinstate this functionality.
+
+ Tests: http/tests/security/xssAuditor/script-tag-safe2.html
+ http/tests/security/xssAuditor/script-tag-safe3.html
+
+ * page/XSSAuditor.cpp:
+ (WebCore::isIllegalURICharacter): Added method.
+ (WebCore::XSSAuditor::canEvaluate):
+ (WebCore::XSSAuditor::canCreateInlineEventListener):
+ (WebCore::XSSAuditor::findInRequest): Added parameter
+ allowRequestIfNoIllegalURICharacters.
+ * page/XSSAuditor.h:
+
2009-09-30 Oliver Hunt <oliver at apple.com>
Reviewed by Maciej Stachowiak.
diff --git a/WebCore/page/XSSAuditor.cpp b/WebCore/page/XSSAuditor.cpp
index 4fcc53c..92ed896 100644
--- a/WebCore/page/XSSAuditor.cpp
+++ b/WebCore/page/XSSAuditor.cpp
@@ -58,6 +58,18 @@ static bool isNonCanonicalCharacter(UChar c)
return (c == '\\' || c == '0' || c < ' ' || c >= 127);
}
+static bool isIllegalURICharacter(UChar c)
+{
+ // The characters described in section 2.4.3 of RFC 2396 <http://www.faqs.org/rfcs/rfc2396.html> in addition to the
+ // single quote character "'" are considered illegal URI characters. That is, the following characters cannot appear
+ // in a valid URI: ', ", <, >
+ //
+ // If the request does not contain these characters then we can assume that no inline scripts have been injected
+ // into response page, because it is impossible to write an inline script of the form <script>...</script>
+ // without "<", ">".
+ return (c == '\'' || c == '"' || c == '<' || c == '>');
+}
+
String XSSAuditor::CachingURLCanonicalizer::canonicalizeURL(const String& url, const TextEncoding& encoding, bool decodeEntities)
{
if (decodeEntities == m_decodeEntities && encoding == m_encoding && url == m_inputURL)
@@ -90,7 +102,7 @@ bool XSSAuditor::canEvaluate(const String& code) const
if (!isEnabled())
return true;
- if (findInRequest(code, false)) {
+ if (findInRequest(code, false, true)) {
DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n"));
m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
return false;
@@ -116,7 +128,7 @@ bool XSSAuditor::canCreateInlineEventListener(const String&, const String& code)
if (!isEnabled())
return true;
- if (findInRequest(code)) {
+ if (findInRequest(code, true, true)) {
DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to execute a JavaScript script. Source code of script found within request.\n"));
m_frame->domWindow()->console()->addMessage(JSMessageSource, LogMessageType, ErrorMessageLevel, consoleMessage, 1, String());
return false;
@@ -223,18 +235,18 @@ String XSSAuditor::decodeHTMLEntities(const String& string, bool leaveUndecodabl
return String::adopt(result);
}
-bool XSSAuditor::findInRequest(const String& string, bool decodeEntities) const
+bool XSSAuditor::findInRequest(const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters) const
{
bool result = false;
Frame* parentFrame = m_frame->tree()->parent();
if (parentFrame && m_frame->document()->url() == blankURL())
- result = findInRequest(parentFrame, string, decodeEntities);
+ result = findInRequest(parentFrame, string, decodeEntities, allowRequestIfNoIllegalURICharacters);
if (!result)
- result = findInRequest(m_frame, string, decodeEntities);
+ result = findInRequest(m_frame, string, decodeEntities, allowRequestIfNoIllegalURICharacters);
return result;
}
-bool XSSAuditor::findInRequest(Frame* frame, const String& string, bool decodeEntities) const
+bool XSSAuditor::findInRequest(Frame* frame, const String& string, bool decodeEntities, bool allowRequestIfNoIllegalURICharacters) const
{
ASSERT(frame->document());
@@ -274,8 +286,13 @@ bool XSSAuditor::findInRequest(Frame* frame, const String& string, bool decodeEn
if (string.length() < pageURL.length()) {
// The string can actually fit inside the pageURL.
String decodedPageURL = m_cache.canonicalizeURL(pageURL, frame->document()->decoder()->encoding(), decodeEntities);
+
+ if (allowRequestIfNoIllegalURICharacters && (!formDataObj || formDataObj->isEmpty())
+ && decodedPageURL.find(&isIllegalURICharacter, 0) == -1)
+ return false; // Injection is impossible because the request does not contain any illegal URI characters.
+
if (decodedPageURL.find(canonicalizedString, 0, false) != -1)
- return true; // We've found the smoking gun.
+ return true; // We've found the smoking gun.
}
if (formDataObj && !formDataObj->isEmpty()) {
diff --git a/WebCore/page/XSSAuditor.h b/WebCore/page/XSSAuditor.h
index 58b2cc2..d3d1ec9 100644
--- a/WebCore/page/XSSAuditor.h
+++ b/WebCore/page/XSSAuditor.h
@@ -119,8 +119,8 @@ namespace WebCore {
static String decodeURL(const String& url, const TextEncoding& encoding, bool decodeEntities);
static String decodeHTMLEntities(const String&, bool leaveUndecodableEntitiesUntouched = true);
- bool findInRequest(const String&, bool decodeEntities = true) const;
- bool findInRequest(Frame*, const String&, bool decodeEntities = true) const;
+ bool findInRequest(const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false) const;
+ bool findInRequest(Frame*, const String&, bool decodeEntities = true, bool allowRequestIfNoIllegalURICharacters = false) const;
// The frame to audit.
Frame* m_frame;
--
WebKit Debian packaging
More information about the Pkg-webkit-commits
mailing list