[SCM] WebKit Debian packaging branch, webkit-1.1, updated. upstream/1.1.19-706-ge5415e9
abarth at webkit.org
Thu Feb 4 21:31:18 UTC 2010
The following commit has been merged in the webkit-1.1 branch:
commit 49e2f36900b7a3517005fdd8118c43c1baea4e5b
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Thu Jan 28 20:34:36 2010 +0000
2010-01-28 Adam Barth <abarth at webkit.org>
Reviewed by David Levin.
Remove XSSAuditor false positive for Google Translate
https://bugs.webkit.org/show_bug.cgi?id=34242
Add a test that we allow attackers to inject directly into the href
property of the base tag.
* http/tests/security/xssAuditor/base-href-direct-expected.txt: Added.
* http/tests/security/xssAuditor/base-href-direct.html: Added.
* http/tests/security/xssAuditor/resources/echo-head-base-href-direct.pl: Added.
2010-01-28 Adam Barth <abarth at webkit.org>
Reviewed by David Levin.
Remove XSSAuditor false positive for Google Translate
https://bugs.webkit.org/show_bug.cgi?id=34242
Google translate takes a base URL as a parameter, causing a false
positive in the XSS filter. This patch removes the false positive by
allowing direct injections into the href property of the base tag.
Test: http/tests/security/xssAuditor/base-href-direct.html
* page/XSSAuditor.cpp:
(WebCore::XSSAuditor::canSetBaseElementURL):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@54010 268f45cc-cd09-0410-ab3c-d52691b4dbfc
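An added example, not WebKit code, that makes the trade-off in the commit message concrete in JavaScript: why a reflected `<base href>` matters (every relative `src` in the response, such as the test's `safe-script.js`, resolves against it) and a toy model of the auditor's decision before and after `allowRequestIfNoIllegalURICharacters` is set. The real auditor's request matching and its set of illegal URI characters are not shown on this page; the substring match on decoded query values and the character set `' " < >` below are assumptions, and the request URLs are constructed to mirror the test in this patch.

```javascript
// Added example, not WebKit's XSSAuditor: a toy model of the base-URL check
// around this patch, plus a demonstration of what a reflected <base href>
// buys an attacker. Uses the WHATWG URL class (global in Node and browsers).

// Assumption: the "illegal URI characters". Characters that cannot appear
// unencoded in a valid URI and that an inline-script injection needs.
const ILLEGAL_URI_CHARS = /['"<>]/;

// Decoded query-parameter values of a request URL (the real auditor also
// looks at the POST body and canonicalises; this model does not).
function requestValues(requestURL) {
  return Array.from(new URL(requestURL).searchParams.values());
}

// Is the candidate string reflected from the request? Substring match on
// decoded parameter values (assumption about the real matching rules).
function foundInRequest(candidate, requestURL) {
  return requestValues(requestURL).some((v) => v.includes(candidate));
}

function requestHasIllegalURICharacters(requestURL) {
  return requestValues(requestURL).some((v) => ILLEGAL_URI_CHARS.test(v));
}

// Model of XSSAuditor::canSetBaseElementURL.
//   allowRequestIfNoIllegalURICharacters = false (before the patch):
//     a reflected base URL is always refused;
//   allowRequestIfNoIllegalURICharacters = true (after the patch):
//     a reflected base URL is honoured as long as the request carries no
//     illegal URI characters, i.e. could not also have injected markup.
// Returns { allowed, consoleMessage }.
function canSetBaseElementURL(baseHref, requestURL, allowRequestIfNoIllegalURICharacters) {
  if (!foundInRequest(baseHref, requestURL)) {
    return { allowed: true, consoleMessage: null };
  }
  if (allowRequestIfNoIllegalURICharacters && !requestHasIllegalURICharacters(requestURL)) {
    return { allowed: true, consoleMessage: null };
  }
  return {
    allowed: false,
    consoleMessage: 'Refused to load from document base URL. URL found within request.',
  };
}

// What the attacker gains: relative URLs in the response resolve against the
// injected base, so a script the page meant to load from its own directory
// is fetched from the attacker's chosen location instead.
function resolveScriptSrc(relativeSrc, documentURL, baseHref) {
  const base = baseHref === null ? new URL(documentURL) : new URL(baseHref, documentURL);
  return new URL(relativeSrc, base).href;
}

// Constructed request URLs mirroring the test on this page; the second one
// additionally tries to inject markup and therefore carries illegal characters.
const ECHO_PAGE = 'http://localhost:8000/security/xssAuditor/resources/echo-head-base-href-direct.pl';
const CLEAN_BASE = 'http://127.0.0.1:8000/security/xssAuditor/resources/base-href/';
const CLEAN_REQUEST = ECHO_PAGE + '?q=' + encodeURIComponent(CLEAN_BASE);
const MARKUP_REQUEST = ECHO_PAGE + '?q=' + encodeURIComponent(CLEAN_BASE + '"><script>alert(1)</script>');

function demo() {
  const before = canSetBaseElementURL(CLEAN_BASE, CLEAN_REQUEST, false);
  const after = canSetBaseElementURL(CLEAN_BASE, CLEAN_REQUEST, true);
  const withMarkup = canSetBaseElementURL(CLEAN_BASE, MARKUP_REQUEST, true);
  return {
    before: before.allowed,          // false: reflected base URL refused
    after: after.allowed,            // true: clean reflected base URL honoured
    withMarkup: withMarkup.allowed,  // false: request contains " < >
    scriptWithoutBase: resolveScriptSrc('safe-script.js', ECHO_PAGE, null),
    scriptWithBase: resolveScriptSrc('safe-script.js', ECHO_PAGE, CLEAN_BASE),
  };
}

console.log(demo());
```

The point the model makes is that the attacker's base URL itself needs none of the characters the relaxed rule looks for: `demo().after` is `true` for a plain `http://` URL, and `scriptWithBase` shows the page's own `safe-script.js` now being fetched from the 127.0.0.1 directory named in the request, which is exactly what the new layout test expects.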
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 47f4dae..8a2f4cc 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,17 @@
+2010-01-28 Adam Barth <abarth at webkit.org>
+
+ Reviewed by David Levin.
+
+ Remove XSSAuditor false positive for Google Translate
+ https://bugs.webkit.org/show_bug.cgi?id=34242
+
+ Add a test that we allow attackers to inject directly into the href
+ property of the base tag.
+
+ * http/tests/security/xssAuditor/base-href-direct-expected.txt: Added.
+ * http/tests/security/xssAuditor/base-href-direct.html: Added.
+ * http/tests/security/xssAuditor/resources/echo-head-base-href-direct.pl: Added.
+
2010-01-28 Simon Fraser <simon.fraser at apple.com>
Reviewed by Dan Bernstein.
diff --git a/LayoutTests/http/tests/security/xssAuditor/base-href-direct-expected.txt b/LayoutTests/http/tests/security/xssAuditor/base-href-direct-expected.txt
new file mode 100644
index 0000000..8ada282
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/base-href-direct-expected.txt
@@ -0,0 +1,4 @@
+ALERT: /XSS/
+We allow direct injections into base tags to reduce false positives.
+
+
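Review bot: the pass condition here is that the injection fires (`ALERT: /XSS/`), so anyone reading this expectation later sees a successful attack recorded as correct behaviour with only "to reduce false positives" as justification. Extend the explanatory line to say what is still refused, e.g. "only reflected base URLs free of illegal URI characters are allowed; a request carrying quotes or angle brackets is still blocked", so the file documents the boundary of the relaxation and not just the accepted case.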
diff --git a/LayoutTests/http/tests/security/xssAuditor/base-href-direct.html b/LayoutTests/http/tests/security/xssAuditor/base-href-direct.html
new file mode 100644
index 0000000..eed7462
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/base-href-direct.html
@@ -0,0 +1,16 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>We allow direct injections into base tags to reduce false positives.</p>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-head-base-href-direct.pl?q=http://127.0.0.1:8000/security/xssAuditor/resources/base-href/">
+</iframe>
+</body>
+</html>
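Review bot: only the accepting path of the new `allowRequestIfNoIllegalURICharacters` behaviour is exercised; the reflected `q` value is a clean `http://127.0.0.1:8000/...` URL. Add a second iframe (or a sibling test) whose `q` carries illegal URI characters, for instance a quote followed by markup, and expect the existing "Refused to load from document base URL" console message, so the limit of the relaxation is pinned by a test rather than only by the flag in XSSAuditor.cpp. A one-line comment that the iframe is deliberately served from `localhost` while the base points at `127.0.0.1` (a different origin) would also help the next reader understand why the relative script load in the echo page ends up cross-origin.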
diff --git a/LayoutTests/http/tests/security/xssAuditor/resources/echo-head-base-href-direct.pl b/LayoutTests/http/tests/security/xssAuditor/resources/echo-head-base-href-direct.pl
new file mode 100755
index 0000000..85a4f9c
--- /dev/null
+++ b/LayoutTests/http/tests/security/xssAuditor/resources/echo-head-base-href-direct.pl
@@ -0,0 +1,17 @@
+#!/usr/bin/perl -wT
+use strict;
+use CGI;
+
+my $cgi = new CGI;
+
+print "Content-Type: text/html; charset=UTF-8\n\n";
+
+print "<!DOCTYPE html>\n";
+print "<html>\n";
+print "<head>\n";
+print "<base href=\"".$cgi->param('q')."\">\n";
+print "</head>\n";
+print "<body>\n";
+print "<script src='safe-script.js'></script>\n";
+print "</body>\n";
+print "</html>\n";
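Review bot: the script that actually produces the expected `ALERT: /XSS/` is `safe-script.js` resolved against the injected base, i.e. `resources/base-href/safe-script.js` on 127.0.0.1, and that file is not part of this patch's file list; add a comment above the `<script src='safe-script.js'>` line saying where the alerting copy lives and that it must stay in place for the expectation to hold. Echoing `$cgi->param('q')` raw into a double-quoted attribute is the intent of an echo script, but `param` in list context can return several values when `q` is repeated; `scalar $cgi->param('q')` (or fetching it into a scalar first) keeps the reflected value to one string.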
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index 549e675..96b7470 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,19 @@
+2010-01-28 Adam Barth <abarth at webkit.org>
+
+ Reviewed by David Levin.
+
+ Remove XSSAuditor false positive for Google Translate
+ https://bugs.webkit.org/show_bug.cgi?id=34242
+
+ Google translate takes a base URL as a parameter, causing a false
+ positive in the XSS filter. This patch removes the false positive by
+ allowing direct injections into the href property of the base tag.
+
+ Test: http/tests/security/xssAuditor/base-href-direct.html
+
+ * page/XSSAuditor.cpp:
+ (WebCore::XSSAuditor::canSetBaseElementURL):
+
2010-01-28 Nikolas Zimmermann <nzimmermann at rim.com>
Reviewed by Dirk Schulze.
diff --git a/WebCore/page/XSSAuditor.cpp b/WebCore/page/XSSAuditor.cpp
index 4753cbc..0129b52 100644
--- a/WebCore/page/XSSAuditor.cpp
+++ b/WebCore/page/XSSAuditor.cpp
@@ -202,6 +202,7 @@ bool XSSAuditor::canSetBaseElementURL(const String& url) const
FindTask task;
task.string = url;
+ task.allowRequestIfNoIllegalURICharacters = true;
if (findInRequest(task)) {
DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to load from document base URL. URL found within request.\n"));
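Review bot: this one-line flag flip changes the policy from "never honour a reflected base URL" to "honour it unless the request contains illegal URI characters", and `canSetBaseElementURL` gets no comment explaining either the reason (the Google Translate false positive, bug 34242) or what an attacker gains in exchange (control over where every relative URL in the document resolves, as the new layout test shows). Add that rationale above `task.allowRequestIfNoIllegalURICharacters = true;`. Also confirm, since the semantics of the flag are not visible in this hunk, that the illegal-character test is applied to the decoded request as a whole rather than only to the matched base URL: a base URL such as `http://127.0.0.1:8000/.../base-href/` contains no such characters on its own, so a check scoped to the match would allow every reflected base URL.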
--
WebKit Debian packaging