[SCM] WebKit Debian packaging branch, webkit-1.2, updated. upstream/1.2.2-27-g91dab87
Gustavo Noronha Silva
gns at gnome.org
Thu Jul 15 21:13:19 UTC 2010
The following commit has been merged in the webkit-1.2 branch:
commit 7c8291eaa15e029beacbddbd86ddc483d5b05241
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Sat Mar 27 02:15:16 2010 +0000
2010-03-26 Justin Schuh <jschuh at chromium.org>
Reviewed by Adam Barth.
Security: iFrame.src accepts JavaScript URL via nodeValue or textContent
https://bugs.webkit.org/show_bug.cgi?id=36502
Overrode inherited nodeValue and textContent in Attr.idl so they proxy
to value, which performs a security check.
* http/tests/security/xss-DENIED-iframe-src-alias-expected.txt: Added.
* http/tests/security/xss-DENIED-iframe-src-alias.html: Added.
2010-03-26 Justin Schuh <jschuh at chromium.org>
Reviewed by Adam Barth.
Security: iFrame.src accepts JavaScript URL via nodeValue or textContent
https://bugs.webkit.org/show_bug.cgi?id=36502
Overrode inherited nodeValue and textContent in Attr.idl so they proxy
to value, which performs a security check.
Test: http/tests/security/xss-DENIED-iframe-src-alias.html
* bindings/js/JSAttrCustom.cpp:
(WebCore::JSAttr::nodeValue):
(WebCore::JSAttr::setNodeValue):
(WebCore::JSAttr::textContent):
(WebCore::JSAttr::setTextContent):
* bindings/v8/custom/V8AttrCustom.cpp:
(WebCore::V8Attr::nodeValueAccessorSetter):
(WebCore::V8Attr::nodeValueAccessorGetter):
(WebCore::V8Attr::textContentAccessorSetter):
(WebCore::V8Attr::textContentAccessorGetter):
* dom/Attr.idl:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@56651 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index 3ef8c9c..f90bdd6 100644
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,16 @@
+2010-03-26 Justin Schuh <jschuh at chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Security: iFrame.src accepts JavaScript URL via nodeValue or textContent
+ https://bugs.webkit.org/show_bug.cgi?id=36502
+
+ Overrode inherited nodeValue and textContent in Attr.idl so they proxy
+ to value, which performs a security check.
+
+ * http/tests/security/xss-DENIED-iframe-src-alias-expected.txt: Added.
+ * http/tests/security/xss-DENIED-iframe-src-alias.html: Added.
+
2010-04-23 Dan Bernstein <mitz at apple.com>
Reviewed by Simon Fraser.
diff --git a/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias-expected.txt b/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias-expected.txt
new file mode 100644
index 0000000..f2e8a1a
--- /dev/null
+++ b/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias-expected.txt
@@ -0,0 +1,21 @@
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match.
+
+CONSOLE MESSAGE: line 1: Unsafe JavaScript attempt to access frame with URL http://localhost:8080/security/resources/innocent-victim.html from frame with URL http://127.0.0.1:8000/security/xss-DENIED-iframe-src-alias.html. Domains, protocols and ports must match.
+
+This script tests if iframe.src can be set to a JavaScript URL via an alias (such as Attr.textContent or Attr.nodeValue). The test is successful if no alerts appear and the page finishes loading.
+
+
+
+
+
+
+
+
diff --git a/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias.html b/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias.html
new file mode 100644
index 0000000..3a07b93
--- /dev/null
+++ b/LayoutTests/http/tests/security/xss-DENIED-iframe-src-alias.html
@@ -0,0 +1,47 @@
+<html>
+<head>
+<script>
+window.onload = function()
+{
+ if (window.layoutTestController) {
+ layoutTestController.dumpAsText();
+ }
+
+ var alert = 'javascript:alert("FAIL")';
+ // Test different ways of aliasing iframe.src
+ var aliasTests = [
+ function(iFrame) { iFrame.attributes['src'].textContent = alert;},
+ function(iFrame) { iFrame.attributes['src'].nodeValue = alert;},
+ function(iFrame) { iFrame.attributes[0].textContent = alert;},
+ function(iFrame) { iFrame.attributes[0].nodeValue = alert;},
+ function(iFrame) { iFrame.attributes.item(0).textContent = alert;},
+ function(iFrame) { iFrame.attributes.item(0).nodeValue = alert;}
+ ];
+
+ function makeOnloadHandler (idx, tgtFrame) {
+ return function() {
+ tgtFrame.onload = null;
+ try {
+ aliasTests[idx](tgtFrame);
+ } catch (e) {}
+ }
+ }
+
+ for (var i = 0; i < aliasTests.length; i++) {
+ aFrame = document.createElement('iframe');
+ aFrame.src = 'http://localhost:8080/security/resources/innocent-victim.html';
+ aFrame.onload = makeOnloadHandler(i, aFrame);
+ aFrame.width = 700;
+ document.body.appendChild(aFrame);
+ document.body.appendChild(document.createElement('br'));
+ }
+}
+
+</script>
+</head>
+<body>
+<p>This script tests if iframe.src can be set to a JavaScript URL via an alias
+ (such as Attr.textContent or Attr.nodeValue). The test is successful if no
+ alerts appear and the page finishes loading.</p>
+</body>
+</html>
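Review bot: `aFrame` is assigned without a declaration at `aFrame = document.createElement('iframe');`, so it becomes an implicit global on `window` and would throw under strict mode; write `var aFrame = document.createElement('iframe');`. The local `var alert = 'javascript:alert("FAIL")'` also shadows `window.alert` inside the onload closure, which is harmless here but confusing in a test whose pass condition is "no alerts appear" — a name such as `jsUrl` would read better. Note too that the test exercises only the six Attr-level aliases listed in `aliasTests`; other routes to the same attribute string (for example `setAttributeNode` with a pre-populated Attr, or a child Text node of the Attr if the bindings expose one) are not covered, so a pass here does not show those are blocked.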
diff --git a/WebCore/ChangeLog b/WebCore/ChangeLog
index dec4bd1..08793aa 100644
--- a/WebCore/ChangeLog
+++ b/WebCore/ChangeLog
@@ -1,3 +1,27 @@
+2010-03-26 Justin Schuh <jschuh at chromium.org>
+
+ Reviewed by Adam Barth.
+
+ Security: iFrame.src accepts JavaScript URL via nodeValue or textContent
+ https://bugs.webkit.org/show_bug.cgi?id=36502
+
+ Overrode inherited nodeValue and textContent in Attr.idl so they proxy
+ to value, which performs a security check.
+
+ Test: http/tests/security/xss-DENIED-iframe-src-alias.html
+
+ * bindings/js/JSAttrCustom.cpp:
+ (WebCore::JSAttr::nodeValue):
+ (WebCore::JSAttr::setNodeValue):
+ (WebCore::JSAttr::textContent):
+ (WebCore::JSAttr::setTextContent):
+ * bindings/v8/custom/V8AttrCustom.cpp:
+ (WebCore::V8Attr::nodeValueAccessorSetter):
+ (WebCore::V8Attr::nodeValueAccessorGetter):
+ (WebCore::V8Attr::textContentAccessorSetter):
+ (WebCore::V8Attr::textContentAccessorGetter):
+ * dom/Attr.idl:
+
2010-04-23 Dan Bernstein <mitz at apple.com>
Reviewed by Simon Fraser.
diff --git a/WebCore/bindings/js/JSAttrCustom.cpp b/WebCore/bindings/js/JSAttrCustom.cpp
index 3c01535..4e5b2de 100644
--- a/WebCore/bindings/js/JSAttrCustom.cpp
+++ b/WebCore/bindings/js/JSAttrCustom.cpp
@@ -59,6 +59,27 @@ void JSAttr::setValue(ExecState* exec, JSValue value)
setDOMException(exec, ec);
}
+JSC::JSValue JSAttr::nodeValue(JSC::ExecState* exec) const
+{
+ Attr* imp = this->impl();
+ return jsStringOrNull(exec, imp->value());
+}
+
+void JSAttr::setNodeValue(JSC::ExecState* exec, JSC::JSValue value)
+{
+ setValue(exec, value);
+}
+
+JSC::JSValue JSAttr::textContent(JSC::ExecState* exec) const
+{
+ return nodeValue(exec);
+}
+
+void JSAttr::setTextContent(JSC::ExecState* exec, JSC::JSValue value)
+{
+ setValue(exec, value);
+}
+
void JSAttr::markChildren(MarkStack& markStack)
{
Base::markChildren(markStack);
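Review bot: The four new accessors carry no comment saying why `nodeValue` and `textContent` must bypass the generated Node bindings, and the security check itself is only presumed to live in `setValue`, whose body lies above this hunk. Add above `JSAttr::nodeValue` a comment such as `// nodeValue and textContent are aliases of value; route them through setValue so the frame-src javascript: URL check cannot be bypassed (bug 36502).` Because the check is enforced in the binding layer rather than in Attr/Element, any further binding-visible path that writes the attribute's string would need its own override; worth stating on the commit so the next alias is not missed.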
diff --git a/WebCore/bindings/v8/custom/V8AttrCustom.cpp b/WebCore/bindings/v8/custom/V8AttrCustom.cpp
index 0da4ae4..76e9df8 100644
--- a/WebCore/bindings/v8/custom/V8AttrCustom.cpp
+++ b/WebCore/bindings/v8/custom/V8AttrCustom.cpp
@@ -55,4 +55,24 @@ void V8Attr::valueAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value
throwError(ec);
}
+void V8Attr::nodeValueAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
+{
+ valueAccessorSetter(name, value, info);
+}
+v8::Handle<v8::Value> V8Attr::nodeValueAccessorGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
+{
+ Attr* imp = V8Attr::toNative(info.Holder());
+ return v8StringOrNull(imp->value());
+}
+
+void V8Attr::textContentAccessorSetter(v8::Local<v8::String> name, v8::Local<v8::Value> value, const v8::AccessorInfo& info)
+{
+ valueAccessorSetter(name, value, info);
+}
+
+v8::Handle<v8::Value> V8Attr::textContentAccessorGetter(v8::Local<v8::String> name, const v8::AccessorInfo& info)
+{
+ return nodeValueAccessorGetter(name, info);
+}
+
} // namespace WebCore
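Review bot: There is no blank line between the closing brace of `nodeValueAccessorSetter` and `v8::Handle<v8::Value> V8Attr::nodeValueAccessorGetter(...)`, unlike the other definitions in this hunk; insert one to match WebKit style. As on the JSC side, a one-line comment above `nodeValueAccessorSetter` would help: `// nodeValue/textContent alias value; forward to valueAccessorSetter so its javascript: URL check for frame src applies (bug 36502).` The check is assumed to be inside `valueAccessorSetter`, whose body starts above this hunk.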
diff --git a/WebCore/dom/Attr.idl b/WebCore/dom/Attr.idl
index af84478..a29c613 100644
--- a/WebCore/dom/Attr.idl
+++ b/WebCore/dom/Attr.idl
@@ -28,10 +28,17 @@ module core {
// DOM Level 1
readonly attribute [ConvertNullStringTo=Null] DOMString name;
+
readonly attribute boolean specified;
+
attribute [ConvertNullStringTo=Null, ConvertNullToNullString, CustomSetter] DOMString value
setter raises(DOMException);
+#if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT // Used for JavaScript iFrame src check.
+ attribute [ConvertNullStringTo=Null, ConvertNullToNullString, Custom] DOMString nodeValue
+ setter raises(DOMException);
+#endif
+
// DOM Level 2
readonly attribute Element ownerElement;
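Review bot: The `#if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT` guard limits the override to the JavaScript bindings, so any bindings generated for other languages keep inheriting Node's `nodeValue` without the `value` setter's check; that is presumably acceptable if only script-exposed bindings reach untrusted content, but the comment should say why the guard is there. Replace `// Used for JavaScript iFrame src check.` with something like `// JavaScript bindings only: nodeValue aliases value, whose custom setter applies the frame-src javascript: URL check (bug 36502).` The same guard and comment appear on the `textContent` override in the next hunk and should be updated together.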
@@ -40,6 +47,11 @@ module core {
readonly attribute boolean isId;
+#if defined(LANGUAGE_JAVASCRIPT) && LANGUAGE_JAVASCRIPT // Used for JavaScript iFrame src check.
+ attribute [ConvertNullStringTo=Null, ConvertNullToNullString, Custom] DOMString textContent
+ setter raises(DOMException);
+#endif
+
// extensions
readonly attribute CSSStyleDeclaration style;
};
--
WebKit Debian packaging