[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198
abarth at webkit.org
Mon Feb 21 00:19:02 UTC 2011
The following commit has been merged in the webkit-1.3 branch:
commit 18c14eef8ceeff5a501f6066fb67c7fb9a517d9a
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Sat Jan 29 09:20:44 2011 +0000
2011-01-29 Adam Barth <abarth at webkit.org>
Reviewed by Daniel Bates.
XSSFilter should pass xssAuditor/script-tag-addslashes*
https://bugs.webkit.org/show_bug.cgi?id=53365
We need to canonicalize strings to avoid being tricked by addslashes.
* html/parser/XSSFilter.cpp:
(WebCore::HTMLNames::isNonCanonicalCharacter):
- This function is copied from the XSSAuditor (with some tweaks).
We'll eventually remove the XSSAuditor once we've got XSSFilter
working properly.
(WebCore::HTMLNames::canonicalize):
(WebCore::HTMLNames::decodeURL):
(WebCore::XSSFilter::isContainedInRequest):
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77059 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 6c51553..90b3c21 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -2,6 +2,24 @@
Reviewed by Daniel Bates.
+ XSSFilter should pass xssAuditor/script-tag-addslashes*
+ https://bugs.webkit.org/show_bug.cgi?id=53365
+
+ We need to canonicalize strings to avoid being tricked by addslashes.
+
+ * html/parser/XSSFilter.cpp:
+ (WebCore::HTMLNames::isNonCanonicalCharacter):
+ - This function is copied from the XSSAuditor (with some tweaks).
+ We'll eventually remove the XSSAuditor once we've got XSSFilter
+ working properly.
+ (WebCore::HTMLNames::canonicalize):
+ (WebCore::HTMLNames::decodeURL):
+ (WebCore::XSSFilter::isContainedInRequest):
+
+2011-01-29 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Daniel Bates.
+
XSSFilter should pass xssAuditor/script-tag-with-source-same-host.html
and xssAuditor/script-tag-post-*
https://bugs.webkit.org/show_bug.cgi?id=53364
diff --git a/Source/WebCore/html/parser/XSSFilter.cpp b/Source/WebCore/html/parser/XSSFilter.cpp
index 743c8b9..d108552 100644
--- a/Source/WebCore/html/parser/XSSFilter.cpp
+++ b/Source/WebCore/html/parser/XSSFilter.cpp
@@ -45,6 +45,23 @@ using namespace HTMLNames;
namespace {
+bool isNonCanonicalCharacter(UChar c)
+{
+ // We remove all non-ASCII characters, including non-printable ASCII characters.
+ //
+ // Note, we don't remove backslashes like PHP stripslashes(), which among other things converts "\\0" to the \0 character.
+ // Instead, we remove backslashes and zeros (since the string "\\0" =(remove backslashes)=> "0"). However, this has the
+ // adverse effect that we remove any legitimate zeros from a string.
+ //
+ // For instance: new String("http://localhost:8000") => new String("http://localhost:8").
+ return (c == '\\' || c == '0' || c == '\0' || c >= 127);
+}
+
+String canonicalize(const String& string)
+{
+ return string.removeCharacters(&isNonCanonicalCharacter);
+}
+
bool hasName(const HTMLToken& token, const QualifiedName& name)
{
return equalIgnoringNullity(token.name(), static_cast<const String&>(name.localName()));
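Review bot: The header comment on isNonCanonicalCharacter overstates what the predicate does: it says non-printable ASCII is removed, but the return expression only drops NUL, '0', backslash, DEL and everything above 127, so the control characters 0x01–0x1F survive canonicalization. Since the same predicate is applied to both the snippet and the decoded request, this is not a mismatch between the two sides, but a reader auditing the filter will assume a stronger normalization than is actually performed. I would correct the comment rather than widen the set, as widening would change what is matched: `// Among control characters only NUL and DEL are dropped; 0x01-0x1F are kept as-is.` The adverse effect of removing the digit '0' is already documented; it would help to add that this is acceptable only because the request side is canonicalized identically, so both strings lose the same characters.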
@@ -78,8 +95,8 @@ String decodeURL(const String& string, const TextEncoding& encoding)
String decodedString = encoding.decode(workingStringUTF8.data(), workingStringUTF8.length());
// FIXME: Is this check necessary?
if (decodedString.isEmpty())
- return workingString;
- return decodedString;
+ return canonicalize(workingString);
+ return canonicalize(decodedString);
}
}
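Review bot: decodeURL now silently canonicalizes its result, but nothing at the function records that this is required to stay in lockstep with the canonicalize() applied to snippets in XSSFilter::isContainedInRequest; a later reader could move or drop one of the calls and reintroduce the addslashes bypass the commit fixes. I would add above the returns: `// The result is compared against canonicalize()d snippets, so it must be canonicalized the same way.` The two return paths could also be folded into one call, `return canonicalize(decodedString.isEmpty() ? workingString : decodedString);`, which keeps the existing FIXME about the isEmpty check intact. The start of decodeURL is outside this hunk, so I cannot see whether m_decodedHTTPBody is produced through the same function; if the body is decoded elsewhere, it needs the same canonicalization.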
@@ -324,7 +341,9 @@ String XSSFilter::snippetForAttribute(const HTMLToken& token, const HTMLToken::A
bool XSSFilter::isContainedInRequest(const String& snippet)
{
- return m_decodedURL.find(snippet, 0, false) != notFound || m_decodedHTTPBody.find(snippet, 0, false) != notFound;
+ String canonicalizedSnippet = canonicalize(snippet);
+ return m_decodedURL.find(canonicalizedSnippet, 0, false) != notFound
+ || m_decodedHTTPBody.find(canonicalizedSnippet, 0, false) != notFound;
}
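Review bot: canonicalize() can reduce a snippet to the empty string (for example a snippet made only of zeros, backslashes or non-ASCII text), and on the lines that follow an empty needle passed to String::find is, as far as I recall, reported at index 0 rather than notFound, which would make such a snippet count as contained in every request. Whether this is reachable depends on the callers enforcing a minimum snippet length before this point, which is outside the hunk; if they do not, a guard such as `if (canonicalizedSnippet.isEmpty()) return false;` right after the canonicalization keeps the filter from acting on a snippet with no matchable content. Either way a comment stating that the snippet is canonicalized to match the treatment of m_decodedURL and m_decodedHTTPBody would make the invariant explicit.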
bool XSSFilter::isSameOriginResource(const String& url)
--