[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198

abarth at webkit.org abarth at webkit.org
Mon Feb 21 00:19:02 UTC 2011


The following commit has been merged in the webkit-1.3 branch:
commit 18c14eef8ceeff5a501f6066fb67c7fb9a517d9a
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sat Jan 29 09:20:44 2011 +0000

    2011-01-29  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Daniel Bates.
    
            XSSFilter should pass xssAuditor/script-tag-addslashes*
            https://bugs.webkit.org/show_bug.cgi?id=53365
    
            We need to canonicalize strings to avoid being tricked by addslashes.
    
            * html/parser/XSSFilter.cpp:
            (WebCore::HTMLNames::isNonCanonicalCharacter):
                - This function is copied from the XSSAuditor (with some tweaks).
                  We'll eventually remove the XSSAuditor once we've got XSSFilter
                  working properly.
            (WebCore::HTMLNames::canonicalize):
            (WebCore::HTMLNames::decodeURL):
            (WebCore::XSSFilter::isContainedInRequest):
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77059 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 6c51553..90b3c21 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -2,6 +2,24 @@
 
         Reviewed by Daniel Bates.
 
+        XSSFilter should pass xssAuditor/script-tag-addslashes*
+        https://bugs.webkit.org/show_bug.cgi?id=53365
+
+        We need to canonicalize strings to avoid being tricked by addslashes.
+
+        * html/parser/XSSFilter.cpp:
+        (WebCore::HTMLNames::isNonCanonicalCharacter):
+            - This function is copied from the XSSAuditor (with some tweaks).
+              We'll eventually remove the XSSAuditor once we've got XSSFilter
+              working properly.
+        (WebCore::HTMLNames::canonicalize):
+        (WebCore::HTMLNames::decodeURL):
+        (WebCore::XSSFilter::isContainedInRequest):
+
+2011-01-29  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Daniel Bates.
+
         XSSFilter should pass xssAuditor/script-tag-with-source-same-host.html
         and xssAuditor/script-tag-post-*
         https://bugs.webkit.org/show_bug.cgi?id=53364
diff --git a/Source/WebCore/html/parser/XSSFilter.cpp b/Source/WebCore/html/parser/XSSFilter.cpp
index 743c8b9..d108552 100644
--- a/Source/WebCore/html/parser/XSSFilter.cpp
+++ b/Source/WebCore/html/parser/XSSFilter.cpp
@@ -45,6 +45,23 @@ using namespace HTMLNames;
 
 namespace {
 
+bool isNonCanonicalCharacter(UChar c)
+{
+    // We remove all non-ASCII characters, including non-printable ASCII characters.
+    //
+    // Note, we don't remove backslashes like PHP stripslashes(), which among other things converts "\\0" to the \0 character.
+    // Instead, we remove backslashes and zeros (since the string "\\0" =(remove backslashes)=> "0"). However, this has the 
+    // adverse effect that we remove any legitimate zeros from a string.
+    //
+    // For instance: new String("http://localhost:8000") => new String("http://localhost:8").
+    return (c == '\\' || c == '0' || c == '\0' || c >= 127);
+}
+
+String canonicalize(const String& string)
+{
+    return string.removeCharacters(&isNonCanonicalCharacter);
+}
+
 bool hasName(const HTMLToken& token, const QualifiedName& name)
 {
     return equalIgnoringNullity(token.name(), static_cast<const String&>(name.localName()));
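Review bot: The comment on isNonCanonicalCharacter overstates what the predicate removes: `c >= 127` drops DEL and everything non-ASCII and `c == '\0'` drops NUL, but the control characters 0x01–0x1F pass through, so "including non-printable ASCII characters" does not describe the code as written. Either narrow the comment, e.g. `// We remove all non-ASCII characters plus NUL and DEL; other control characters are kept.`, or, if the XSSAuditor version this was copied from did strip them, extend the test — which of the two is intended I cannot tell from this hunk. As the comment already admits, dropping every '0' also means a snippet and a request that differ only in digit zeros compare equal, so canonicalize() trades some precision for addslashes resistance; a short sentence in the header comment stating that this is accepted for the reflected-content comparison would save the next reader from re-deriving it. Minor: the line ending `However, this has the ` carries trailing whitespace.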
@@ -78,8 +95,8 @@ String decodeURL(const String& string, const TextEncoding& encoding)
     String decodedString = encoding.decode(workingStringUTF8.data(), workingStringUTF8.length());
     // FIXME: Is this check necessary?
     if (decodedString.isEmpty())
-        return workingString;
-    return decodedString;
+        return canonicalize(workingString);
+    return canonicalize(decodedString);
 }
 
 }
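Review bot: Both return paths of decodeURL now end in canonicalize(), so the FIXME'd branch can be collapsed into a single expression, `return canonicalize(decodedString.isEmpty() ? workingString : decodedString);`, which makes the post-condition explicit and removes the duplicated call. decodeURL's signature and the start of its body lie outside this hunk. Since the containment check only works when both sides are canonical, a one-line comment at the function's head such as `// The result is always canonical (see canonicalize()) so it can be compared against canonicalized snippets.` would document that contract for any code that fills m_decodedURL or m_decodedHTTPBody by another route — whether such a route exists I cannot see from here.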
@@ -324,7 +341,9 @@ String XSSFilter::snippetForAttribute(const HTMLToken& token, const HTMLToken::A
 
 bool XSSFilter::isContainedInRequest(const String& snippet)
 {
-    return m_decodedURL.find(snippet, 0, false) != notFound || m_decodedHTTPBody.find(snippet, 0, false) != notFound;
+    String canonicalizedSnippet = canonicalize(snippet);
+    return m_decodedURL.find(canonicalizedSnippet, 0, false) != notFound
+        || m_decodedHTTPBody.find(canonicalizedSnippet, 0, false) != notFound;
 }
 
 bool XSSFilter::isSameOriginResource(const String& url)
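Review bot: After canonicalization the snippet can become empty — a snippet consisting only of backslashes and '0' characters is stripped entirely — and if String::find with an empty needle reports a match at index 0, as I believe WTF's does, such a snippet is reported as contained in every request, which turns the addslashes defence into a false positive that blocks unrelated script. A guard before the lookups, `if (canonicalizedSnippet.isEmpty()) return false;`, makes that case explicit; whether the callers can produce such a snippet I cannot confirm from this hunk. A brief comment above the two find() calls noting that the third argument `false` selects a case-insensitive match would also help, since the intent is easy to misread as "not found".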
