[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198

abarth at webkit.org abarth at webkit.org
Mon Feb 21 00:18:56 UTC 2011


The following commit has been merged in the webkit-1.3 branch:
commit d8984fa2224587ec0ddd720172d2b6c6e8616df8
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Sat Jan 29 09:19:21 2011 +0000

    2011-01-29  Adam Barth  <abarth at webkit.org>
    
            Reviewed by Daniel Bates.
    
            XSSFilter should pass xssAuditor/script-tag-with-source-same-host.html
            and xssAuditor/script-tag-post-*
            https://bugs.webkit.org/show_bug.cgi?id=53364
    
            We're supposed to allow loading same-origin resources even if they
            appear as part of the request.
    
            Also, we're supposed to look at the POST data too.  :)
    
            * html/parser/XSSFilter.cpp:
            (WebCore::XSSFilter::eraseAttributeIfInjected):
            (WebCore::XSSFilter::isSameOriginResource):
                - Copy/paste from XSSAuditor::isSameOriginResource.  We'll
                  eventually remove the XSSAuditor version when XSSFilter is done.
            * html/parser/XSSFilter.h:
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77058 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index f2930eb..6c51553 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -2,6 +2,26 @@
 
         Reviewed by Daniel Bates.
 
+        XSSFilter should pass xssAuditor/script-tag-with-source-same-host.html
+        and xssAuditor/script-tag-post-*
+        https://bugs.webkit.org/show_bug.cgi?id=53364
+
+        We're supposed to allow loading same-origin resources even if they
+        appear as part of the request.
+
+        Also, we're supposed to look at the POST data too.  :)
+
+        * html/parser/XSSFilter.cpp:
+        (WebCore::XSSFilter::eraseAttributeIfInjected):
+        (WebCore::XSSFilter::isSameOriginResource):
+            - Copy/paste from XSSAuditor::isSameOriginResource.  We'll
+              eventually remove the XSSAuditor version when XSSFilter is done.
+        * html/parser/XSSFilter.h:
+
+2011-01-29  Adam Barth  <abarth at webkit.org>
+
+        Reviewed by Daniel Bates.
+
         XSSFilter should pass 16 of the xssAuditor/script-tag* tests
         https://bugs.webkit.org/show_bug.cgi?id=53362
 
diff --git a/Source/WebCore/html/parser/XSSFilter.cpp b/Source/WebCore/html/parser/XSSFilter.cpp
index f43cf0e..743c8b9 100644
--- a/Source/WebCore/html/parser/XSSFilter.cpp
+++ b/Source/WebCore/html/parser/XSSFilter.cpp
@@ -27,6 +27,7 @@
 #include "XSSFilter.h"
 
 #include "Document.h"
+#include "DocumentLoader.h"
 #include "Frame.h"
 #include "HTMLDocumentParser.h"
 #include "HTMLNames.h"
@@ -93,6 +94,28 @@ XSSFilter::XSSFilter(HTMLDocumentParser* parser)
         if (Settings* settings = frame->settings())
             m_isEnabled = settings->xssAuditorEnabled();
     }
+    // Although tempting to call init() at this point, the various objects
+    // we want to reference might not all have been constructed yet.
+}
+
+void XSSFilter::init()
+{
+    ASSERT(m_isEnabled);
+
+    const TextEncoding& encoding = m_parser->document()->decoder()->encoding();
+    String url = m_parser->document()->url().string();
+    m_decodedURL = decodeURL(url, encoding);
+
+    // In theory, the Document could have detached from the Frame after the
+    // XSSFilter was constructed.
+    if (!m_parser->document()->frame())
+        return;
+
+    if (DocumentLoader* documentLoader = m_parser->document()->frame()->loader()->documentLoader()) {
+        FormData* httpBody = documentLoader->originalRequest().httpBody();
+        if (httpBody && !httpBody->isEmpty())
+            m_decodedHTTPBody = decodeURL(httpBody->flattenToString(), encoding);
+    }
 }
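Review bot: init() dereferences `m_parser->document()->decoder()` on the line after the ASSERT with no null check, while the frame pointer a few lines later is checked before use; if decoder() can be null at this point (not visible here), the decode should be guarded the same way, e.g. `if (!m_parser->document()->decoder()) return;` before reading the encoding. The lazy trigger in the filterToken hunk, `if (m_decodedURL.isEmpty()) init();`, uses emptiness of the decoded URL as the "initialized" flag, so a document whose URL decodes to an empty string re-runs init() on every token and re-flattens the POST body each time; an explicit flag (a `bool m_didInit` member declared next to `m_decodedURL` in the XSSFilter.h hunk, set at the end of init()) makes the state explicit and the cost once per document. If the sentinel is kept, the new members in XSSFilter.h should say so: `// Filled lazily by init() on the first filtered token; an empty m_decodedURL means init() has not run.`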
 
 void XSSFilter::filterToken(HTMLToken& token)
@@ -104,6 +127,9 @@ void XSSFilter::filterToken(HTMLToken& token)
     if (!m_isEnabled)
         return;
 
+    if (m_decodedURL.isEmpty())
+        init();
+
     bool didBlockScript = false;
 
     switch (m_state) {
@@ -269,6 +295,8 @@ bool XSSFilter::eraseAttributeIfInjected(HTMLToken& token, const QualifiedName&
     if (findAttributeWithName(token, attributeName, indexOfAttribute)) {
         const HTMLToken::Attribute& attribute = token.attributes().at(indexOfAttribute);
         if (isContainedInRequest(snippetForAttribute(token, attribute))) {
+            if (attributeName == srcAttr && isSameOriginResource(String(attribute.m_value.data(), attribute.m_value.size())))
+                return false;
             token.eraseValueOfAttribute(indexOfAttribute);
             if (!replacementValue.isEmpty())
                 token.appendToAttributeValue(indexOfAttribute, replacementValue);
@@ -296,12 +324,19 @@ String XSSFilter::snippetForAttribute(const HTMLToken& token, const HTMLToken::A
 
 bool XSSFilter::isContainedInRequest(const String& snippet)
 {
-    String url = m_parser->document()->url().string();
-    String decodedURL = decodeURL(url, m_parser->document()->decoder()->encoding());
-    if (decodedURL.find(snippet, 0, false) != notFound)
-        return true; // We've found the string in the GET data.
-    // FIXME: Look in form data.
-    return false;
+    return m_decodedURL.find(snippet, 0, false) != notFound || m_decodedHTTPBody.find(snippet, 0, false) != notFound;
+}
+
+bool XSSFilter::isSameOriginResource(const String& url)
+{
+    // If the resource is loaded from the same URL as the enclosing page, it's
+    // probably not an XSS attack, so we reduce false positives by allowing the
+    // request. If the resource has a query string, we're more suspicious,
+    // however, because that's pretty rare and the attacker might be able to
+    // trick a server-side script into doing something dangerous with the query
+    // string.
+    KURL resourceURL(m_parser->document()->url(), url);
+    return (m_parser->document()->url().host() == resourceURL.host() && resourceURL.query().isEmpty());
 }
 
 }
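Review bot: isSameOriginResource compares only host(), so the exemption added in the eraseAttributeIfInjected hunk skips erasing a `src` on any scheme or port of the document's host, which is broader than the comment's "loaded from the same URL as the enclosing page" and than the function's name; comparing scheme and port as well, e.g. `m_parser->document()->url().protocol() == resourceURL.protocol() && m_parser->document()->url().port() == resourceURL.port()` (or a SecurityOrigin comparison), narrows it to an actual same-origin check. An empty host on both sides also compares equal, so a document without a host would exempt hostless resource URLs; requiring `!resourceURL.host().isEmpty()` closes that. The ChangeLog says this body is copied from XSSAuditor::isSameOriginResource, so the same narrowing applies there until that version is removed.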
diff --git a/Source/WebCore/html/parser/XSSFilter.h b/Source/WebCore/html/parser/XSSFilter.h
index b7fb4df..908ca84 100644
--- a/Source/WebCore/html/parser/XSSFilter.h
+++ b/Source/WebCore/html/parser/XSSFilter.h
@@ -45,6 +45,8 @@ private:
         AfterScriptStartTag,
     };
 
+    void init();
+
     bool filterTokenInitial(HTMLToken&);
     bool filterTokenAfterScriptStartTag(HTMLToken&);
 
@@ -62,9 +64,14 @@ private:
     String snippetForAttribute(const HTMLToken&, const HTMLToken::Attribute&);
 
     bool isContainedInRequest(const String&);
+    bool isSameOriginResource(const String& url);
 
     HTMLDocumentParser* m_parser;
     bool m_isEnabled;
+
+    String m_decodedURL;
+    String m_decodedHTTPBody;
+
     State m_state;
     String m_cachedSnippet;
 };
