[SCM] WebKit Debian packaging branch, webkit-1.3, updated. upstream/1.3.7-4207-g178b198
abarth at webkit.org
abarth at webkit.org
Mon Feb 21 00:18:56 UTC 2011
The following commit has been merged in the webkit-1.3 branch:
commit d8984fa2224587ec0ddd720172d2b6c6e8616df8
Author: abarth at webkit.org <abarth at webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date: Sat Jan 29 09:19:21 2011 +0000
2011-01-29 Adam Barth <abarth at webkit.org>
Reviewed by Daniel Bates.
XSSFilter should pass xssAuditor/script-tag-with-source-same-host.html
and xssAuditor/script-tag-post-*
https://bugs.webkit.org/show_bug.cgi?id=53364
We're supposed to allow loading same-origin resources even if they
appear as part of the request.
Also, we're supposed to look at the POST data too. :)
* html/parser/XSSFilter.cpp:
(WebCore::XSSFilter::eraseAttributeIfInjected):
(WebCore::XSSFilter::isSameOriginResource):
- Copy/paste from XSSAuditor::isSameOriginResource. We'll
eventually remove the XSSAuditor version when XSSFilter is done.
* html/parser/XSSFilter.h:
git-svn-id: http://svn.webkit.org/repository/webkit/trunk@77058 268f45cc-cd09-0410-ab3c-d52691b4dbfc
diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index f2930eb..6c51553 100644
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -2,6 +2,26 @@
Reviewed by Daniel Bates.
+ XSSFilter should pass xssAuditor/script-tag-with-source-same-host.html
+ and xssAuditor/script-tag-post-*
+ https://bugs.webkit.org/show_bug.cgi?id=53364
+
+ We're supposed to allow loading same-origin resources even if they
+ appear as part of the request.
+
+ Also, we're supposed to look at the POST data too. :)
+
+ * html/parser/XSSFilter.cpp:
+ (WebCore::XSSFilter::eraseAttributeIfInjected):
+ (WebCore::XSSFilter::isSameOriginResource):
+ - Copy/paste from XSSAuditor::isSameOriginResource. We'll
+ eventually remove the XSSAuditor version when XSSFilter is done.
+ * html/parser/XSSFilter.h:
+
+2011-01-29 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Daniel Bates.
+
XSSFilter should pass 16 of the xssAuditor/script-tag* tests
https://bugs.webkit.org/show_bug.cgi?id=53362
diff --git a/Source/WebCore/html/parser/XSSFilter.cpp b/Source/WebCore/html/parser/XSSFilter.cpp
index f43cf0e..743c8b9 100644
--- a/Source/WebCore/html/parser/XSSFilter.cpp
+++ b/Source/WebCore/html/parser/XSSFilter.cpp
@@ -27,6 +27,7 @@
#include "XSSFilter.h"
#include "Document.h"
+#include "DocumentLoader.h"
#include "Frame.h"
#include "HTMLDocumentParser.h"
#include "HTMLNames.h"
@@ -93,6 +94,28 @@ XSSFilter::XSSFilter(HTMLDocumentParser* parser)
if (Settings* settings = frame->settings())
m_isEnabled = settings->xssAuditorEnabled();
}
+ // Although tempting to call init() at this point, the various objects
+ // we want to reference might not all have been constructed yet.
+}
+
+void XSSFilter::init()
+{
+ ASSERT(m_isEnabled);
+
+ const TextEncoding& encoding = m_parser->document()->decoder()->encoding();
+ String url = m_parser->document()->url().string();
+ m_decodedURL = decodeURL(url, encoding);
+
+ // In theory, the Document could have detached from the Frame after the
+ // XSSFilter was constructed.
+ if (!m_parser->document()->frame())
+ return;
+
+ if (DocumentLoader* documentLoader = m_parser->document()->frame()->loader()->documentLoader()) {
+ FormData* httpBody = documentLoader->originalRequest().httpBody();
+ if (httpBody && !httpBody->isEmpty())
+ m_decodedHTTPBody = decodeURL(httpBody->flattenToString(), encoding);
+ }
}
void XSSFilter::filterToken(HTMLToken& token)
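Review bot: `init()` dereferences `m_parser->document()->decoder()` on the line after the assert without a null check, while the frame is null-checked a few lines later; this deref is carried over from the removed `isContainedInRequest` body, so if the decoder cannot be absent once tokens are flowing it is fine, but the asymmetry deserves a comment. The function also silently leaves `m_decodedHTTPBody` empty when the document has detached from its frame, which means POST-reflected injections are no longer detected for that document. I would document the contract above `init()`: `// Called lazily from filterToken() on the first token, once the decoder and DocumentLoader exist. Captures the decoded request URL and, when the frame is still attached, the decoded POST body; if the frame is gone the body stays empty and only URL reflection is checked.`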
@@ -104,6 +127,9 @@ void XSSFilter::filterToken(HTMLToken& token)
if (!m_isEnabled)
return;
+ if (m_decodedURL.isEmpty())
+ init();
+
bool didBlockScript = false;
switch (m_state) {
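Review bot: Using `m_decodedURL.isEmpty()` as the "not yet initialized" sentinel is fragile: if `decodeURL` ever yields an empty string for the document URL, `init()` reruns on every token, re-flattening and re-decoding the POST body each time. A dedicated flag makes the intent explicit, e.g. `if (!m_isInitialized) { init(); m_isInitialized = true; }` with `bool m_isInitialized;` added to the header and zeroed in the constructor. `filterToken` begins outside this hunk.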
@@ -269,6 +295,8 @@ bool XSSFilter::eraseAttributeIfInjected(HTMLToken& token, const QualifiedName&
if (findAttributeWithName(token, attributeName, indexOfAttribute)) {
const HTMLToken::Attribute& attribute = token.attributes().at(indexOfAttribute);
if (isContainedInRequest(snippetForAttribute(token, attribute))) {
+ if (attributeName == srcAttr && isSameOriginResource(String(attribute.m_value.data(), attribute.m_value.size())))
+ return false;
token.eraseValueOfAttribute(indexOfAttribute);
if (!replacementValue.isEmpty())
token.appendToAttributeValue(indexOfAttribute, replacementValue);
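Review bot: The new early return makes the filter trust any injected `src` that resolves to the same host, which is a deliberate false-positive trade-off but also a bypass for any site that serves attacker-controllable files from its own host (uploads, user content directories); nothing at this call site records that. I would add a comment above the `if (attributeName == srcAttr ...)` line: `// Same-host script sources are deliberately exempted to reduce false positives; an attacker who can place a file on this host (uploads etc.) can still bypass the filter.` Note that the raw attribute value is handed to `isSameOriginResource` untrimmed, so any leading whitespace handling is left to KURL. `eraseAttributeIfInjected` starts outside this hunk.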
@@ -296,12 +324,19 @@ String XSSFilter::snippetForAttribute(const HTMLToken& token, const HTMLToken::A
bool XSSFilter::isContainedInRequest(const String& snippet)
{
- String url = m_parser->document()->url().string();
- String decodedURL = decodeURL(url, m_parser->document()->decoder()->encoding());
- if (decodedURL.find(snippet, 0, false) != notFound)
- return true; // We've found the string in the GET data.
- // FIXME: Look in form data.
- return false;
+ return m_decodedURL.find(snippet, 0, false) != notFound || m_decodedHTTPBody.find(snippet, 0, false) != notFound;
+}
+
+bool XSSFilter::isSameOriginResource(const String& url)
+{
+ // If the resource is loaded from the same URL as the enclosing page, it's
+ // probably not an XSS attack, so we reduce false positives by allowing the
+ // request. If the resource has a query string, we're more suspicious,
+ // however, because that's pretty rare and the attacker might be able to
+ // trick a server-side script into doing something dangerous with the query
+ // string.
+ KURL resourceURL(m_parser->document()->url(), url);
+ return (m_parser->document()->url().host() == resourceURL.host() && resourceURL.query().isEmpty());
}
}
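Review bot: `isSameOriginResource` compares only `host()`, so a script at `http://example.com/...` injected into a page served from `https://example.com` (or the same host on a different port) passes as "same origin", which the name and the comment above it promise more than the code delivers. If the intent really is same-origin, compare scheme and port as well, e.g. `const KURL& documentURL = m_parser->document()->url(); return documentURL.protocol() == resourceURL.protocol() && documentURL.host() == resourceURL.host() && documentURL.port() == resourceURL.port() && resourceURL.query().isEmpty();`; if the looser host-only match is intentional (it is copied from XSSAuditor), rename it to something like `isSameHostResource` and say so in the comment. Also worth noting in the comment: an empty `url` resolves to the document URL itself, so it inherits the document's query string and may fail the query check.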
diff --git a/Source/WebCore/html/parser/XSSFilter.h b/Source/WebCore/html/parser/XSSFilter.h
index b7fb4df..908ca84 100644
--- a/Source/WebCore/html/parser/XSSFilter.h
+++ b/Source/WebCore/html/parser/XSSFilter.h
@@ -45,6 +45,8 @@ private:
AfterScriptStartTag,
};
+ void init();
+
bool filterTokenInitial(HTMLToken&);
bool filterTokenAfterScriptStartTag(HTMLToken&);
@@ -62,9 +64,14 @@ private:
String snippetForAttribute(const HTMLToken&, const HTMLToken::Attribute&);
bool isContainedInRequest(const String&);
+ bool isSameOriginResource(const String& url);
HTMLDocumentParser* m_parser;
bool m_isEnabled;
+
+ String m_decodedURL;
+ String m_decodedHTTPBody;
+
State m_state;
String m_cachedSnippet;
};