152871 2016-01-07 17:00:58 -0800 [XSS Auditor] Add test when XSS payload is in the path portion of the URL 2016-01-13 13:18:57 -0800 1 1 1 Unclassified WebKit WebCore Misc. WebKit Local Build All All RESOLVED FIXED BlinkMergeCandidate, XSSAuditor P2 Normal --- 1 dbates dbates commit-queue glenn oldest_to_newest 1153685 0 dbates 2016-01-07 17:00:58 -0800 Blink Issue: <https://code.google.com/p/chromium/issues/detail?id=330972> 1153686 1 268509 dbates 2016-01-07 17:01:57 -0800 Created attachment 268509 Patch 1155188 2 268509 bfulgham 2016-01-13 12:55:46 -0800 Comment on attachment 268509 Patch r=me 1155201 3 268509 commit-queue 2016-01-13 13:18:55 -0800 Comment on attachment 268509 Patch Clearing flags on attachment: 268509 Committed r194978: <http://trac.webkit.org/changeset/194978> 1155202 4 commit-queue 2016-01-13 13:18:57 -0800 All reviewed patches have been landed. Closing bug. 268509 2016-01-07 17:01:57 -0800 2016-01-13 13:18:55 -0800 Patch bug-152871-20160107170125.patch text/plain 6479 dbates U3VidmVyc2lvbiBSZXZpc2lvbjogMTk0NzQwCmRpZmYgLS1naXQgYS9Ub29scy9DaGFuZ2VMb2cg Yi9Ub29scy9DaGFuZ2VMb2cKaW5kZXggODdiMzVmMjM4MWQ1ZTgxMjg5ZWFhZGE3ZTdhY2I5MTVl ZTgwYzdhMC4uYzFlNmFhNTJjYzVlOWIxM2E4ZmRkZDZiNGMxODE2NGE1NmMxYjMxYSAxMDA2NDQK LS0tIGEvVG9vbHMvQ2hhbmdlTG9nCisrKyBiL1Rvb2xzL0NoYW5nZUxvZwpAQCAtMSwzICsxLDE1 IEBACisyMDE2LTAxLTA3ICBEYW5pZWwgQmF0ZXMgIDxkYWJhdGVzQGFwcGxlLmNvbT4KKworICAg ICAgICBbWFNTIEF1ZGl0b3JdIEFkZCB0ZXN0IHdoZW4gWFNTIHBheWxvYWQgaXMgaW4gdGhlIHBh dGggcG9ydGlvbiBvZiB0aGUgVVJMCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3No b3dfYnVnLmNnaT9pZD0xNTI4NzEKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMh KS4KKworICAgICAgICBNZXJnZWQgZnJvbSBCbGluayAocGF0Y2ggYnkgVG9tIFNlcGV6IDx0c2Vw ZXpAY2hyb21pdW0ub3JnPik6CisgICAgICAgIDxodHRwczovL3NyYy5jaHJvbWl1bS5vcmcvdmll d3ZjL2JsaW5rP3JldmlzaW9uPTE2NDc0NiZ2aWV3PXJldmlzaW9uPgorCisgICAgICAgICogU2Ny aXB0cy93ZWJraXRweS9sYXlvdXRfdGVzdHMvc2VydmVycy9saWdodHRwZC5jb25mOgorCiAyMDE2 LTAxLTA3ICBBbGV4ZXkgUHJvc2t1cnlha292ICA8YXBAYXBwbGUuY29tPgogCiAgICAgICAgIHRl c3RSdW5uZXIucnVuVUlTY3JpcHQgY3Jhc2hlcyB3aGlsZSBydW5uaW5nIG11bHRpcGxlIHRlc3Rz IGluIGEgcm93IHRoYXQgaW52b2tlcyB0aGUgc2FtZSBVSVNjcmlwdApkaWZmIC0tZ2l0IGEvVG9v bHMvU2NyaXB0cy93ZWJraXRweS9sYXlvdXRfdGVzdHMvc2VydmVycy9saWdodHRwZC5jb25mIGIv VG9vbHMvU2NyaXB0cy93ZWJraXRweS9sYXlvdXRfdGVzdHMvc2VydmVycy9saWdodHRwZC5jb25m CmluZGV4IDQzNjBjMzdkOWQ4MTIyN2E2MWEzMGUzNmYzZWM4NzBjZGFmNzJhZmQuLjVhYzRhMjYz MzFhNDYwZjg1NWExNGUwYjk5NGU5ZTkxMDVlNjY4ZjYgMTAwNjQ0Ci0tLSBhL1Rvb2xzL1Njcmlw dHMvd2Via2l0cHkvbGF5b3V0X3Rlc3RzL3NlcnZlcnMvbGlnaHR0cGQuY29uZgorKysgYi9Ub29s cy9TY3JpcHRzL3dlYmtpdHB5L2xheW91dF90ZXN0cy9zZXJ2ZXJzL2xpZ2h0dHBkLmNvbmYKQEAg LTY1LDcgKzY1LDggQEAgZGlyLWxpc3RpbmcuYWN0aXZhdGUgICAgICAgID0gImVuYWJsZSIKICMg TGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9hcHBjYWNoZS9yZXNvdXJjZXMvaW50ZXJjZXB0Ly5odGFj Y2VzcwogdXJsLnJld3JpdGUtb25jZSA9ICgKICAgIl4vdXJpL2ludGVyY2VwdC8oLiopIiA9PiAi L3VyaS9yZXNvdXJjZXMvcHJpbnQtdXJpLnBocCIsCi0gICJeL2FwcGNhY2hlL3Jlc291cmNlcy9p bnRlcmNlcHQvKC4qKSIgPT4gIi9hcHBjYWNoZS9yZXNvdXJjZXMvcHJpbnQtdXJpLnBocCIKKyAg Il4vYXBwY2FjaGUvcmVzb3VyY2VzL2ludGVyY2VwdC8oLiopIiA9PiAiL2FwcGNhY2hlL3Jlc291 cmNlcy9wcmludC11cmkucGhwIiwKKyAgIl4vc2VjdXJpdHkveHNzQXVkaXRvci9pbnRlcmNlcHQv KFteL10qKS8oLiopIiA9PiAiL3NlY3VyaXR5L3hzc0F1ZGl0b3IvcmVzb3VyY2VzLyQxP3E9JDIi CiApCiAKICMgTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy94bWxodHRwcmVxdWVzdC9yZXNwb25zZS1l bmNvZGluZy5odG1sIHVzZXMgYW4gaHRhY2Nlc3MKZGlmZiAtLWdpdCBhL0xheW91dFRlc3RzL0No YW5nZUxvZyBiL0xheW91dFRlc3RzL0NoYW5nZUxvZwppbmRleCBlYTdlM2Y2ZDM4ZmU5YjUzNDI4 NjQzYTFmYWJjZjMyMTRmNGQ0NzI1Li4xNmNiYjg2YWRjZTJmNTE1MWViNjM4MzJlODQwYzZhNDBk ZWM0OWY3IDEwMDY0NAotLS0gYS9MYXlvdXRUZXN0cy9DaGFuZ2VMb2cKKysrIGIvTGF5b3V0VGVz dHMvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMzEgQEAKKzIwMTYtMDEtMDcgIERhbmllbCBCYXRlcyAg PGRhYmF0ZXNAYXBwbGUuY29tPgorCisgICAgICAgIFtYU1MgQXVkaXRvcl0gQWRkIHRlc3Qgd2hl biBYU1MgcGF5bG9hZCBpcyBpbiB0aGUgcGF0aCBwb3J0aW9uIG9mIHRoZSBVUkwKKyAgICAgICAg aHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19idWcuY2dpP2lkPTE1Mjg3MQorCisgICAgICAg IFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAgIE1lcmdlZCBmcm9tIEJsaW5r IChwYXRjaCBieSBUb20gU2VwZXogPHRzZXBlekBjaHJvbWl1bS5vcmc+KToKKyAgICAgICAgPGh0 dHBzOi8vc3JjLmNocm9taXVtLm9yZy92aWV3dmMvYmxpbms/cmV2aXNpb249MTY0NzQ2JnZpZXc9 cmV2aXNpb24+CisKKyAgICAgICAgQWRkIGluZnJhc3RydWN0dXJlIGFuZCBhIHRlc3QgZm9yIGFu IFhTUyBhdHRhY2sgd2hlcmUgdGhlIHBheWxvYWQgaXMKKyAgICAgICAgZW1iZWRkZWQgaW4gdGhl IHBhdGggcG9ydGlvbiBvZiB0aGUgVVJMLgorCisgICAgICAgIE1hbnkgWFNTIEF1ZGl0b3IgdGVz dHMgcGFzcyB0aGUgWFNTIHBheWxvYWQgdG8gQ0dJIHNjcmlwdHMgdmlhIHRoZQorICAgICAgICBx dWVyeSBzdHJpbmcgcG9ydGlvbiBvZiB0aGUgVVJMLiBOb3cgd2UgYWxzbyBzdXBwb3J0IGNhbGxp bmcgdGhlc2UKKyAgICAgICAgc2FtZSBzY3JpcHRzIHdpdGggdGhlIHBheWxvYWQgZW1iZWRkZWQg aW4gdGhlIHBhdGggcG9ydGlvbiBvZiB0aGUKKyAgICAgICAgVVJMLgorCisgICAgICAgIExvYWRp bmcgPGh0dHA6Ly8xMjcuMC4wLjE6ODAwMC9zZWN1cml0eS94c3NBdWRpdG9yL2ludGVyY2VwdC9Y L1k+CisgICAgICAgIHJldHVybnMgYSByZXNwb25zZSB3aG9zZSBjb250ZW50IGlzIGlkZW50aWNh bCB0byA8aHR0cDovLzEyNy4wLjAuMTo4MDAwL3NlY3VyaXR5L3hzc0F1ZGl0b3IvcmVzb3VyZXMv WD9xPVk+LAorICAgICAgICB3aGVyZSBYIGlzIHRoZSBmaWxlbmFtZSBvZiBzb21lIENHSSBzY3Jp cHQgaW4gZGlyZWN0b3J5IExheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRv ci9yZXNvdXJjZXMKKyAgICAgICAgYW5kIFkgaXMgdGhlIFhTUyBwYXlsb2FkLgorCisgICAgICAg ICogaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL2ludGVyY2VwdC8uaHRhY2Nlc3M6IEFk ZGVkLgorICAgICAgICAqIGh0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9yZWZsZWN0aW9u LWluLXBhdGgtZXhwZWN0ZWQudHh0OiBBZGRlZC4KKyAgICAgICAgKiBodHRwL3Rlc3RzL3NlY3Vy aXR5L3hzc0F1ZGl0b3IvcmVmbGVjdGlvbi1pbi1wYXRoLmh0bWw6IEFkZGVkLgorICAgICAgICAq IGh0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9yZXNvdXJjZXMvZWNoby1mb3JtLWFjdGlv bi5wbDogQWRkZWQuCisKIDIwMTYtMDEtMDcgIEFsZXhleSBQcm9za3VyeWFrb3YgIDxhcEBhcHBs ZS5jb20+CiAKICAgICAgICAgQmV0dGVyIHRlc3QgZ2FyZGVuaW5nLiBPbmx5IHNraXAgdGhvc2Ug dGVzdHMgdGhhdCB1c2UgdG91Y2ggZXZlbnRzLCBub3QgdGhlIHdob2xlCmRpZmYgLS1naXQgYS9M YXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3IvaW50ZXJjZXB0Ly5odGFj Y2VzcyBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9pbnRlcmNl cHQvLmh0YWNjZXNzCm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLjg3NzA2MzA3OGQ1NDlhMTA1OTYyOTRjNmEyN2Y4MzUy ZjJmM2I5YzIKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3Vy aXR5L3hzc0F1ZGl0b3IvaW50ZXJjZXB0Ly5odGFjY2VzcwpAQCAtMCwwICsxLDIgQEAKK1Jld3Jp dGVFbmdpbmUgb24KK1Jld3JpdGVSdWxlIF4oLiopLyguKikgL3NlY3VyaXR5L3hzc0F1ZGl0b3Iv cmVzb3VyY2VzLyQxP3E9JDIgW0wsTlNdCmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9odHRwL3Rl c3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3IvcmVmbGVjdGlvbi1pbi1wYXRoLWV4cGVjdGVkLnR4dCBi L0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9yZWZsZWN0aW9uLWlu LXBhdGgtZXhwZWN0ZWQudHh0Cm5ldyBmaWxlIG1vZGUgMTAwNjQ0CmluZGV4IDAwMDAwMDAwMDAw MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLjUwYTk3MzY2ZTMwMGVjMzE4YzU2YWMxYjQy YmE4N2Y5YmI3YTg2YjgKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3Rz L3NlY3VyaXR5L3hzc0F1ZGl0b3IvcmVmbGVjdGlvbi1pbi1wYXRoLWV4cGVjdGVkLnR4dApAQCAt MCwwICsxLDkgQEAKK0NPTlNPTEUgTUVTU0FHRTogbGluZSA1OiBUaGUgWFNTIEF1ZGl0b3IgcmVm dXNlZCB0byBleGVjdXRlIGEgc2NyaXB0IGluICdodHRwOi8vbG9jYWxob3N0OjgwMDAvc2VjdXJp dHkveHNzQXVkaXRvci9pbnRlcmNlcHQvZWNoby1mb3JtLWFjdGlvbi5wbC8lMjIlMjBvbm1vdXNl b3Zlcj0lMjJKYXZhU2NyaXB0OmFsZXJ0KGRvY3VtZW50LmRvbWFpbiklMjIlMjBuYW1lPSUyMj9t PWxvZ2luJyBiZWNhdXNlIGl0cyBzb3VyY2UgY29kZSB3YXMgZm91bmQgd2l0aGluIHRoZSByZXF1 ZXN0LiBUaGUgYXVkaXRvciB3YXMgZW5hYmxlZCBhcyB0aGUgc2VydmVyIHNlbnQgbmVpdGhlciBh biAnWC1YU1MtUHJvdGVjdGlvbicgbm9yICdDb250ZW50LVNlY3VyaXR5LVBvbGljeScgaGVhZGVy LgorCisKKy0tLS0tLS0tCitGcmFtZTogJzwhLS1mcmFtZVBhdGggLy88IS0tZnJhbWUwLS0+LS0+ JworLS0tLS0tLS0KK1RoaXMgaXMgYW4gaWZyYW1lIHdpdGggYSBpbmplY3RlZCBmb3JtCisKKwpk aWZmIC0tZ2l0IGEvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3Jl ZmxlY3Rpb24taW4tcGF0aC5odG1sIGIvTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94 c3NBdWRpdG9yL3JlZmxlY3Rpb24taW4tcGF0aC5odG1sCm5ldyBmaWxlIG1vZGUgMTAwNjQ0Cmlu ZGV4IDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAuLmY4ODgwM2NiYzRi MTc0ZTU0NTQzNDU4YmI5ZmMwMjRhZDQ1OTg3ODkKLS0tIC9kZXYvbnVsbAorKysgYi9MYXlvdXRU ZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3IvcmVmbGVjdGlvbi1pbi1wYXRoLmh0 bWwKQEAgLTAsMCArMSwxNiBAQAorPCFET0NUWVBFIGh0bWw+Cis8aHRtbD4KKzxoZWFkPgorPHNj cmlwdD4KK2lmICh3aW5kb3cudGVzdFJ1bm5lcikgeworICAgIHRlc3RSdW5uZXIuZHVtcEFzVGV4 dCgpOworICAgIHRlc3RSdW5uZXIuZHVtcENoaWxkRnJhbWVzQXNUZXh0KCk7CisgICAgdGVzdFJ1 bm5lci5zZXRYU1NBdWRpdG9yRW5hYmxlZCh0cnVlKTsKKyAgICB0ZXN0UnVubmVyLndhaXRVbnRp bERvbmUoKTsKK30KKzwvc2NyaXB0PgorPC9oZWFkPgorPGJvZHk+Cis8aWZyYW1lIHNyYz0iaHR0 cDovL2xvY2FsaG9zdDo4MDAwL3NlY3VyaXR5L3hzc0F1ZGl0b3IvaW50ZXJjZXB0L2VjaG8tZm9y bS1hY3Rpb24ucGwvJTIyJTIwb25tb3VzZW92ZXI9JTIySmF2YVNjcmlwdDphbGVydChkb2N1bWVu dC5kb21haW4pJTIyJTIwbmFtZT0lMjI/bT1sb2dpbiI+PC9pZnJhbWU+Cis8L2JvZHk+Cis8L2h0 bWw+CmRpZmYgLS1naXQgYS9MYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0 b3IvcmVzb3VyY2VzL2VjaG8tZm9ybS1hY3Rpb24ucGwgYi9MYXlvdXRUZXN0cy9odHRwL3Rlc3Rz L3NlY3VyaXR5L3hzc0F1ZGl0b3IvcmVzb3VyY2VzL2VjaG8tZm9ybS1hY3Rpb24ucGwKbmV3IGZp bGUgbW9kZSAxMDA3NTUKaW5kZXggMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw MDAwMC4uY2UyYThmZWQyMzEwOGI3ZTc3YjBjNTcyNmI4ZDgzNTdjZTQ5YjQ1OQotLS0gL2Rldi9u dWxsCisrKyBiL0xheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9yZXNv dXJjZXMvZWNoby1mb3JtLWFjdGlvbi5wbApAQCAtMCwwICsxLDE2IEBACisjIS91c3IvYmluL3Bl cmwgLXdUCit1c2Ugc3RyaWN0OwordXNlIENHSTsKKworbXkgJGNnaSA9IG5ldyBDR0k7CisKK3By aW50ICJDb250ZW50LVR5cGU6IHRleHQvaHRtbDsgY2hhcnNldD1VVEYtOFxuXG4iOworCitwcmlu dCAiPCFET0NUWVBFIGh0bWw+XG4iOworcHJpbnQgIjxodG1sPlxuIjsKK3ByaW50ICI8Ym9keT5c biI7CitwcmludCAiPHA+VGhpcyBpcyBhbiBpZnJhbWUgd2l0aCBhIGluamVjdGVkIGZvcm08L3A+ XG4iOworcHJpbnQgIjxmb3JtIG1ldGhvZD1cInBvc3RcIiBpZD1cImxvZ2luXCIgYWN0aW9uPVwi Ii4kY2dpLT5wYXJhbSgncScpLiJcIj48L2Zvcm0+XG4iOworcHJpbnQgIjxzY3JpcHQ+aWYgKHdp bmRvdy50ZXN0UnVubmVyKSB0ZXN0UnVubmVyLm5vdGlmeURvbmUoKTs8L3NjcmlwdD5cbiI7Citw cmludCAiPC9ib2R5PlxuIjsKK3ByaW50ICI8L2h0bWw+XG4iOwo=