26899 2009-07-01 13:21:57 -0700 XSSAuditor shouldn't strip control characters 2009-07-01 18:36:18 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) All All RESOLVED FIXED https://xenon.stanford.edu/~collinj/test/ie8xss/xsstest.php?q=<script>alert(/XSS/)//h%01</script> P2 Normal --- 1 abarth webkit-unassigned dbates sam oldest_to_newest 129347 0 abarth 2009-07-01 13:21:57 -0700 Test case: https://xenon.stanford.edu/~collinj/test/ie8xss/xsstest.php?q=<script>alert(/XSS/)//h%01</script> 129428 1 32165 dbates 2009-07-01 17:35:09 -0700 Created attachment 32165 Patch with test Upon further investigation, we need to remove null characters, since the HTMLTokenizer does in processing scripts (i.e. the contents of <script>al\0ert(1)</script> becomes alert(1) by the time it is passed to XSSAuditor). Let me know if this change is better addressed in a separate bug. 129438 2 32165 abarth 2009-07-01 18:26:33 -0700 Comment on attachment 32165 Patch with test Great patch. Thanks. 129440 3 abarth 2009-07-01 18:36:18 -0700 Sending LayoutTests/ChangeLog Adding LayoutTests/http/tests/security/xssAuditor/script-tag-control-char-expected.txt Adding LayoutTests/http/tests/security/xssAuditor/script-tag-control-char.html Adding LayoutTests/http/tests/security/xssAuditor/script-tag-null-char-expected.txt Adding LayoutTests/http/tests/security/xssAuditor/script-tag-null-char.html Sending WebCore/ChangeLog Sending WebCore/page/XSSAuditor.cpp Sending WebCore/page/XSSAuditor.h Sending WebCore/platform/network/ResourceResponseBase.cpp Sending WebCore/platform/network/ResourceResponseBase.h Transmitting file data .......... Committed revision 45461. 32165 2009-07-01 17:35:09 -0700 2009-07-01 18:26:33 -0700 Patch with test Bug26899.patch text/plain 7329 dbates SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvQ2hhbmdlTG9n CShyZXZpc2lvbiA0NTQ1NikKKysrIFdlYkNvcmUvQ2hhbmdlTG9nCSh3b3JraW5nIGNvcHkpCkBA IC0xLDMgKzEsMjQgQEAKKzIwMDktMDctMDEgIERhbmllbCBCYXRlcyAgPGRiYXRlc0BpbnR1ZGF0 YS5jb20+CisKKyAgICAgICAgUmV2aWV3ZWQgYnkgTk9CT0RZIChPT1BTISkuCisgICAgICAgIAor ICAgICAgICBodHRwczovL2J1Z3Mud2Via2l0Lm9yZy9zaG93X2J1Zy5jZ2k/aWQ9MjY4OTkKKyAg ICAgICAgCisgICAgICAgIE1vZGlmaWVkIFhTU0F1ZGl0b3I6OmRlY29kZVVSTCB0byBvbmx5IHJl bW92ZSBudWxsIGNoYXJhY3RlcnMgc28gdGhhdCAKKyAgICAgICAgaXQgaXMgY29uc2lzdGVudCB3 aXRoIHRoZSBiZWhhdmlvciBvZiBIVE1MVG9rZW5pemVyIGFuZCBwcmV2ZW50cyAKKyAgICAgICAg aW5qZWN0ZWQgc2NyaXB0cyB0aGF0IGNvbnRhaW4gY29udHJvbCBjaGFyYWN0ZXJzLiAKKworICAg ICAgICBUZXN0czogaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10YWctY29u dHJvbC1jaGFyLmh0bWwKKyAgICAgICAgICAgICAgIGh0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVk aXRvci9zY3JpcHQtdGFnLW51bGwtY2hhci5odG1sCisKKyAgICAgICAgKiBwYWdlL1hTU0F1ZGl0 b3IuY3BwOgorICAgICAgICAoV2ViQ29yZTo6WFNTQXVkaXRvcjo6ZGVjb2RlVVJMKTogTW9kaWZp ZWQgdG8gb25seSByZW1vdmUgbnVsbCBjaGFyYWN0ZXJzLiAKKyAgICAgICAgKiBwYWdlL1hTU0F1 ZGl0b3IuaDogUmV2ZXJ0ZWQgbmFtaW5nIG9mIHRoaXJkIGFyZ3VtZW50IG9mIG1ldGhvZCBYU1NB dWRpdG9yOjpkZWNvZGVVUkwKKyAgICAgICAgZnJvbSBhbGxvd0NvbnRyb2xDaGFyYWN0ZXJzIGJh Y2sgdG8gYWxsb3dOdWxsQ2hhcmFjdGVycy4KKyAgICAgICAgKiBwbGF0Zm9ybS9uZXR3b3JrL1Jl c291cmNlUmVzcG9uc2VCYXNlLmNwcDogUmV2ZXJ0ZWQgYmFjayB0byByZXYgIzQ1MDAzLgorICAg ICAgICAoV2ViQ29yZTo6aXNDb250cm9sQ2hhcmFjdGVyKToKKyAgICAgICAgKiBwbGF0Zm9ybS9u ZXR3b3JrL1Jlc291cmNlUmVzcG9uc2VCYXNlLmg6IFJldmVydGVkIGJhY2sgdG8gcmV2ICM0NTAw My4gIAorCiAyMDA5LTA3LTAxICBDaHJpcyBGbGVpemFjaCAgPGNmbGVpemFjaEBhcHBsZS5jb20+ CiAKICAgICAgICAgUmV2aWV3ZWQgYnkgT2xpdmVyIEh1bnQuCkluZGV4OiBXZWJDb3JlL3BhZ2Uv WFNTQXVkaXRvci5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gV2ViQ29yZS9wYWdlL1hTU0F1ZGl0b3IuY3Bw CShyZXZpc2lvbiA0NTQ0NSkKKysrIFdlYkNvcmUvcGFnZS9YU1NBdWRpdG9yLmNwcAkod29ya2lu ZyBjb3B5KQpAQCAtNDMsNyArNDMsNyBAQAogdXNpbmcgbmFtZXNwYWNlIFdURjsKIAogbmFtZXNw YWNlIFdlYkNvcmUgewotCisgICAgCiBYU1NBdWRpdG9yOjpYU1NBdWRpdG9yKEZyYW1lKiBmcmFt ZSkKICAgICA6IG1fZnJhbWUoZnJhbWUpCiB7CkBAIC0xMDYsMTggKzEwNiwxOCBAQCBib29sIFhT U0F1ZGl0b3I6OmNhbkxvYWRPYmplY3QoY29uc3QgU3RyCiAgICAgcmV0dXJuIHRydWU7CiB9CiAK LVN0cmluZyBYU1NBdWRpdG9yOjpkZWNvZGVVUkwoY29uc3QgU3RyaW5nJiBzdHIsIGNvbnN0IFRl eHRFbmNvZGluZyYgZW5jb2RpbmcsIGJvb2wgYWxsb3dDb250cm9sQ2hhcmFjdGVycykKK1N0cmlu ZyBYU1NBdWRpdG9yOjpkZWNvZGVVUkwoY29uc3QgU3RyaW5nJiBzdHIsIGNvbnN0IFRleHRFbmNv ZGluZyYgZW5jb2RpbmcsIGJvb2wgYWxsb3dOdWxsQ2hhcmFjdGVycykKIHsKICAgICBTdHJpbmcg cmVzdWx0OwogICAgIFN0cmluZyB1cmwgPSBzdHI7CiAKICAgICB1cmwucmVwbGFjZSgnKycsICcg Jyk7CiAgICAgcmVzdWx0ID0gZGVjb2RlVVJMRXNjYXBlU2VxdWVuY2VzKHVybCk7Ci0gICAgaWYg KCFhbGxvd0NvbnRyb2xDaGFyYWN0ZXJzKQotICAgICAgICByZXN1bHQucmVtb3ZlQ2hhcmFjdGVy cygmaXNDb250cm9sQ2hhcmFjdGVyKTsKLSAgICByZXN1bHQgPSBlbmNvZGluZy5kZWNvZGUocmVz dWx0LnV0ZjgoKS5kYXRhKCksIHJlc3VsdC5sZW5ndGgoKSk7Ci0gICAgaWYgKCFhbGxvd0NvbnRy b2xDaGFyYWN0ZXJzKQotICAgICAgICByZXN1bHQucmVtb3ZlQ2hhcmFjdGVycygmaXNDb250cm9s Q2hhcmFjdGVyKTsKKyAgICBTdHJpbmcgZGVjb2RlZFJlc3VsdCA9IGVuY29kaW5nLmRlY29kZShy ZXN1bHQudXRmOCgpLmRhdGEoKSwgcmVzdWx0Lmxlbmd0aCgpKTsKKyAgICBpZiAoIWRlY29kZWRS ZXN1bHQuaXNFbXB0eSgpKQorICAgICAgICByZXN1bHQgPSBkZWNvZGVkUmVzdWx0OworICAgIGlm ICghYWxsb3dOdWxsQ2hhcmFjdGVycykKKyAgICAgICAgcmVzdWx0ID0gU3RyaW5nSW1wbDo6Y3Jl YXRlU3RyaXBwaW5nTnVsbENoYXJhY3RlcnMocmVzdWx0LmNoYXJhY3RlcnMoKSwgcmVzdWx0Lmxl bmd0aCgpKTsKICAgICByZXR1cm4gcmVzdWx0OwogfQogCkluZGV4OiBXZWJDb3JlL3BhZ2UvWFNT QXVkaXRvci5oCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT0KLS0tIFdlYkNvcmUvcGFnZS9YU1NBdWRpdG9yLmgJKHJldmlz aW9uIDQ1MzQyKQorKysgV2ViQ29yZS9wYWdlL1hTU0F1ZGl0b3IuaAkod29ya2luZyBjb3B5KQpA QCAtODksNyArODksNyBAQCBuYW1lc3BhY2UgV2ViQ29yZSB7CiAgICAgICAgIGJvb2wgY2FuTG9h ZE9iamVjdChjb25zdCBTdHJpbmcmIHVybCkgY29uc3Q7CiAKICAgICBwcml2YXRlOgotICAgICAg ICBzdGF0aWMgU3RyaW5nIGRlY29kZVVSTChjb25zdCBTdHJpbmcmIHVybCwgY29uc3QgVGV4dEVu Y29kaW5nJiBlbmNvZGluZyA9IFVURjhFbmNvZGluZygpLCBib29sIGFsbG93Q29udHJvbENoYXJh Y3RlcnMgPSBmYWxzZSk7CisgICAgICAgIHN0YXRpYyBTdHJpbmcgZGVjb2RlVVJMKGNvbnN0IFN0 cmluZyYgdXJsLCBjb25zdCBUZXh0RW5jb2RpbmcmIGVuY29kaW5nID0gVVRGOEVuY29kaW5nKCks IGJvb2wgYWxsb3dOdWxsQ2hhcmFjdGVycyA9IGZhbHNlKTsKIAogICAgICAgICBib29sIGZpbmRJ blJlcXVlc3QoY29uc3QgU3RyaW5nJikgY29uc3Q7CiAKSW5kZXg6IFdlYkNvcmUvcGxhdGZvcm0v bmV0d29yay9SZXNvdXJjZVJlc3BvbnNlQmFzZS5jcHAKPT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gV2ViQ29yZS9w bGF0Zm9ybS9uZXR3b3JrL1Jlc291cmNlUmVzcG9uc2VCYXNlLmNwcAkocmV2aXNpb24gNDUzNDIp CisrKyBXZWJDb3JlL3BsYXRmb3JtL25ldHdvcmsvUmVzb3VyY2VSZXNwb25zZUJhc2UuY3BwCSh3 b3JraW5nIGNvcHkpCkBAIC01MDIsNyArNTAyLDcgQEAgc3RhdGljIGJvb2wgaXNDYWNoZUhlYWRl clNlcGFyYXRvcihVQ2hhcgogICAgIH0KIH0KIAotYm9vbCBpc0NvbnRyb2xDaGFyYWN0ZXIoVUNo YXIgYykKK3N0YXRpYyBib29sIGlzQ29udHJvbENoYXJhY3RlcihVQ2hhciBjKQogewogICAgIHJl dHVybiBjIDwgJyAnIHx8IGMgPT0gMTI3OwogfQpJbmRleDogV2ViQ29yZS9wbGF0Zm9ybS9uZXR3 b3JrL1Jlc291cmNlUmVzcG9uc2VCYXNlLmgKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gV2ViQ29yZS9wbGF0Zm9y bS9uZXR3b3JrL1Jlc291cmNlUmVzcG9uc2VCYXNlLmgJKHJldmlzaW9uIDQ1MzQyKQorKysgV2Vi Q29yZS9wbGF0Zm9ybS9uZXR3b3JrL1Jlc291cmNlUmVzcG9uc2VCYXNlLmgJKHdvcmtpbmcgY29w eSkKQEAgLTE2Miw4ICsxNjIsNiBAQCBzdHJ1Y3QgQ3Jvc3NUaHJlYWRSZXNvdXJjZVJlc3BvbnNl RGF0YSB7CiAgICAgdGltZV90IG1fbGFzdE1vZGlmaWVkRGF0ZTsKIH07CiAKLWJvb2wgaXNDb250 cm9sQ2hhcmFjdGVyKFVDaGFyIGMpOwotICAgIAogfSAvLyBuYW1lc3BhY2UgV2ViQ29yZQogCiAj ZW5kaWYgLy8gUmVzb3VyY2VSZXNwb25zZUJhc2VfaApJbmRleDogTGF5b3V0VGVzdHMvQ2hhbmdl TG9nCj09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT0KLS0tIExheW91dFRlc3RzL0NoYW5nZUxvZwkocmV2aXNpb24gNDU0NTYp CisrKyBMYXlvdXRUZXN0cy9DaGFuZ2VMb2cJKHdvcmtpbmcgY29weSkKQEAgLTEsMyArMSwxNiBA QAorMjAwOS0wNy0wMSAgRGFuaWVsIEJhdGVzICA8ZGJhdGVzQGludHVkYXRhLmNvbT4KKworICAg ICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4KKyAgICAgICAgCisgICAgICAgIGh0dHBz Oi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yNjg5OQorICAgICAgICAKKyAgICAg ICAgVGVzdHMgdGhhdCBYU1NBdWRpdG9yIHByZXZlbnRzIGluamVjdGVkIHNjcmlwdHMgdGhhdCBj b250YWluIGNvbnRyb2wgY2hhcmFjdGVycy4KKworICAgICAgICAqIGh0dHAvdGVzdHMvc2VjdXJp dHkveHNzQXVkaXRvci9zY3JpcHQtdGFnLWNvbnRyb2wtY2hhci1leHBlY3RlZC50eHQ6IEFkZGVk LgorICAgICAgICAqIGh0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9zY3JpcHQtdGFnLWNv bnRyb2wtY2hhci5odG1sOiBBZGRlZC4KKyAgICAgICAgKiBodHRwL3Rlc3RzL3NlY3VyaXR5L3hz c0F1ZGl0b3Ivc2NyaXB0LXRhZy1udWxsLWNoYXItZXhwZWN0ZWQudHh0OiBBZGRlZC4KKyAgICAg ICAgKiBodHRwL3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3Ivc2NyaXB0LXRhZy1udWxsLWNoYXIu aHRtbDogQWRkZWQuCisKIDIwMDktMDctMDEgIENocmlzIEZsZWl6YWNoICA8Y2ZsZWl6YWNoQGFw cGxlLmNvbT4KIAogICAgICAgICBSZXZpZXdlZCBieSBPbGl2ZXIgSHVudC4KSW5kZXg6IExheW91 dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9zY3JpcHQtdGFnLWNvbnRyb2wt Y2hhci1leHBlY3RlZC50eHQKPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9z ZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10YWctY29udHJvbC1jaGFyLWV4cGVjdGVkLnR4dAko cmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRv ci9zY3JpcHQtdGFnLWNvbnRyb2wtY2hhci1leHBlY3RlZC50eHQJKHJldmlzaW9uIDApCkBAIC0w LDAgKzEsMyBAQAorQ09OU09MRSBNRVNTQUdFOiBsaW5lIDE6IFJlZnVzZWQgdG8gZXhlY3V0ZSBh IEphdmFTY3JpcHQgc2NyaXB0LiBTb3VyY2UgY29kZSBvZiBzY3JpcHQgZm91bmQgd2l0aGluIHJl cXVlc3QuCisKKwpJbmRleDogTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRp dG9yL3NjcmlwdC10YWctY29udHJvbC1jaGFyLmh0bWwKPT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PQotLS0gTGF5b3V0VGVz dHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10YWctY29udHJvbC1jaGFy Lmh0bWwJKHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9odHRwL3Rlc3RzL3NlY3VyaXR5L3hz c0F1ZGl0b3Ivc2NyaXB0LXRhZy1jb250cm9sLWNoYXIuaHRtbAkocmV2aXNpb24gMCkKQEAgLTAs MCArMSwxNSBAQAorPCFET0NUWVBFIGh0bWw+Cis8aHRtbD4KKzxoZWFkPgorPHNjcmlwdD4KK2lm ICh3aW5kb3cubGF5b3V0VGVzdENvbnRyb2xsZXIpIHsKKyAgbGF5b3V0VGVzdENvbnRyb2xsZXIu ZHVtcEFzVGV4dCgpOworICBsYXlvdXRUZXN0Q29udHJvbGxlci5zZXRYU1NBdWRpdG9yRW5hYmxl ZCh0cnVlKTsKK30KKzwvc2NyaXB0PgorPC9oZWFkPgorPGJvZHk+Cis8aWZyYW1lIHNyYz0iaHR0 cDovL2xvY2FsaG9zdDo4MDAwL3NlY3VyaXR5L3hzc0F1ZGl0b3IvcmVzb3VyY2VzL2VjaG8taW50 ZXJ0YWcucGw/cT08c2NyaXB0PmFsZXJ0KC9YU1MvKS8vaCUwMTwvc2NyaXB0PiI+Cis8L2lmcmFt ZT4KKzwvYm9keT4KKzwvaHRtbD4KSW5kZXg6IExheW91dFRlc3RzL2h0dHAvdGVzdHMvc2VjdXJp dHkveHNzQXVkaXRvci9zY3JpcHQtdGFnLW51bGwtY2hhci1leHBlY3RlZC50eHQKPT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PQotLS0gTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10 YWctbnVsbC1jaGFyLWV4cGVjdGVkLnR4dAkocmV2aXNpb24gMCkKKysrIExheW91dFRlc3RzL2h0 dHAvdGVzdHMvc2VjdXJpdHkveHNzQXVkaXRvci9zY3JpcHQtdGFnLW51bGwtY2hhci1leHBlY3Rl ZC50eHQJKHJldmlzaW9uIDApCkBAIC0wLDAgKzEsMyBAQAorQ09OU09MRSBNRVNTQUdFOiBsaW5l IDE6IFJlZnVzZWQgdG8gZXhlY3V0ZSBhIEphdmFTY3JpcHQgc2NyaXB0LiBTb3VyY2UgY29kZSBv ZiBzY3JpcHQgZm91bmQgd2l0aGluIHJlcXVlc3QuCisKKwpJbmRleDogTGF5b3V0VGVzdHMvaHR0 cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3NjcmlwdC10YWctbnVsbC1jaGFyLmh0bWwKPT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PQotLS0gTGF5b3V0VGVzdHMvaHR0cC90ZXN0cy9zZWN1cml0eS94c3NBdWRpdG9yL3Nj cmlwdC10YWctbnVsbC1jaGFyLmh0bWwJKHJldmlzaW9uIDApCisrKyBMYXlvdXRUZXN0cy9odHRw L3Rlc3RzL3NlY3VyaXR5L3hzc0F1ZGl0b3Ivc2NyaXB0LXRhZy1udWxsLWNoYXIuaHRtbAkocmV2 aXNpb24gMCkKQEAgLTAsMCArMSwxNSBAQAorPCFET0NUWVBFIGh0bWw+Cis8aHRtbD4KKzxoZWFk PgorPHNjcmlwdD4KK2lmICh3aW5kb3cubGF5b3V0VGVzdENvbnRyb2xsZXIpIHsKKyAgbGF5b3V0 VGVzdENvbnRyb2xsZXIuZHVtcEFzVGV4dCgpOworICBsYXlvdXRUZXN0Q29udHJvbGxlci5zZXRY U1NBdWRpdG9yRW5hYmxlZCh0cnVlKTsKK30KKzwvc2NyaXB0PgorPC9oZWFkPgorPGJvZHk+Cis8 aWZyYW1lIHNyYz0iaHR0cDovL2xvY2FsaG9zdDo4MDAwL3NlY3VyaXR5L3hzc0F1ZGl0b3IvcmVz b3VyY2VzL2VjaG8taW50ZXJ0YWcucGw/cT08c2NyaXB0PmFsJTAwZXJ0KC9YU1MvKTwvc2NyaXB0 PiI+Cis8L2lmcmFtZT4KKzwvYm9keT4KKzwvaHRtbD4K