28767 2009-08-27 00:34:13 -0700 KURLGoogle's decodeURLEscapeSequences should unescape %00 for compat with KURL.cpp 2009-08-27 07:54:21 -0700 1 1 1 Unclassified WebKit Platform 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 1 fishd fishd abarth brettw eric oldest_to_newest 143078 0 fishd 2009-08-27 00:34:13 -0700 KURLGoogle's decodeURLEscapeSequences should unescape %00 for compat with KURL.cpp WebCore--the XSSAuditor in particular--expects that decodeURLEscapeSequences will unescape all escape sequences. Note: https://bugs.webkit.org/show_bug.cgi?id=20559 highlights the risk involved with decoded %00, and those concerns are definitely valid. I took a look at all of the callsites, and I believe we should be OK. (Famous last words...) 143080 1 38660 fishd 2009-08-27 00:41:50 -0700 Created attachment 38660 v1 patch - allow %00 unescaping 143109 2 38660 dglazkov 2009-08-27 07:43:44 -0700 Comment on attachment 38660 v1 patch - allow %00 unescaping r=me. 143111 3 38660 eric 2009-08-27 07:54:13 -0700 Comment on attachment 38660 v1 patch - allow %00 unescaping Clearing flags on attachment: 38660 Committed r47819: <http://trac.webkit.org/changeset/47819> 143112 4 eric 2009-08-27 07:54:21 -0700 All reviewed patches have been landed. Closing bug. 38660 2009-08-27 00:41:50 -0700 2009-08-27 07:54:12 -0700 v1 patch - allow %00 unescaping kurl_1.txt text/plain 2553 fishd SW5kZXg6IFdlYkNvcmUvQ2hhbmdlTG9nDQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09DQotLS0gV2ViQ29yZS9DaGFuZ2VM b2cJKHJldmlzaW9uIDQ3ODExKQorKysgV2ViQ29yZS9DaGFuZ2VMb2cJKHdvcmtpbmcgY29weSkK QEAgLTEsMyArMSwxNSBAQAorMjAwOS0wOC0yNyAgRGFyaW4gRmlzaGVyICA8ZGFyaW5AY2hyb21p dW0ub3JnPgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgorCisgICAgICAg IGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3dfYnVnLmNnaT9pZD0yODc2NworCisgICAgICAg IE1ha2UgS1VSTEdvb2dsZS5jcHAncyBkZWNvZGVVUkxFc2NhcGVTZXF1ZW5jZXMgZGVjb2RlICUw MCB0byBtYXRjaAorICAgICAgICBLVVJMLmNwcC4gIFRoaXMgbWFrZXMgdGhlIFhTU0F1ZGl0b3Ig dGVzdHMgcGFzcyB3aGVuIHVzaW5nIEtVUkxHb29nbGUuCisKKyAgICAgICAgKiBwbGF0Zm9ybS9L VVJMR29vZ2xlLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OmRlY29kZVVSTEVzY2FwZVNlcXVlbmNl cyk6CisKIDIwMDktMDgtMjYgIER1bWl0cnUgRGFuaWxpdWMgIDxkdW1pQGNocm9taXVtLm9yZz4K IAogICAgICAgICBSZXZpZXdlZCBieSBBZGFtIEJhcnRoLgpJbmRleDogV2ViQ29yZS9wbGF0Zm9y bS9LVVJMR29vZ2xlLmNwcA0KPT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PQ0KLS0tIFdlYkNvcmUvcGxhdGZvcm0vS1VSTEdv b2dsZS5jcHAJKHJldmlzaW9uIDQ3ODEwKQorKysgV2ViQ29yZS9wbGF0Zm9ybS9LVVJMR29vZ2xl LmNwcAkod29ya2luZyBjb3B5KQpAQCAtNzI4LDEzICs3MjgsOCBAQCBTdHJpbmcgZGVjb2RlVVJM RXNjYXBlU2VxdWVuY2VzKGNvbnN0IFN0CiAvLyBjYXVzZSBzZWN1cml0eSBob2xlcy4gV2UgbmV2 ZXIgY2FsbCB0aGlzIGZ1bmN0aW9uIGZvciBjb21wb25lbnRzLCBhbmQKIC8vIGp1c3QgcmV0dXJu IHRoZSBBU0NJSSB2ZXJzaW9ucyBpbnN0ZWFkLgogLy8KLS8vIEhvd2V2ZXIsIHRoaXMgc3RhdGlj IGZ1bmN0aW9uIGlzIGNhbGxlZCBkaXJlY3RseSBpbiBzb21lIGNhc2VzLiBJdCBhcHBlYXJzCi0v LyB0aGF0IHRoaXMgb25seSBoYXBwZW5zIGZvciBqYXZhc2NyaXB0OiBVUkxzLCBzbyB0aGlzIGlz IGVzc2VudGlhbGx5IHRoZQotLy8gSmF2YVNjcmlwdCBVUkwgZGVjb2Rlci4gSXQgYXNzdW1lcyBV VEYtOCBlbmNvZGluZy4KLS8vCi0vLyBJRSBkb2Vzbid0IHVuZXNjYXBlICUwMCwgZm9yY2luZyB5 b3UgdG8gdXNlIFx4MDAgaW4gSlMgc3RyaW5ncywgc28gd2UgZG8KLS8vIHRoZSBzYW1lLiBUaGlz IGFsc28gZWxpbWluYXRlcyBOVUxMLXJlbGF0ZWQgcHJvYmxlbXMgc2hvdWxkIGEgY29uc3VtZXIK LS8vIGluY29ycmVjdGx5IGNhbGwgdGhpcyBmdW5jdGlvbiBmb3Igbm9uLUphdmFTY3JpcHQuCisv LyBUaGlzIGZ1bmN0aW9uIGlzIGFsc28gdXNlZCB0byBkZWNvZGUgamF2YXNjcmlwdDogVVJMcyBh bmQgYXMgYSBnZW5lcmFsCisvLyBwdXJwb3NlIHVuZXNjYXBpbmcgZnVuY3Rpb24uCiAvLwogLy8g RklYTUUgVGhlc2Ugc2hvdWxkIGJlIG1lcmdlZCB0byB0aGUgS1VSTC5jcHAgaW1wbGVtZW50YXRp b24uCiBTdHJpbmcgZGVjb2RlVVJMRXNjYXBlU2VxdWVuY2VzKGNvbnN0IFN0cmluZyYgc3RyLCBj b25zdCBUZXh0RW5jb2RpbmcmIGVuY29kaW5nKQpAQCAtNzU3LDE1ICs3NTIsOSBAQCBTdHJpbmcg ZGVjb2RlVVJMRXNjYXBlU2VxdWVuY2VzKGNvbnN0IFN0CiAgICAgZm9yIChpbnQgaSA9IDA7IGkg PCBpbnB1dExlbmd0aDsgaSsrKSB7CiAgICAgICAgIGlmIChpbnB1dFtpXSA9PSAnJScpIHsKICAg ICAgICAgICAgIHVuc2lnbmVkIGNoYXIgY2g7Ci0gICAgICAgICAgICBpZiAodXJsX2Nhbm9uOjpE ZWNvZGVFc2NhcGVkKGlucHV0LCAmaSwgaW5wdXRMZW5ndGgsICZjaCkpIHsKLSAgICAgICAgICAg ICAgICBpZiAoIWNoKSB7Ci0gICAgICAgICAgICAgICAgICAgIC8vIE5ldmVyIHVuZXNjYXBlIE5V TExzLgotICAgICAgICAgICAgICAgICAgICB1bmVzY2FwZWQucHVzaF9iYWNrKCclJyk7Ci0gICAg ICAgICAgICAgICAgICAgIHVuZXNjYXBlZC5wdXNoX2JhY2soJzAnKTsKLSAgICAgICAgICAgICAg ICAgICAgdW5lc2NhcGVkLnB1c2hfYmFjaygnMCcpOwotICAgICAgICAgICAgICAgIH0gZWxzZQot ICAgICAgICAgICAgICAgICAgICB1bmVzY2FwZWQucHVzaF9iYWNrKGNoKTsKLSAgICAgICAgICAg IH0gZWxzZSB7CisgICAgICAgICAgICBpZiAodXJsX2Nhbm9uOjpEZWNvZGVFc2NhcGVkKGlucHV0 LCAmaSwgaW5wdXRMZW5ndGgsICZjaCkpCisgICAgICAgICAgICAgICAgdW5lc2NhcGVkLnB1c2hf YmFjayhjaCk7CisgICAgICAgICAgICBlbHNlIHsKICAgICAgICAgICAgICAgICAvLyBJbnZhbGlk IGVzY2FwZSBzZXF1ZW5jZSwgY29weSB0aGUgcGVyY2VudCBsaXRlcmFsLgogICAgICAgICAgICAg ICAgIHVuZXNjYXBlZC5wdXNoX2JhY2soJyUnKTsKICAgICAgICAgICAgIH0K