Bug 29306

Summary: [XSSAuditor] Scripts with accented characters can bypass the XSSAuditor
Product: WebKit Reporter: Daniel Bates <dbates>
Component: WebCore Misc.Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, mario.heiderich, sam
Priority: P2 Keywords: XSSAuditor
Version: 528+ (Nightly build)   
Hardware: All   
OS: All   
URL: http://eaea.sirdarckcat.net/xss.php?html_xss=<img%20src=ä%20onerror=alert('ä')>
Bug Depends on:    
Bug Blocks: 29278    
Attachments: Patch with test case (flags: none)

Daniel Bates
Reported 2009-09-16 12:27:17 PDT
XSSAuditor::decodeURL used the wrong length for the input string. When the input string was decoded, the decoded result was truncated. Hence, XSSAuditor was comparing the source code of the script to the truncated input parameters.
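Added example, not WebKit's code or the patch attached to this bug: a Python model of the decoder stage that feeds the auditor's comparison, once with the length mix-up the report describes (assumed here to be a character count passed where the byte length of the UTF-8 buffer was needed) and once corrected, run over the payload from this bug's URL.

```python
"""Model of the XSSAuditor::decodeURL truncation (bug 29306).

Constructed example: it is not WebKit's implementation. The "wrong length" is
assumed to be the character count of the decoded text used as the byte length
of its UTF-8 buffer; for ASCII the two agree, so the defect only shows up with
non-ASCII input such as the accented characters in the report.
"""
from urllib.parse import unquote_to_bytes


def _percent_decode(param: str) -> str:
    """First stage: '+' to space, then percent-escapes, read as UTF-8 text."""
    return unquote_to_bytes(param.replace('+', ' ')).decode('utf-8', 'replace')


def decode_url_buggy(param: str) -> str:
    """Second stage with the defect: the UTF-8 buffer is consumed using the
    *character* count as its length, so every non-ASCII character drops one
    byte (or more) from the tail of the decoded result."""
    text = _percent_decode(param)
    utf8 = text.encode('utf-8')
    wrong_length = len(text)            # characters, not bytes
    return utf8[:wrong_length].decode('utf-8', 'ignore')


def decode_url_fixed(param: str) -> str:
    """Same stage with the actual byte length of the buffer."""
    text = _percent_decode(param)
    utf8 = text.encode('utf-8')
    right_length = len(utf8)            # bytes
    return utf8[:right_length].decode('utf-8', 'ignore')


def auditor_blocks(script_source: str, param: str, decoder) -> bool:
    """Auditor comparison as the report describes it: the inline script is
    blocked when its full source is found in the decoded request parameter."""
    return script_source in decoder(param)


# Constructed request: the html_xss parameter from the bug's URL as a browser
# would send it, percent-encoded UTF-8 ('ä' -> %C3%A4).
PARAM = "%3Cimg%20src%3D%C3%A4%20onerror%3Dalert('%C3%A4')%3E"
SCRIPT = "alert('ä')"   # handler source the auditor extracts from the page

if __name__ == "__main__":
    for name, dec in (("buggy", decode_url_buggy), ("fixed", decode_url_fixed)):
        print(f"{name}: decoded={dec(PARAM)!r} "
              f"blocks={auditor_blocks(SCRIPT, PARAM, dec)}")
```

With the buggy decoder the two-byte `ä` characters cost the result its closing `)>`, so the handler source is no longer a substring and the script is not blocked; an all-ASCII payload decodes identically under both and is blocked either way.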
Attachments
Patch with test case (3.51 KB, patch)
2009-09-16 12:29 PDT, Daniel Bates
no flags
Daniel Bates
Comment 1 2009-09-16 12:29:23 PDT
Created attachment 39656 [details] Patch with test case
Adam Barth
Comment 2 2009-09-16 22:44:04 PDT
Comment on attachment 39656 [details] Patch with test case I know Dan would want to land this himself, but I'd like this to get into the nightly build so we can close the loop with the sla.ckers.org folks.
Adam Barth
Comment 3 2009-09-16 23:42:43 PDT
Comment on attachment 39656 [details] Patch with test case Rejecting patch 39656 from commit-queue. This patch will require manual commit. ['WebKitTools/Scripts/run-webkit-tests'] failed with exit code 1
Adam Barth
Comment 4 2009-09-16 23:45:30 PDT
Comment on attachment 39656 [details] Patch with test case Clearing flags on attachment: 39656 Committed r48458: <http://trac.webkit.org/changeset/48458>
Adam Barth
Comment 5 2009-09-16 23:45:38 PDT
All reviewed patches have been landed. Closing bug.