Bug 88002

Summary: XSSAuditor bypass with leading /*///*/ comment
Product: WebKit
Reporter: Thomas Sepez <tsepez>
Component: WebCore Misc.
Assignee: Thomas Sepez <tsepez>
Status: RESOLVED FIXED
Severity: Normal
CC: abarth, dbates, webkit.review.bot
Priority: P2
Keywords: InRadar, XSSAuditor
Version: 528+ (Nightly build)
Hardware: Unspecified
OS: Unspecified

Thomas Sepez
Reported 2012-05-31 12:12:07 PDT
Originally reported by k3170makan at http://code.google.com/p/chromium/issues/detail?id=130594

query string: ?name=%3Cscript%3E/*///*/alert(1);%3C/script%3E
reflected vector: <script>/*///*/alert(1);</script>

Attachments
- patch/test (3.52 KB, patch), 2012-05-31 13:24 PDT, Thomas Sepez, no flags
- patch/test/fix indent (3.54 KB, patch), 2012-05-31 13:28 PDT, Thomas Sepez, no flags
Thomas Sepez
Comment 1 2012-05-31 12:13:42 PDT
Off by two. The block:

    else if (startsMultiLineCommentAt(string, startPosition)) {
        if ((foundPosition = string.find("*/", startPosition)) != notFound)
            startPosition = foundPosition + 2;

is matching /*/ as a complete comment, which it's not. Then when we look at the next characters, we see // which we interpret as a single line comment -- but the JS parser doesn't.
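The following is an added illustration, not code from the WebKit tree: a small Python model of the comment-skipping loop quoted in Comment 1, parameterised by where the search for "*/" begins. Searching from the "/" of "/*" (offset 0) reproduces the defect; searching from two characters later (offset 2) is the reading of "off by two" assumed here. The function names and the sample input (the reflected vector from the report) are constructed for the example. Run against "/*///*/alert(1);", the buggy loop takes "/*/" as a closed comment, then treats the following "//" as a single-line comment and consumes the rest of the line, so the auditor is left with an empty snippet to match against the request; the corrected loop leaves "alert(1);", which is what the JS parser will execute.

```python
# Added example, not WebKit's XSSAuditor code. Models the leading-comment
# skip described in the bug and shows the effect of the '*/' search offset.

def starts_single_line_comment_at(s: str, i: int) -> bool:
    return s.startswith("//", i)


def starts_multi_line_comment_at(s: str, i: int) -> bool:
    return s.startswith("/*", i)


def skip_leading_comments(s: str, search_offset: int) -> int:
    """Return the index of the first character that is not whitespace or
    part of a leading comment.

    search_offset is added to the position of '/*' before looking for the
    closing '*/'. 0 reproduces the off-by-two bug (the '*' of '/*' plus a
    following '/' is accepted as the terminator); 2 starts the search past
    the opener, as a JS tokenizer does (assumption: this is the intended fix).
    """
    i, n = 0, len(s)
    while i < n:
        if s[i].isspace():
            i += 1
        elif starts_single_line_comment_at(s, i):
            # Single-line comment: consume to end of line.
            while i < n and s[i] not in "\n\r":
                i += 1
        elif starts_multi_line_comment_at(s, i):
            end = s.find("*/", i + search_offset)
            # Unterminated block comment swallows the rest of the input.
            i = end + 2 if end != -1 else n
        else:
            break
    return i


def snippet_buggy(s: str) -> str:
    """Snippet the auditor would compare against the request (buggy search)."""
    return s[skip_leading_comments(s, 0):]


def snippet_fixed(s: str) -> str:
    """Same, with the '*/' search starting after the '/*' opener."""
    return s[skip_leading_comments(s, 2):]


if __name__ == "__main__":
    # Constructed sample: the script body from the reflected vector in the report.
    script_body = "/*///*/alert(1);"
    print("buggy snippet:", repr(snippet_buggy(script_body)))  # ''
    print("fixed snippet:", repr(snippet_fixed(script_body)))  # 'alert(1);'
```

The detection consequence is visible in the two return values: with an empty snippet there is nothing for the auditor to find in the URL, so the reflected script passes; with "alert(1);" the snippet is present in the query string and the auditor can act on it. Ordinary inputs such as "/* note */ foo()" and "// note\nbar()" give the same result under both variants, so the fix only changes behaviour for the "/*/" edge case.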
Thomas Sepez
Comment 2 2012-05-31 13:24:25 PDT
Created attachment 145144 [details] patch/test
Thomas Sepez
Comment 3 2012-05-31 13:26:08 PDT
Adam, please review.
WebKit Review Bot
Comment 4 2012-05-31 13:28:18 PDT
Attachment 145144 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/http..." exit_code: 1
LayoutTests/ChangeLog:8: Line contains tab character. [whitespace/tab] [5]
LayoutTests/ChangeLog:9: Line contains tab character. [whitespace/tab] [5]
Source/WebCore/ChangeLog:8: Line contains tab character. [whitespace/tab] [5]
Total errors found: 3 in 5 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Thomas Sepez
Comment 5 2012-05-31 13:28:48 PDT
Created attachment 145147 [details] patch/test/fix indent
WebKit Review Bot
Comment 6 2012-05-31 18:31:39 PDT
Comment on attachment 145147 [details] patch/test/fix indent

Clearing flags on attachment: 145147

Committed r119184: <http://trac.webkit.org/changeset/119184>
WebKit Review Bot
Comment 7 2012-05-31 18:31:44 PDT
All reviewed patches have been landed. Closing bug.
Andy Estes
Comment 8 2012-06-12 17:07:05 PDT