RESOLVED FIXED 26807
Crashes on 3 layout tests when XSS auditor is enabled 
https://bugs.webkit.org/show_bug.cgi?id=26807
Summary Crashes on 3 layout tests when XSS auditor is enabled
Gustavo Noronha (kov)
Reported 2009-06-29 10:37:08 PDT
The following tests crash when the XSS auditor is enabled: fast/loader/javascript-url-encoding-2.html fast/loader/opaque-base-url.html http/tests/security/postMessage/javascript-page-still-sends-origin.html I'll attach the full backtrace.
Attachments
back trace (18.58 KB, text/plain)
2009-06-29 10:37 PDT, Gustavo Noronha (kov) 		no flags
Details
temporary workaround (1.30 KB, patch)
2009-06-29 15:43 PDT, Daniel Bates 		no flags
DetailsFormatted DiffDiff
Patch (1.14 KB, patch)
2009-07-01 13:33 PDT, Daniel Bates 		abarth: review+
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Gustavo Noronha (kov)
Comment 1 2009-06-29 10:37:48 PDT
Created attachment 32014 [details] back trace
Adam Barth
Comment 2 2009-06-29 11:25:39 PDT
From the test names, it looks like we might be handling the encoding of documents created by JavaScript URLs correctly. Dan would you like to look into this, or would you like me to?
Daniel Bates
Comment 3 2009-06-29 11:39:37 PDT
I'll take a look. (In reply to comment #2) > From the test names, it looks like we might be handling the encoding of > documents created by JavaScript URLs correctly. Dan would you like to look > into this, or would you like me to? >
Daniel Bates
Comment 4 2009-06-29 15:43:58 PDT
Created attachment 32023 [details] temporary workaround Temporary workaround. I have not been able to reproduce the crash for the test: http/tests/security/postMessage/javascript-page-still-sends-origin.html With respect to the other cases: fast/loader/javascript-url-encoding-2.html and fast/loader/opaque-base-url.html, these eventually cause the FrameLoader::m_decoder to be nullified and never set again before the XSSAuditor is called. So, frame->document()->decoder() is a null pointer and we were dereferencing it; hence the crashes. Both of these tests call FrameLoader::executeIfJavaScriptURL, which calls FrameLoader::write(const String& str). Unlike in FrameLoader::write(const char* str, int len, bool flush), the field FrameLoader::m_decoder is never set in FrameLoader::write(const String& str). Moreover, it looks like FrameLoader::executeIfJavaScriptURL is only method that calls FrameLoader::write(const String& str). I am unclear of the purpose of FrameLoader::write(const String& str). Why doesn't it just call FrameLoader::write(const char* str, int len, bool flush) with the appropriate arguments? I take it that it has something to do with parsing a strict document? I was not sure if I should set m_decoder (in a similar fashion) as in FrameLoader::write(const char* str, int len, bool flush), it seems kinda weird that someone left this out. Any suggestions?
Adam Barth
Comment 5 2009-06-30 11:24:04 PDT
Comment on attachment 32023 [details] temporary workaround > + if (!resultDecoded.isEmpty()) { > + if (!allowControlCharacters) > + resultDecoded.removeCharacters(&isControlCharacter); > + result = resultDecoded; > + } This should just be an && instead of a nested if. I think the patch is probably the right approach for the moment. I'm surprised that JavaScript URLs don't inherit the charset of their creator. We should file another bug to investigate this. The easiest test is probably to have a UTF-7 encoded parent create an <iframe> with a javascript URL an some UTF-7 encoded tags and see what happens.
Daniel Bates
Comment 6 2009-07-01 13:33:55 PDT
Created attachment 32138 [details] Patch Fixes the issue by checking whether frame->document()->decoder() is null.
Adam Barth
Comment 7 2009-07-01 13:35:41 PDT
Comment on attachment 32138 [details] Patch Thanks!
Adam Barth
Comment 8 2009-07-01 13:40:26 PDT
Sending WebCore/ChangeLog Sending WebCore/page/XSSAuditor.cpp Transmitting file data .. Committed revision 45445.
Note You need to log in before you can comment on or make changes to this bug.