RESOLVED FIXED Bug 27071
[XSSAuditor] HTTP parameters with null/control characters bypass XSSAuditor
https://bugs.webkit.org/show_bug.cgi?id=27071
Summary [XSSAuditor] HTTP parameters with null/control characters bypass XSSAuditor
Attachments
Patch with tests (29.70 KB, patch)
2009-07-08 00:02 PDT, Daniel Bates
no flags
Patch with tests (29.68 KB, patch)
2009-07-08 00:12 PDT, Daniel Bates
abarth: review-
Patch with tests (29.26 KB, patch)
2009-07-08 11:18 PDT, Daniel Bates
abarth: review+
Daniel Bates
Comment 1 2009-07-08 00:02:08 PDT
Created attachment 32431: Patch with tests
Daniel Bates
Comment 2 2009-07-08 00:08:22 PDT
I patched this by telling XSSAuditor::findInRequest when to allow/disallow null and non-null control characters. I also changed the console message type in method XSSAuditor::canLoadObject from OtherMessageSource to JSMessageSource, since DumpRenderTree doesn't seem to dump any OtherMessageSource errors as needed by various plugin-based test cases.

(In reply to comment #1)
> Created an attachment (id=32431)
> Patch with tests
Daniel Bates
Comment 3 2009-07-08 00:12:22 PDT
Created attachment 32433: Patch with tests

Forgot to put email address in change log for LayoutTests.
Adam Barth
Comment 4 2009-07-08 10:39:52 PDT
Comment on attachment 32433: Patch with tests

What is execGetURL.swf? I don't think we can put flash movies in layout tests. This probably isn't needed because the auditor blocks the load anyway. Also, where is script-tag-post-control-char.html?
Daniel Bates
Comment 5 2009-07-08 11:02:18 PDT
Right. I just used it as a place holder for the plugin-based tests, but it isn't needed as you pointed out. I'll add such a test and post the patch again.

(In reply to comment #4)
> (From update of attachment 32433)
> What is execGetURL.swf ? I don't think we can put flash movies in layout
> tests. This probably isn't needed because the auditor blocks the load anyway.
> Also, where is script-tag-post-control-char.html ?
Adam Barth
Comment 6 2009-07-08 11:06:46 PDT
Awesome. Thanks Dan.
Daniel Bates
Comment 7 2009-07-08 11:18:27 PDT
Created attachment 32462: Patch with tests

Removed file execGetURL.swf. Added test case script-tag-post-control-char.html.
Adam Barth
Comment 8 2009-07-08 12:02:30 PDT
Comment on attachment 32462: Patch with tests

This looks great. Thanks Dan. The ChangeLog still lists the SWF, but that's not a big deal. I'll try to remember to remove it when I land the patch.
Adam Barth
Comment 9 2009-07-08 14:27:24 PDT
Sending        LayoutTests/ChangeLog
Adding         LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/embed-tag.html
Adding         LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/object-embed-tag.html
Adding         LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/object-tag.html
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-post-control-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-post-null-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char.html
Sending        WebCore/ChangeLog
Sending        WebCore/page/XSSAuditor.cpp
Sending        WebCore/page/XSSAuditor.h
Transmitting file data ................................
Committed revision 45639.

http://trac.webkit.org/changeset/45639