WebKit Bugzilla
New
Browse
Log In
×
Sign in with GitHub
or
Remember my login
Create Account
·
Forgot Password
Forgotten password account recovery
RESOLVED FIXED
Bug 29523
[XSSAuditor] JavaScript URLs that are URL-encoded twice can by bypass the XSSAuditor
https://bugs.webkit.org/show_bug.cgi?id=29523
Summary
[XSSAuditor] JavaScript URLs that are URL-encoded twice can by bypass the XSS...
Daniel Bates
Reported
2009-09-19 14:50:47 PDT
The method FrameLoader::executeIfJavaScriptURL decodes the URL escape sequences in a JavaScript URL before it is eventually passed to the XSSAuditor. Because the XSSAuditor also decodes the URL escape sequences as part of its canonicalization, the double decoding of a JavaScript URL would not match the canonicalization of the input parameters.
Attachments
Patch with test cases
(5.57 KB, patch)
2009-09-19 14:52 PDT
,
Daniel Bates
abarth
: review-
Details
Formatted Diff
Diff
Patch with test cases
(7.45 KB, patch)
2009-09-19 16:17 PDT
,
Daniel Bates
no flags
Details
Formatted Diff
Diff
Patch with test cases
(7.39 KB, patch)
2009-09-19 17:55 PDT
,
Daniel Bates
no flags
Details
Formatted Diff
Diff
Show Obsolete
(2)
View All
Add attachment
proposed patch, testcase, etc.
Daniel Bates
Comment 1
2009-09-19 14:52:53 PDT
Created
attachment 39824
[details]
Patch with test cases
Adam Barth
Comment 2
2009-09-19 15:41:45 PDT
Comment on
attachment 39824
[details]
Patch with test cases + m_frame->script()->isEnabled() && !m_frame->script()->isPaused() Why did we add these conditions that weren't there before? Can we remove any of the other instances of canEvaluateJavaScriptURL?
Daniel Bates
Comment 3
2009-09-19 16:15:07 PDT
(In reply to
comment #2
)
> (From update of
attachment 39824
[details]
) > + m_frame->script()->isEnabled() && !m_frame->script()->isPaused() > > Why did we add these conditions that weren't there before?
This is an optimization. I added these so that we can avoid calling the XSSAuditor when scripts aren't enabled or paused. Notice, these cases are checked in FrameLoader::executeScript and at present (i.e. without this patch) the XSSAuditor is only called after these cases are checked. Because we now call the XSSAuditor in FrameLoader::executeIfJavaScriptURL, in particular before calling executeScript, we can save some processing time/function call, by only calling the XSSAuditor when scripts are enabled and not paused.
> Can we remove any of the other instances of canEvaluateJavaScriptURL?
Yes, I can clean up ScriptSourceController
Daniel Bates
Comment 4
2009-09-19 16:15:50 PDT
I meant, cleanup ScriptController. (In reply to
comment #3
)
> (In reply to
comment #2
) > > (From update of
attachment 39824
[details]
[details]) > > + m_frame->script()->isEnabled() && !m_frame->script()->isPaused() > > > > Why did we add these conditions that weren't there before? > > This is an optimization. > > I added these so that we can avoid calling the XSSAuditor when scripts aren't > enabled or paused. Notice, these cases are checked in > FrameLoader::executeScript and at present (i.e. without this patch) the > XSSAuditor is only called after these cases are checked. > > Because we now call the XSSAuditor in FrameLoader::executeIfJavaScriptURL, in > particular before calling executeScript, we can save some processing > time/function call, by only calling the XSSAuditor when scripts are enabled and > not paused. > > > Can we remove any of the other instances of canEvaluateJavaScriptURL? > > Yes, I can clean up ScriptSourceController
Daniel Bates
Comment 5
2009-09-19 16:17:22 PDT
Created
attachment 39826
[details]
Patch with test cases Cleaned up ScriptController.
Adam Barth
Comment 6
2009-09-19 17:46:17 PDT
> This is an optimization.
I think this optimization might be slightly premature. Those cases aren't very common, and the added complexity probably isn't worth it. Other than that, the patch looks good. Can you post a version without these checks?
Daniel Bates
Comment 7
2009-09-19 17:55:38 PDT
Created
attachment 39828
[details]
Patch with test cases On Adam's remarks, removed checks m_frame->script()->isEnabled(), m_frame->script()->isPaused() from patch
Adam Barth
Comment 8
2009-09-19 17:57:40 PDT
Comment on
attachment 39828
[details]
Patch with test cases Awesome. Thanks Dan.
Daniel Bates
Comment 9
2009-09-22 20:14:30 PDT
Comment on
attachment 39828
[details]
Patch with test cases Rejecting patch 39828 from commit-queue. This patch will require manual commit. Failed to run "['svn', 'commit', '-m', '2009-09-22 Daniel Bates <
dbates@webkit.org
>\n\n Reviewed by Adam Barth.\n\n
https://bugs.webkit.org/show_bug.cgi?id=29523
\n \n Fixes an issue where a JavaScript URL that was URL-encoded twice can bypass the\n XSSAuditor.\n \n The method FrameLoader::executeIfJavaScriptURL decodes the URL escape \n sequences in a JavaScript URL before it is eventually passed to the XSSAuditor.\n Because the XSSAuditor also decodes the URL escape sequences as part of its\n canonicalization, the double decoding of a JavaScript URL would\n not match the canonicalization of the input parameters.\n\n Tests: http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html\n http/tests/security/xssAuditor/javascript-link-url-encoded.html\n\n * bindings/js/ScriptController.cpp:\n (WebCore::ScriptController::evaluate): Moved call to \n XSSAuditor::canEvaluateJavaScriptURL into FrameLoader::executeIfJavaScriptURL.\n * bindings/v8/ScriptController.cpp:\n (WebCore::ScriptController::evaluate): Ditto.\n * loader/FrameLoader.cpp:\n (WebCore::FrameLoader::executeIfJavaScriptURL): Modified to call \n XSSAuditor::canEvaluateJavaScriptURL on the JavaScript URL before it is\n decoded.\n2009-09-22 Daniel Bates <
dbates@webkit.org
>\n\n Reviewed by Adam Barth.\n\n
https://bugs.webkit.org/show_bug.cgi?id=29523
\n \n Tests that JavaScript URLs that were URL-encoded twice do not bypass the XSSAuditor.\n\n * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt: Added.\n * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html: Added.\n * http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt: Added.\n * http/tests/security/xssAuditor/javascript-link-url-encoded.html: Added.\n']" exit_code: 1 cwd: None
Daniel Bates
Comment 10
2009-09-23 11:21:17 PDT
Sending LayoutTests/ChangeLog Adding LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt Adding LayoutTests/http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html Adding LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt Adding LayoutTests/http/tests/security/xssAuditor/javascript-link-url-encoded.html Sending WebCore/ChangeLog Sending WebCore/bindings/js/ScriptController.cpp Sending WebCore/bindings/v8/ScriptController.cpp Sending WebCore/loader/FrameLoader.cpp Transmitting file data ......... Committed revision 48680.
Daniel Bates
Comment 11
2009-09-23 11:22:07 PDT
Comment on
attachment 39828
[details]
Patch with test cases Clearing review and commit flags
Note
You need to
log in
before you can comment on or make changes to this bug.
Top of Page
Format For Printing
XML
Clone This Bug