Bug 66580 - XSS Filter Bypass with long strings
Status: RESOLVED FIXED
Product: WebKit
Component: WebKit Misc.
Version: 528+ (Nightly build)
Platform: All All
Importance: P2 Normal
Keywords: XSSAuditor
Dependency: 66579
Reported: 2011-08-19 13:50 PST by Adam Barth
Modified: 2011-09-02 14:57 PST


Attachments
- test case (890 bytes, application/zip) - 2011-08-19 13:50 PST, Adam Barth
- Static version of post response (20.15 KB, text/plain) - 2011-09-02 12:36 PST, Thomas Sepez
- Proposed TestCase (47.95 KB, patch) - 2011-09-02 14:08 PST, Thomas Sepez
- Proposed test case with "" typo removed. (47.95 KB, patch) - 2011-09-02 14:13 PST, Thomas Sepez




Description From Adam Barth 2011-08-19 13:50:24 PST
Created an attachment (id=104557)
test case

http://code.google.com/p/chromium/issues/detail?id=77731

VULNERABILITY DETAILS
On pages that render a large amount of user input it is possible to bypass the XSS filter.

VERSION
Chrome Version: 11.0.696.25 beta
Operating System: Windows Vista SP2

REPRODUCTION CASE

The attachment contains two files: a PHP file and an HTML file. Host the PHP file and update the form action in the HTML file to point to it. Open a new chrome tab and navigate to the HTML file.
------- Comment #1 From Thomas Sepez 2011-09-02 12:35:11 PST -------
Adam, DNR using Chrome 14 on Linux.  Didn't have PHP, but used a static file whose output matches what we'd expect from your static input file.  Console reports the XSS filter caught it.  I'll add my static output as an attachment.
------- Comment #2 From Thomas Sepez 2011-09-02 12:36:29 PST -------
Created an attachment (id=106176)
Static version of post response
------- Comment #3 From 2011-09-02 12:38:38 PST -------
Yeah, I think I fixed it in an earlier patch.  We probably should convert your static test to a LayoutTest and close this bug.
------- Comment #4 From Thomas Sepez 2011-09-02 14:08:08 PST -------
Created an attachment (id=106195)
Proposed TestCase
------- Comment #5 From Thomas Sepez 2011-09-02 14:13:29 PST -------
Created an attachment (id=106196)
Proposed test case with "" typo removed.
------- Comment #6 From 2011-09-02 14:57:03 PST -------
(From update of attachment 106196)
Clearing flags on attachment: 106196

Committed r94451: <http://trac.webkit.org/changeset/94451>
------- Comment #7 From 2011-09-02 14:57:09 PST -------
All reviewed patches have been landed.  Closing bug.