88002 – XSSAuditor bypass with leading /*///*/ comment

Bug 88002 - XSSAuditor bypass with leading /*///*/ comment

Summary: XSSAuditor bypass with leading /*///*/ comment

Status:	RESOLVED FIXED

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	WebCore Misc. (show other bugs)
Version:	528+ (Nightly build)
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Thomas Sepez

URL:
Keywords:	InRadar, XSSAuditor

Depends on:
Blocks:

Reported:	2012-05-31 12:12 PDT by Thomas Sepez
Modified:	2012-06-12 17:07 PDT (History)
CC List:	3 users (show)

See Also:

Attachments
patch/test (3.52 KB, patch) 2012-05-31 13:24 PDT, Thomas Sepez	no flags	Details \| Formatted Diff \| Diff
patch/test/fix indent (3.54 KB, patch) 2012-05-31 13:28 PDT, Thomas Sepez	no flags	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Thomas Sepez 2012-05-31 12:12:07 PDT

Originally reported by k3170makan at http://code.google.com/p/chromium/issues/detail?id=130594

query string: ?name=%3Cscript%3E/*///*/alert(1);%3C/script%3E
reflected vector: <script>/*///*/alert(1);</script>

Comment 1 Thomas Sepez 2012-05-31 12:13:42 PDT

Off by two.  The block:

else if (startsMultiLineCommentAt(string, startPosition)) {
            if ((foundPosition = string.find("*/", startPosition)) != notFound)
                startPosition = foundPosition + 2;

is matching /*/ as a complete comment, which it's not.  Then when we look at the next characters, we see // which we interpret as a single line comment -- but the JS parser doesn't.

Comment 2 Thomas Sepez 2012-05-31 13:24:25 PDT

Created attachment 145144 [details]
patch/test

Comment 3 Thomas Sepez 2012-05-31 13:26:08 PDT

Adam, please review.

Comment 4 WebKit Review Bot 2012-05-31 13:28:18 PDT

Attachment 145144 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/http..." exit_code: 1
LayoutTests/ChangeLog:8:  Line contains tab character.  [whitespace/tab] [5]
LayoutTests/ChangeLog:9:  Line contains tab character.  [whitespace/tab] [5]
Source/WebCore/ChangeLog:8:  Line contains tab character.  [whitespace/tab] [5]
Total errors found: 3 in 5 files


If any of these errors are false positives, please file a bug against check-webkit-style.

Comment 5 Thomas Sepez 2012-05-31 13:28:48 PDT

Created attachment 145147 [details]
patch/test/fix indent

Comment 6 WebKit Review Bot 2012-05-31 18:31:39 PDT

Comment on attachment 145147 [details]
patch/test/fix indent

Clearing flags on attachment: 145147

Committed r119184: <http://trac.webkit.org/changeset/119184>

Comment 7 WebKit Review Bot 2012-05-31 18:31:44 PDT

All reviewed patches have been landed.  Closing bug.

Comment 8 Andy Estes 2012-06-12 17:07:05 PDT

<rdar://problem/11652371>