Bug 88002 - XSSAuditor bypass with leading /*///*/ comment
Summary: XSSAuditor bypass with leading /*///*/ comment
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Thomas Sepez
Keywords: InRadar, XSSAuditor
Depends on:
Reported: 2012-05-31 12:12 PDT by Thomas Sepez
Modified: 2012-06-12 17:07 PDT (History)
3 users (show)

See Also:

patch/test (3.52 KB, patch)
2012-05-31 13:24 PDT, Thomas Sepez
no flags Details | Formatted Diff | Diff
patch/test/fix indent (3.54 KB, patch)
2012-05-31 13:28 PDT, Thomas Sepez
no flags Details | Formatted Diff | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Sepez 2012-05-31 12:12:07 PDT
Originally reported by k3170makan at http://code.google.com/p/chromium/issues/detail?id=130594

query string: ?name=%3Cscript%3E/*///*/alert(1);%3C/script%3E
reflected vector: <script>/*///*/alert(1);</script>
Comment 1 Thomas Sepez 2012-05-31 12:13:42 PDT
Off by two.  The block:

else if (startsMultiLineCommentAt(string, startPosition)) {
            if ((foundPosition = string.find("*/", startPosition)) != notFound)
                startPosition = foundPosition + 2;

is matching /*/ as a complete comment, which it's not.  Then when we look at the next characters, we see // which we interpret as a single line comment -- but the JS parser doesn't.
Comment 2 Thomas Sepez 2012-05-31 13:24:25 PDT
Created attachment 145144 [details]
Comment 3 Thomas Sepez 2012-05-31 13:26:08 PDT
Adam, please review.
Comment 4 WebKit Review Bot 2012-05-31 13:28:18 PDT
Attachment 145144 [details] did not pass style-queue:

Failed to run "['Tools/Scripts/check-webkit-style', '--diff-files', u'LayoutTests/ChangeLog', u'LayoutTests/http..." exit_code: 1
LayoutTests/ChangeLog:8:  Line contains tab character.  [whitespace/tab] [5]
LayoutTests/ChangeLog:9:  Line contains tab character.  [whitespace/tab] [5]
Source/WebCore/ChangeLog:8:  Line contains tab character.  [whitespace/tab] [5]
Total errors found: 3 in 5 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Comment 5 Thomas Sepez 2012-05-31 13:28:48 PDT
Created attachment 145147 [details]
patch/test/fix indent
Comment 6 WebKit Review Bot 2012-05-31 18:31:39 PDT
Comment on attachment 145147 [details]
patch/test/fix indent

Clearing flags on attachment: 145147

Committed r119184: <http://trac.webkit.org/changeset/119184>
Comment 7 WebKit Review Bot 2012-05-31 18:31:44 PDT
All reviewed patches have been landed.  Closing bug.
Comment 8 Andy Estes 2012-06-12 17:07:05 PDT