<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
"http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title>[207093] releases/WebKitGTK/webkit-2.14</title>
</head>
<body>

<style type="text/css"><!--
#msg dl.meta { border: 1px #006 solid; background: #369; padding: 6px; color: #fff; }
#msg dl.meta dt { float: left; width: 6em; font-weight: bold; }
#msg dt:after { content:':';}
#msg dl, #msg dt, #msg ul, #msg li, #header, #footer, #logmsg { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt;  }
#msg dl a { font-weight: bold}
#msg dl a:link    { color:#fc3; }
#msg dl a:active  { color:#ff0; }
#msg dl a:visited { color:#cc6; }
h3 { font-family: verdana,arial,helvetica,sans-serif; font-size: 10pt; font-weight: bold; }
#msg pre { overflow: auto; background: #ffc; border: 1px #fa0 solid; padding: 6px; }
#logmsg { background: #ffc; border: 1px #fa0 solid; padding: 1em 1em 0 1em; }
#logmsg p, #logmsg pre, #logmsg blockquote { margin: 0 0 1em 0; }
#logmsg p, #logmsg li, #logmsg dt, #logmsg dd { line-height: 14pt; }
#logmsg h1, #logmsg h2, #logmsg h3, #logmsg h4, #logmsg h5, #logmsg h6 { margin: .5em 0; }
#logmsg h1:first-child, #logmsg h2:first-child, #logmsg h3:first-child, #logmsg h4:first-child, #logmsg h5:first-child, #logmsg h6:first-child { margin-top: 0; }
#logmsg ul, #logmsg ol { padding: 0; list-style-position: inside; margin: 0 0 0 1em; }
#logmsg ul { text-indent: -1em; padding-left: 1em; }#logmsg ol { text-indent: -1.5em; padding-left: 1.5em; }
#logmsg > ul, #logmsg > ol { margin: 0 0 1em 0; }
#logmsg pre { background: #eee; padding: 1em; }
#logmsg blockquote { border: 1px solid #fa0; border-left-width: 10px; padding: 1em 1em 0 1em; background: white;}
#logmsg dl { margin: 0; }
#logmsg dt { font-weight: bold; }
#logmsg dd { margin: 0; padding: 0 0 0.5em 0; }
#logmsg dd:before { content:'\00bb';}
#logmsg table { border-spacing: 0px; border-collapse: collapse; border-top: 4px solid #fa0; border-bottom: 1px solid #fa0; background: #fff; }
#logmsg table th { text-align: left; font-weight: normal; padding: 0.2em 0.5em; border-top: 1px dotted #fa0; }
#logmsg table td { text-align: right; border-top: 1px dotted #fa0; padding: 0.2em 0.5em; }
#logmsg table thead th { text-align: center; border-bottom: 1px solid #fa0; }
#logmsg table th.Corner { text-align: left; }
#logmsg hr { border: none 0; border-top: 2px dashed #fa0; height: 1px; }
#header, #footer { color: #fff; background: #636; border: 1px #300 solid; padding: 6px; }
#patch { width: 100%; }
#patch h4 {font-family: verdana,arial,helvetica,sans-serif;font-size:10pt;padding:8px;background:#369;color:#fff;margin:0;}
#patch .propset h4, #patch .binary h4 {margin:0;}
#patch pre {padding:0;line-height:1.2em;margin:0;}
#patch .diff {width:100%;background:#eee;padding: 0 0 10px 0;overflow:auto;}
#patch .propset .diff, #patch .binary .diff  {padding:10px 0;}
#patch span {display:block;padding:0 10px;}
#patch .modfile, #patch .addfile, #patch .delfile, #patch .propset, #patch .binary, #patch .copfile {border:1px solid #ccc;margin:10px 0;}
#patch ins {background:#dfd;text-decoration:none;display:block;padding:0 10px;}
#patch del {background:#fdd;text-decoration:none;display:block;padding:0 10px;}
#patch .lines, .info {color:#888;background:#fff;}
--></style>
<div id="msg">
<dl class="meta">
<dt>Revision</dt> <dd><a href="http://trac.webkit.org/projects/webkit/changeset/207093">207093</a></dd>
<dt>Author</dt> <dd>carlosgc@webkit.org</dd>
<dt>Date</dt> <dd>2016-10-11 04:49:56 -0700 (Tue, 11 Oct 2016)</dd>
</dl>

<h3>Log Message</h3>
<pre>Merge <a href="http://trac.webkit.org/projects/webkit/changeset/206277">r206277</a> - [XSS Auditor] HTML5 entities can bypass XSS Auditor
https://bugs.webkit.org/show_bug.cgi?id=161939
&lt;rdar://problem/25819815&gt;

Reviewed by David Kilzer.

Source/WebCore:

Merged from Blink:
&lt;https://chromium.googlesource.com/chromium/src/+/04e44060dccee711842d08652bf1c622a0f43179&gt;

Truncate a src-like URL at the first &amp; character as it may mark the start of an HTML entity.
We will evaluate the effectiveness of this approach and adjust it if necessary if we see an
increase in false positives.

HTML5 defines more named character references, including named character references for common
punctuation characters. Characters following some punctuation characters may come from the page
itself. We truncate src-like strings at punctuation characters to avoid considering such page
content when performing a match.

Test: http/tests/security/xssAuditor/script-tag-with-source-data-url5.html

* html/parser/XSSAuditor.cpp:
(WebCore::truncateForSrcLikeAttribute):

LayoutTests:

* http/tests/security/xssAuditor/script-tag-with-source-data-url5-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-with-source-data-url5.html: Added.</pre>
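<p>Added example (not WebKit's code): a stand-alone C++ reimplementation of the src-like truncation rule the log message describes, paired with a simplified version of the auditor's containment check and run over constructed inputs modelled on the new layout test. Assumptions: the post-comma stops on ' and " and the setting of the comma flag are reconstructed from the comment in XSSAuditor.cpp rather than copied from WebKit; the containment check is a plain substring search (the real auditor canonicalizes further and applies other checks); and the reflecting page is assumed to emit its own text ("-page-suffix", constructed here) directly after the reflected value, which is the page-owned content the log message refers to.</p>

```cpp
#include <cstddef>
#include <string>

// Added example, not WebKit's code: the truncation rule for src-like
// attribute values as the commit describes it. `stopAtAmpersand` selects
// the post-fix behaviour (stop at the first '&'). Rule, applied to the
// percent-decoded value taken from the page source:
//   stop at the first '?' or '#', at the third '/' or '\', and, once a ','
//   has been seen, at the first '/', '\', '<', '\'' or '"'.
// The quote clauses and the comma flag are assumed from the source comment.
std::string truncateForSrcLikeAttribute(const std::string& decodedSnippet, bool stopAtAmpersand)
{
    int slashCount = 0;
    bool commaSeen = false;
    for (std::size_t i = 0; i < decodedSnippet.length(); ++i) {
        char c = decodedSnippet[i];
        if ((stopAtAmpersand && c == '&')
            || c == '?'
            || c == '#'
            || ((c == '/' || c == '\\') && (commaSeen || ++slashCount > 2))
            || (c == '<' && commaSeen)
            || ((c == '\'' || c == '"') && commaSeen))
            return decodedSnippet.substr(0, i);
        if (c == ',')
            commaSeen = true;
    }
    return decodedSnippet;
}

// Simplified stand-in (assumption) for the auditor's containment check: the
// truncated snippet taken from the page must occur in the decoded request.
bool snippetFoundInRequest(const std::string& truncatedSnippet, const std::string& decodedRequest)
{
    return !truncatedSnippet.empty() && decodedRequest.find(truncatedSnippet) != std::string::npos;
}

// Does the auditor block the reflected script? `rawAttributeValue` is the
// src value as it appears in the page source (reflected input followed by
// whatever the page appends); `decodedRequest` is the percent-decoded URL.
bool auditorBlocks(const std::string& rawAttributeValue, const std::string& decodedRequest, bool stopAtAmpersand)
{
    return snippetFoundInRequest(truncateForSrcLikeAttribute(rawAttributeValue, stopAtAmpersand), decodedRequest);
}

// Constructed inputs modelled on the layout test: the server reflects q and
// then emits its own text right after it; that text is not in the request.
const std::string kPageSuffix = "-page-suffix";
const std::string kRequestLiteralComma = "q=\"><script src=data:,alert(1);\"";
const std::string kRequestEntityComma  = "q=\"><script src=data:&comma;alert(1);\"";
const std::string kAttrLiteralComma = "data:,alert(1);\"" + kPageSuffix;
const std::string kAttrEntityComma  = "data:&comma;alert(1);\"" + kPageSuffix;

int main()
{
    // Literal comma: the old rule stops at the '"' after the comma, the page
    // suffix is dropped and the snippet is found in the request (blocked).
    auditorBlocks(kAttrLiteralComma, kRequestLiteralComma, false);
    // "&comma;" hides the comma: the old rule never truncates, the page
    // suffix stays in the snippet and the match fails (the bypass).
    auditorBlocks(kAttrEntityComma, kRequestEntityComma, false);
    // Post-fix: stopping at '&' leaves "data:", which is in the request.
    auditorBlocks(kAttrEntityComma, kRequestEntityComma, true);
    return 0;
}
```

<p>The three calls in main() walk the sequence the log message implies: a literal comma is truncated at the quote that follows it and matched; the same payload written with the entity is never truncated under the old rule, so the page-owned tail makes the containment check fail; with the ampersand stop the snippet collapses to "data:", which the request does contain.</p>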

<h3>Modified Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestsChangeLog">releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCoreChangeLog">releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog</a></li>
<li><a href="#releasesWebKitGTKwebkit214SourceWebCorehtmlparserXSSAuditorcpp">releases/WebKitGTK/webkit-2.14/Source/WebCore/html/parser/XSSAuditor.cpp</a></li>
</ul>

<h3>Added Paths</h3>
<ul>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorscripttagwithsourcedataurl5expectedtxt">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url5-expected.txt</a></li>
<li><a href="#releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorscripttagwithsourcedataurl5html">releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url5.html</a></li>
</ul>

</div>
<div id="patch">
<h3>Diff</h3>
<a id="releasesWebKitGTKwebkit214LayoutTestsChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog (207092 => 207093)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog        2016-10-11 11:49:00 UTC (rev 207092)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/ChangeLog        2016-10-11 11:49:56 UTC (rev 207093)
</span><span class="lines">@@ -1,5 +1,16 @@
</span><span class="cx"> 2016-09-22  Daniel Bates  &lt;dabates@apple.com&gt;
</span><span class="cx"> 
</span><ins>+        [XSS Auditor] HTML5 entities can bypass XSS Auditor
+        https://bugs.webkit.org/show_bug.cgi?id=161939
+        &lt;rdar://problem/25819815&gt;
+
+        Reviewed by David Kilzer.
+
+        * http/tests/security/xssAuditor/script-tag-with-source-data-url5-expected.txt: Added.
+        * http/tests/security/xssAuditor/script-tag-with-source-data-url5.html: Added.
+
+2016-09-22  Daniel Bates  &lt;dabates@apple.com&gt;
+
</ins><span class="cx">         [XSS Auditor] Truncate data URLs at quotes
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=161937
</span><span class="cx"> 
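Review bot: the new entry names only the added files; a one-line description of what the test exercises (a script src whose comma is written as the &amp;comma; entity) would make the ChangeLog self-explanatory, since the bug title alone does not say which entity or which attribute is involved.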
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorscripttagwithsourcedataurl5expectedtxt"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url5-expected.txt (0 => 207093)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url5-expected.txt                                (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url5-expected.txt        2016-10-11 11:49:56 UTC (rev 207093)
</span><span class="lines">@@ -0,0 +1,2 @@
</span><ins>+CONSOLE MESSAGE: line 3: The XSS Auditor refused to execute a script in 'http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22%3E%3Cscript%20src%3ddata:%26comma%3balert(1)%3b%22' because its source code was found within the request. The auditor was enabled because the server did not send an 'X-XSS-Protection' header.
+
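Review bot: the expectation pins the complete console message, including the "line 3" prefix and the trailing explanation about the missing X-XSS-Protection header, so any rewording of the auditor's message or a change in echo-property.pl's line layout will break this file; that matches the other xssAuditor expectations, but note the URL in the message still shows the entity percent-encoded as %26comma%3b, which is the form the page receives and the new &amp; stop has to handle.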
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214LayoutTestshttptestssecurityxssAuditorscripttagwithsourcedataurl5html"></a>
<div class="addfile"><h4>Added: releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url5.html (0 => 207093)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url5.html                                (rev 0)
+++ releases/WebKitGTK/webkit-2.14/LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-data-url5.html        2016-10-11 11:49:56 UTC (rev 207093)
</span><span class="lines">@@ -0,0 +1,15 @@
</span><ins>+&lt;!DOCTYPE html&gt;
+&lt;html&gt;
+&lt;head&gt;
+&lt;script&gt;
+if (window.testRunner) {
+  testRunner.dumpAsText();
+  testRunner.setXSSAuditorEnabled(true);
+}
+&lt;/script&gt;
+&lt;/head&gt;
+&lt;body&gt;
+&lt;iframe src=&quot;http://localhost:8000/security/xssAuditor/resources/echo-property.pl?q=%22&gt;&lt;script src%3ddata:%26comma%3balert(1)%3b%22&quot;&gt;
+&lt;/iframe&gt;
+&lt;/body&gt;
+&lt;/html&gt;
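Review bot: only the &amp;comma; spelling is exercised; since the fix stops at any &amp;, a sibling case using a numeric reference such as &amp;#44; or another HTML5 punctuation entity would show the rule is not specific to &amp;comma;, and a plain "," variant next to it would confirm the pre-existing comma truncation still blocks. The pass criterion here is the console message alone, which is the usual pattern for these tests.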
</ins></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCoreChangeLog"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog (207092 => 207093)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog        2016-10-11 11:49:00 UTC (rev 207092)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/ChangeLog        2016-10-11 11:49:56 UTC (rev 207093)
</span><span class="lines">@@ -1,5 +1,30 @@
</span><span class="cx"> 2016-09-22  Daniel Bates  &lt;dabates@apple.com&gt;
</span><span class="cx"> 
</span><ins>+        [XSS Auditor] HTML5 entities can bypass XSS Auditor
+        https://bugs.webkit.org/show_bug.cgi?id=161939
+        &lt;rdar://problem/25819815&gt;
+
+        Reviewed by David Kilzer.
+
+        Merged from Blink:
+        &lt;https://chromium.googlesource.com/chromium/src/+/04e44060dccee711842d08652bf1c622a0f43179&gt;
+
+        Truncate a src-like URL at the first &amp; character as it may mark the start of an HTML entity.
+        We will evaluate the effectiveness of this approach and adjust it if necessary if we see an
+        increase in false positives.
+
+        HTML5 defines more named character references, including named character references for common
+        punctuation characters. Characters following some punctuation characters may come from the page
+        itself. We truncate src-like strings at punctuation characters to avoid considering such page
+        content when performing a match.
+
+        Test: http/tests/security/xssAuditor/script-tag-with-source-data-url5.html
+
+        * html/parser/XSSAuditor.cpp:
+        (WebCore::truncateForSrcLikeAttribute):
+
+2016-09-22  Daniel Bates  &lt;dabates@apple.com&gt;
+
</ins><span class="cx">         [XSS Auditor] Truncate data URLs at quotes
</span><span class="cx">         https://bugs.webkit.org/show_bug.cgi?id=161937
</span><span class="cx"> 
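Review bot: the second paragraph of the new entry ("We truncate src-like strings at punctuation characters") reads as though truncation at punctuation is introduced by this change, but the only new stop character is &amp;; the ?, #, slash and post-comma rules already existed (see the XSSAuditor.cpp hunk). Suggest "We now also truncate at the first &amp;, since it may begin an entity for one of those punctuation characters."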
</span></span></pre></div>
<a id="releasesWebKitGTKwebkit214SourceWebCorehtmlparserXSSAuditorcpp"></a>
<div class="modfile"><h4>Modified: releases/WebKitGTK/webkit-2.14/Source/WebCore/html/parser/XSSAuditor.cpp (207092 => 207093)</h4>
<pre class="diff"><span>
<span class="info">--- releases/WebKitGTK/webkit-2.14/Source/WebCore/html/parser/XSSAuditor.cpp        2016-10-11 11:49:00 UTC (rev 207092)
+++ releases/WebKitGTK/webkit-2.14/Source/WebCore/html/parser/XSSAuditor.cpp        2016-10-11 11:49:56 UTC (rev 207093)
</span><span class="lines">@@ -182,8 +182,10 @@
</span><span class="cx">     // the first comma, and the first /*, //, or &lt;!-- may introduce a comment. Also
</span><span class="cx">     // data URLs may use the same string literal tricks as with script content itself.
</span><span class="cx">     // In either case, content following this may come from the page and may be ignored
</span><del>-    // when the script is executed.
-    // For simplicity, we don't differentiate based on URL scheme, and stop at
</del><ins>+    // when the script is executed. Also, any of these characters may now be represented
+    // by the (enlarged) set of HTML5 entities.
+    // For simplicity, we don't differentiate based on URL scheme, and stop at the first
+    // &amp; (since it might be part of an entity for any of the subsequent punctuation)
</ins><span class="cx">     // the first # or ?, the third slash, or the first slash, &lt;, ', or &quot; once a comma
</span><span class="cx">     // is seen.
</span><span class="cx">     int slashCount = 0;
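Review bot: the rewritten comment now runs "stop at the first &amp; (since it might be part of an entity for any of the subsequent punctuation) the first # or ?, ..." with no conjunction after the parenthesis; add a comma or "and" before "the first # or ?". It would also help to say why an entity can still be present in decodedSnippet at this point, i.e. why the fix is to truncate at &amp; rather than to decode the entity, since a reader would otherwise expect entities to be gone by the time the snippet is compared.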
</span><span class="lines">@@ -190,7 +192,8 @@
</span><span class="cx">     bool commaSeen = false;
</span><span class="cx">     for (size_t currentLength = 0; currentLength &lt; decodedSnippet.length(); ++currentLength) {
</span><span class="cx">         UChar currentChar = decodedSnippet[currentLength];
</span><del>-        if (currentChar == '?'
</del><ins>+        if (currentChar == '&amp;'
+            || currentChar == '?'
</ins><span class="cx">             || currentChar == '#'
</span><span class="cx">             || ((currentChar == '/' || currentChar == '\\') &amp;&amp; (commaSeen || ++slashCount &gt; 2))
</span><span class="cx">             || (currentChar == '&lt;' &amp;&amp; commaSeen)
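Review bot: the new &amp; test is unconditional, so it also fires on an &amp; in a plain path before any ? (for example /a&amp;b.js), shortening such snippets; that can only add matches, which is the false-positive trade-off the ChangeLog accepts, but a layout test pinning that behaviour would make the choice explicit, and it is worth confirming downstream that a very short result such as "data:" is not accepted as a match on its own.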
</span></span></pre>
</div>
</div>

</body>
</html>