[Webkit-unassigned] [Bug 27071] [XSSAuditor] HTTP parameters with null/control characters bypass XSSAuditor

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Jul 8 00:08:23 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=27071

--- Comment #2 from Daniel Bates <dbates at berkeley.edu>  2009-07-08 00:08:22 PDT ---
I patched this by telling XSSAuditor::findInRequest when to allow/disallow null
and non-null control characters.

I also changed the console message type in method XSSAuditor::canLoadObject
from OtherMessageSource to JSMessageSource, since DumpRenderTree doesn't seem
to dump OtherMessageSource errors as needed by various plugin-based test
cases.

(In reply to comment #1)
> Created an attachment (id=32431)
 --> (https://bugs.webkit.org/attachment.cgi?id=32431)
> Patch with tests
