[Webkit-unassigned] [Bug 29523] [XSSAuditor] JavaScript URLs that are URL-encoded twice can bypass the XSSAuditor
bugzilla-daemon at webkit.org
Tue Sep 22 20:14:30 PDT 2009
https://bugs.webkit.org/show_bug.cgi?id=29523
Daniel Bates <dbates at webkit.org> changed:
What                       Removed    Added
----------------------------------------------------------------------------
Attachment #39828 Flag                commit-queue-
--- Comment #9 from Daniel Bates <dbates at webkit.org> 2009-09-22 20:14:30 PDT ---
(From update of attachment 39828)
Rejecting patch 39828 from commit-queue.
This patch will require manual commit. Failed to run svn commit -m with the
following ChangeLog message:

2009-09-22  Daniel Bates  <dbates at webkit.org>

        Reviewed by Adam Barth.

        https://bugs.webkit.org/show_bug.cgi?id=29523

        Fixes an issue where a JavaScript URL that was URL-encoded twice can bypass
        the XSSAuditor.

        The method FrameLoader::executeIfJavaScriptURL decodes the URL escape
        sequences in a JavaScript URL before it is eventually passed to the
        XSSAuditor. Because the XSSAuditor also decodes the URL escape sequences
        as part of its canonicalization, the double decoding of a JavaScript URL
        would not match the canonicalization of the input parameters.

        Tests: http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html
               http/tests/security/xssAuditor/javascript-link-url-encoded.html

        * bindings/js/ScriptController.cpp:
        (WebCore::ScriptController::evaluate): Moved call to
        XSSAuditor::canEvaluateJavaScriptURL into FrameLoader::executeIfJavaScriptURL.
        * bindings/v8/ScriptController.cpp:
        (WebCore::ScriptController::evaluate): Ditto.
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::executeIfJavaScriptURL): Modified to call
        XSSAuditor::canEvaluateJavaScriptURL on the JavaScript URL before it is
        decoded.

2009-09-22  Daniel Bates  <dbates at webkit.org>

        Reviewed by Adam Barth.

        https://bugs.webkit.org/show_bug.cgi?id=29523

        Tests that JavaScript URLs that were URL-encoded twice do not bypass
        the XSSAuditor.

        * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt: Added.
        * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html: Added.
        * http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt: Added.
        * http/tests/security/xssAuditor/javascript-link-url-encoded.html: Added.

exit_code: 1 cwd: None
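The ChangeLog above describes an ordering problem: the loader percent-decoded a javascript: URL before the auditor compared it against the canonicalized request, so the two sides were no longer in the same encoding state. The C++ below is an added, simplified model of that comparison written for this page; it is not WebKit code and does not reproduce the real XSSAuditor or FrameLoader internals. Assumptions of the model: the reflecting server decodes a query value once and emits it as an href; the auditor canonicalizes the request URL by one percent-decode and looks for the candidate URL inside it verbatim; `percentDecodeOnce`, the `example.test` host, the query parameter `u` and the `alert(1)` payload are all constructed for the example.

```cpp
// Added example: model of audit-after-decode vs. audit-before-decode ordering.
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <string>

const std::string kJavaScriptScheme = "javascript:";

// Decode %XX escape sequences exactly once; everything else is copied through.
// Stands in for the URL-unescaping step of the loader and the auditor (assumption).
std::string percentDecodeOnce(const std::string& in) {
    std::string out;
    for (std::size_t i = 0; i < in.size(); ++i) {
        if (in[i] == '%' && i + 2 < in.size()
            && std::isxdigit(static_cast<unsigned char>(in[i + 1]))
            && std::isxdigit(static_cast<unsigned char>(in[i + 2]))) {
            out += static_cast<char>(std::strtol(in.substr(i + 1, 2).c_str(), nullptr, 16));
            i += 2;
        } else {
            out += in[i];
        }
    }
    return out;
}

// Model auditor: canonicalize the request URL with one percent-decode and report
// whether the candidate JavaScript URL occurs in it (candidate matched as given).
bool auditorFindsInRequest(const std::string& candidate, const std::string& requestURL) {
    return percentDecodeOnce(requestURL).find(candidate) != std::string::npos;
}

struct Outcome {
    bool blocked;        // true if the auditor refused to run the URL
    std::string script;  // script body that would be evaluated (empty when blocked)
};

// Ordering before the fix: decode the href first, then audit the decoded text.
// The candidate has now been decoded one more time than the canonical request URL.
Outcome executeIfJavaScriptURL_auditAfterDecode(const std::string& href, const std::string& requestURL) {
    if (href.compare(0, kJavaScriptScheme.size(), kJavaScriptScheme) != 0)
        return {false, ""};  // not a JavaScript URL: nothing to evaluate
    const std::string decoded = percentDecodeOnce(href);
    if (auditorFindsInRequest(decoded, requestURL))
        return {true, ""};
    return {false, decoded.substr(kJavaScriptScheme.size())};
}

// Ordering after the fix: audit the href exactly as it appears in the document,
// and only then decode it for evaluation.
Outcome executeIfJavaScriptURL_auditBeforeDecode(const std::string& href, const std::string& requestURL) {
    if (href.compare(0, kJavaScriptScheme.size(), kJavaScriptScheme) != 0)
        return {false, ""};
    if (auditorFindsInRequest(href, requestURL))
        return {true, ""};
    return {false, percentDecodeOnce(href).substr(kJavaScriptScheme.size())};
}

// Model of a reflecting server: decodes the raw query value once and emits it as an href.
std::string reflectedHref(const std::string& rawQueryValue) {
    return percentDecodeOnce(rawQueryValue);
}

int main() {
    // Constructed request whose parameter is URL-encoded twice relative to the payload.
    const std::string request = "http://example.test/page?u=javascript%3Aalert%25281%2529";
    const std::string href = reflectedHref("javascript%3Aalert%25281%2529");  // javascript:alert%281%29

    Outcome before = executeIfJavaScriptURL_auditAfterDecode(href, request);
    Outcome after = executeIfJavaScriptURL_auditBeforeDecode(href, request);
    std::cout << "audit after decode:  " << (before.blocked ? "blocked" : "ran " + before.script) << "\n";
    std::cout << "audit before decode: " << (after.blocked ? "blocked" : "ran " + after.script) << "\n";
    return 0;
}
```

With the pre-fix ordering the decoded candidate `javascript:alert(1)` is not found in the once-decoded request URL, so the script runs; with the post-fix ordering the auditor sees `javascript:alert%281%29`, which is exactly what the canonicalized request contains, and refuses it. A singly-encoded payload is caught under either ordering, which is why only the twice-encoded form needed the two regression tests named in the ChangeLog.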