[Webkit-unassigned] [Bug 29523] [XSSAuditor] JavaScript URLs that are URL-encoded twice can bypass the XSSAuditor

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Sep 22 20:14:30 PDT 2009


https://bugs.webkit.org/show_bug.cgi?id=29523


Daniel Bates <dbates at webkit.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #39828|                            |commit-queue-
               Flag|                            |




--- Comment #9 from Daniel Bates <dbates at webkit.org>  2009-09-22 20:14:30 PDT ---
(From update of attachment 39828)
Rejecting patch 39828 from commit-queue.

This patch will require manual commit. Failed to run "svn commit -m <log message>" (exit_code: 1, cwd: None). The log message passed to svn was:

2009-09-22  Daniel Bates  <dbates at webkit.org>

        Reviewed by Adam Barth.

        https://bugs.webkit.org/show_bug.cgi?id=29523

        Fixes an issue where a JavaScript URL that was URL-encoded twice can bypass the
        XSSAuditor.

        The method FrameLoader::executeIfJavaScriptURL decodes the URL escape
        sequences in a JavaScript URL before it is eventually passed to the XSSAuditor.
        Because the XSSAuditor also decodes the URL escape sequences as part of its
        canonicalization, the double decoding of a JavaScript URL would
        not match the canonicalization of the input parameters.

        Tests: http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html
               http/tests/security/xssAuditor/javascript-link-url-encoded.html

        * bindings/js/ScriptController.cpp:
        (WebCore::ScriptController::evaluate): Moved call to
        XSSAuditor::canEvaluateJavaScriptURL into FrameLoader::executeIfJavaScriptURL.
        * bindings/v8/ScriptController.cpp:
        (WebCore::ScriptController::evaluate): Ditto.
        * loader/FrameLoader.cpp:
        (WebCore::FrameLoader::executeIfJavaScriptURL): Modified to call
        XSSAuditor::canEvaluateJavaScriptURL on the JavaScript URL before it is
        decoded.

2009-09-22  Daniel Bates  <dbates at webkit.org>

        Reviewed by Adam Barth.

        https://bugs.webkit.org/show_bug.cgi?id=29523

        Tests that JavaScript URLs that were URL-encoded twice do not bypass
        the XSSAuditor.

        * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded-expected.txt: Added.
        * http/tests/security/xssAuditor/iframe-javascript-url-url-encoded.html: Added.
        * http/tests/security/xssAuditor/javascript-link-url-encoded-expected.txt: Added.
        * http/tests/security/xssAuditor/javascript-link-url-encoded.html: Added.
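The bypass the commit message describes is an ordering problem: the frame loader decoded the javascript: URL once, then the auditor decoded the already-decoded script a second time while decoding the request parameters only once, so the two canonical forms no longer lined up. The toy model below is an added example, not WebKit code; canonicalize, auditorAllows, runJavaScriptUrlBefore and runJavaScriptUrlAfter are hypothetical stand-ins for XSSAuditor::canonicalize, XSSAuditor::canEvaluateJavaScriptURL and FrameLoader::executeIfJavaScriptURL, and the reflected parameter value is constructed. It keeps only the one auditor behaviour that matters here (a single round of percent-decoding during canonicalization, then a substring check against the request) and shows the same payload slipping past the pre-patch ordering and being caught by the post-patch ordering.

```javascript
// Added example, not WebKit code: a model of the double-decoding mismatch in
// bug 29523. All function names are hypothetical stand-ins for the real
// XSSAuditor / FrameLoader internals and do not reproduce their signatures.

// One round of URL-escape decoding (stand-in for decodeURLEscapeSequences).
function decodeEscapes(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return s; // malformed escape sequence: leave the text untouched
  }
}

// The auditor's canonicalization also decodes escapes exactly once. Anything
// else the real auditor normalises is deliberately left out of this model.
function canonicalize(s) {
  return decodeEscapes(s);
}

// Reflected-XSS heuristic: refuse to run a script whose canonical form also
// appears in the canonical form of a request parameter.
function auditorAllows(script, requestValue) {
  return !canonicalize(requestValue).includes(canonicalize(script));
}

function scriptOf(url) {
  if (!url.startsWith("javascript:")) throw new Error("not a javascript: URL");
  return url.slice("javascript:".length);
}

// Pre-patch ordering: decode the URL first, then audit the decoded script.
// The auditor decodes it again, so the script is decoded twice while the
// request parameter is decoded once. Returns the script that would run, or
// null if the auditor blocked it.
function runJavaScriptUrlBefore(url, requestValue) {
  const decoded = decodeEscapes(scriptOf(url));
  return auditorAllows(decoded, requestValue) ? decoded : null;
}

// Post-patch ordering: audit the still-encoded URL, then decode. Both sides
// of the comparison are now decoded exactly once.
function runJavaScriptUrlAfter(url, requestValue) {
  if (!auditorAllows(url, requestValue)) return null;
  return decodeEscapes(scriptOf(url));
}

// Constructed sample: the server decoded the query string once and echoed the
// parameter into the page verbatim, so the iframe's src still carries one
// extra layer of encoding. The payload keeps the encoded bytes inside a string
// literal so that the once-decoded script is still valid JavaScript.
const reflectedParam = "<iframe src=\"javascript:alert('%2541')\">";
const doubleEncodedUrl = "javascript:alert('%2541')";

// Same attack without the extra encoding, for comparison.
const reflectedPlainParam = "<iframe src=\"javascript:alert('A')\">";
const plainUrl = "javascript:alert('A')";

// A javascript: URL that does not come from the request at all.
const benignUrl = "javascript:void(0)";

function demo() {
  return {
    // bypass: the doubly decoded script alert('A') is not found in the
    // once-decoded request, so the pre-patch auditor lets alert('%41') run
    beforeDouble: runJavaScriptUrlBefore(doubleEncodedUrl, reflectedParam),
    // fixed: javascript:alert('%41') is found in the request and blocked
    afterDouble: runJavaScriptUrlAfter(doubleEncodedUrl, reflectedParam),
    beforePlain: runJavaScriptUrlBefore(plainUrl, reflectedPlainParam),
    afterPlain: runJavaScriptUrlAfter(plainUrl, reflectedPlainParam),
    beforeBenign: runJavaScriptUrlBefore(benignUrl, reflectedParam),
    afterBenign: runJavaScriptUrlAfter(benignUrl, reflectedParam),
  };
}

console.log(demo());
```

The attacker's constraint in the pre-patch case is visible in the sample: the doubly encoded bytes must land somewhere that survives one round of decoding as valid script (a string literal or a comment), because the frame loader only decodes once before execution. Moving the audit in front of that decode, as the patch does, removes the asymmetry rather than trying to enumerate encodings.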
