[Webkit-unassigned] [Bug 67134] New: XSSAuditor bypass under big5 encoding

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Aug 29 10:13:41 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=67134

           Summary: XSSAuditor bypass under big5 encoding
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Keywords: XSSAuditor
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: tsepez at chromium.org
                CC: abarth at webkit.org
            Blocks: 66579


XSSAuditor can be tricked under those encodings where not all bytes of a multibyte character are greater than 0x80. Big5 is one such example: trailing bytes need only be greater than 0x40.

third_party/WebKit/Source/WebCore/platform/KURLGoogle.cpp: decodeURLEscapeSequences() isn't character-set aware. So a single big5 character such as the byte sequence 0xc8 0x5f gets transformed into two characters (code points), c8 and 5f, due to the (correct) recovery that happens when trying to interpret those bytes as utf8.

Later, the XSSAuditor removes all non-ascii code points from both the page contents and the URL, so as to be immune to these kinds of misinterpretations when comparing the page contents against the URL. This works well in the cases where a misinterpretation introduces two high-valued characters instead of one high-valued character, as typically happens when all the bytes in the multibyte sequence are greater than 0x80. But for the example page, it removes the (one) high-valued character from the page contents, whereas in the URL it removes the first misinterpreted byte (c8) but leaves the 5f. Since no such character exists in the page, the match fails.

The correct fix is to make decodeURLEscapeSequences() encoding-aware (as the non-Google version in KURL.cpp already is), but this has its own issues, as detailed in the comments in KURLGoogle.cpp.
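The canonicalization mismatch described above, modelled as an added example that is not part of the bug report or of WebKit's code. The sample bytes are constructed: instead of the report's 0xc8 0x5f they use 0xa4 0x40, a standard Big5 character (U+4E00) whose trailing byte is the ASCII '@', so the Python stdlib codec decodes it. The byte-wise recovery is a simplified model (strict UTF-8, then each byte mapped to its own code point); the function names and the containment check standing in for the auditor's comparison are assumptions, not WebKit's API.

```python
import urllib.parse

# Constructed sample: ASCII text wrapping one Big5 character, 0xA4 0x40 (U+4E00),
# whose trailing byte 0x40 is '@' and therefore below 0x80.
PAGE_BYTES = b"abc\xa4\x40def"
# The same bytes as they would appear percent-encoded in a URL parameter.
URL_PARAM = urllib.parse.quote_from_bytes(PAGE_BYTES)  # "abc%A4%40def"


def decode_escapes_naive(param: str) -> str:
    """Model of a URL decoder that is not charset-aware (assumption):
    try UTF-8, and on failure turn every byte into its own code point."""
    raw = urllib.parse.unquote_to_bytes(param)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")  # byte 0xA4 -> U+00A4, byte 0x40 -> '@'


def decode_escapes_aware(param: str, encoding: str) -> str:
    """Model of an encoding-aware URL decoder (assumption): decode the raw
    bytes with the page's declared charset, so 0xA4 0x40 is one code point."""
    return urllib.parse.unquote_to_bytes(param).decode(encoding)


def decode_page(page_bytes: bytes, encoding: str) -> str:
    """The page body is always decoded with its declared charset."""
    return page_bytes.decode(encoding)


def strip_non_ascii(text: str) -> str:
    """The auditor's normalisation: drop every code point >= 0x80."""
    return "".join(ch for ch in text if ord(ch) < 0x80)


def auditor_matches(page_text: str, url_text: str) -> bool:
    """Stand-in for the auditor's comparison (assumption): does the
    normalised page snippet occur in the normalised URL?"""
    return strip_non_ascii(page_text) in strip_non_ascii(url_text)


def compare_pipelines(page_bytes: bytes, param: str, encoding: str = "big5") -> dict:
    """Run both decoders against the same page and report what the auditor sees."""
    page_text = decode_page(page_bytes, encoding)
    naive_url = decode_escapes_naive(param)
    aware_url = decode_escapes_aware(param, encoding)
    return {
        "page_normalised": strip_non_ascii(page_text),      # "abcdef"
        "naive_url_normalised": strip_non_ascii(naive_url),  # "abc@def": the '@' survives
        "aware_url_normalised": strip_non_ascii(aware_url),  # "abcdef"
        "naive_match": auditor_matches(page_text, naive_url),  # False: the bug
        "aware_match": auditor_matches(page_text, aware_url),  # True: the fix
    }


if __name__ == "__main__":
    for key, value in compare_pipelines(PAGE_BYTES, URL_PARAM).items():
        print(f"{key}: {value!r}")
```

The lone trailing byte is the whole story: the naive decoder leaves an ASCII '@' in the URL text that the page text never had, so stripping non-ASCII on both sides cannot reconcile them. Decoding the URL with the page's charset first makes both sides normalise to the same string.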
