[Webkit-unassigned] [Bug 66588] XSS filter bypass via non-standard URL encoding
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Fri Sep 2 11:20:15 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=66588
--- Comment #3 from Thomas Sepez <tsepez at chromium.org> 2011-09-02 11:20:15 PST ---
(From update of attachment 106094)
View in context: https://bugs.webkit.org/attachment.cgi?id=106094&action=review
>> Source/WebCore/html/parser/XSSAuditor.cpp:119
>> +static inline String decodeFancyUnicodeEscapeSequences(const String& string)
>
> Love the name.
Might call it decode16BitUnicodeEscapeSequences.
> Source/WebCore/html/parser/XSSAuditor.cpp:135
> String decodedString = decoder->encoding().decode(workingStringUTF8.data(), workingStringUTF8.length());
We know this can't work. OK for now, but the decoding has to happen inside decodeURLEscapeSequences so maybe pass it the decoder.
> Source/WebCore/platform/text/DecodeEscapeSequences.h:62
> + *p++ = (hexDigitValue(run[2]) << 12) | (hexDigitValue(run[3]) << 8) | (hexDigitValue(run[4]) << 4) | hexDigitValue(run[5]);
*p is a char, but you're assigning 16 bit value to it.
> Source/WebCore/platform/text/DecodeEscapeSequences.h:112
> + String decoded = (encoding.isValid() ? encoding : UTF8Encoding()).decode(buffer.data(), numBytesWritten);
There's a difference between the 8bit version where the %-escapes are interepreted relative to an encoding vs. the %u-style escapes, which are expected to represent a unicode code point no matter what the encoding and shouldn't get decoded. I think your palceDecodedRunInBuffer needs to be passed the encoding so it can decide whether to do this or not, with the output buffer being a String (or UChar equivalent).
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list