[Webkit-unassigned] [Bug 66588] XSS filter bypass via non-standard URL encoding

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Sep 2 11:20:15 PDT 2011


--- Comment #3 from Thomas Sepez <tsepez at chromium.org>  2011-09-02 11:20:15 PST ---
(From update of attachment 106094)
View in context: https://bugs.webkit.org/attachment.cgi?id=106094&action=review

>> Source/WebCore/html/parser/XSSAuditor.cpp:119
>> +static inline String decodeFancyUnicodeEscapeSequences(const String& string)
> Love the name.

Might call it decode16BitUnicodeEscapeSequences.

> Source/WebCore/html/parser/XSSAuditor.cpp:135
>          String decodedString = decoder->encoding().decode(workingStringUTF8.data(), workingStringUTF8.length());

We know this can't work.  OK for now, but the decoding has to happen inside decodeURLEscapeSequences so maybe pass it the decoder.

> Source/WebCore/platform/text/DecodeEscapeSequences.h:62
> +            *p++ = (hexDigitValue(run[2]) << 12) | (hexDigitValue(run[3]) << 8) | (hexDigitValue(run[4]) << 4) | hexDigitValue(run[5]);

*p is a char, but you're assigning 16 bit value to it.

> Source/WebCore/platform/text/DecodeEscapeSequences.h:112
> +        String decoded = (encoding.isValid() ? encoding : UTF8Encoding()).decode(buffer.data(), numBytesWritten);

There's a difference between the 8bit version where the %-escapes are interepreted relative to an encoding vs. the %u-style escapes, which are expected to represent a unicode code point no matter what the encoding and shouldn't get decoded.  I think your palceDecodedRunInBuffer needs to be passed the encoding so it can decide whether to do this or not, with the output buffer being a String (or UChar equivalent).

Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list