[Webkit-unassigned] [Bug 66588] XSS filter bypass via non-standard URL encoding
bugzilla-daemon at webkit.org
Sat Sep 3 22:06:46 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=66588
--- Comment #8 from Daniel Bates <dbates at webkit.org> 2011-09-03 22:06:46 PST ---
(In reply to comment #3)
> (From update of attachment 106094 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=106094&action=review
>
> >> Source/WebCore/html/parser/XSSAuditor.cpp:119
> >> +static inline String decodeFancyUnicodeEscapeSequences(const String& string)
> >
> > Love the name.
>
> Might call it decode16BitUnicodeEscapeSequences.
Will rename.
>
> > Source/WebCore/html/parser/XSSAuditor.cpp:135
> > String decodedString = decoder->encoding().decode(workingStringUTF8.data(), workingStringUTF8.length());
>
> We know this can't work. OK for now, but the decoding has to happen inside decodeURLEscapeSequences so maybe pass it the decoder.
Will remove and instead pass text encoding to decodeURLEscapeSequences().
>
> > Source/WebCore/platform/text/DecodeEscapeSequences.h:62
> > + *p++ = (hexDigitValue(run[2]) << 12) | (hexDigitValue(run[3]) << 8) | (hexDigitValue(run[4]) << 4) | hexDigitValue(run[5]);
>
> *p is a char, but you're assigning 16 bit value to it.
>
Will fix.
> > Source/WebCore/platform/text/DecodeEscapeSequences.h:112
> > + String decoded = (encoding.isValid() ? encoding : UTF8Encoding()).decode(buffer.data(), numBytesWritten);
>
> There's a difference between the 8bit version where the %-escapes are interpreted relative to an encoding vs. the %u-style escapes, which are expected to represent a unicode code point no matter what the encoding and shouldn't get decoded. I think your placeDecodedRunInBuffer needs to be passed the encoding so it can decide whether to do this or not, with the output buffer being a String (or UChar equivalent).
Will rename placeDecodedRunInBuffer() to decodeRun(), have it take as input a text encoding, and have it return a String object.
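The %XX versus %uXXXX distinction raised in the review above, as an added example that is not the WebKit patch's code: a stand-alone decoder in which literal bytes and %XX escapes are buffered and decoded together relative to the page encoding (a small UTF-8 decoder stands in for encoding.decode(); the encoding is assumed to be UTF-8), while %uXXXX escapes are written straight into the UTF-16 result and never narrowed to a char. The names decodeEscapeSequences, utf8ToUtf16 and isHexRun are my own.

```cpp
#include <cstdint>
#include <string>
static int hexDigitValue(char c) {
    return c >= '0' && c <= '9' ? c - '0' : c >= 'a' && c <= 'f' ? c - 'a' + 10 : c >= 'A' && c <= 'F' ? c - 'A' + 10 : -1;
}
static bool isHexRun(const std::string& s, size_t pos, size_t n) {  // n hex digits at s[pos]?
    if (pos + n > s.size()) return false;
    for (size_t i = 0; i < n; ++i) if (hexDigitValue(s[pos + i]) < 0) return false;
    return true;
}
// Stand-in for the page encoding's decoder (UTF-8 assumed): bytes -> UTF-16 code units.
// Malformed or truncated sequences become U+FFFD; overlong forms are not rejected.
static std::u16string utf8ToUtf16(const std::string& bytes) {
    std::u16string out;
    for (size_t i = 0; i < bytes.size();) {
        unsigned char b = bytes[i];
        size_t len = b < 0x80 ? 1 : (b & 0xE0) == 0xC0 ? 2 : (b & 0xF0) == 0xE0 ? 3 : (b & 0xF8) == 0xF0 ? 4 : 0;
        uint32_t cp = b & (len == 1 ? 0x7F : len == 2 ? 0x1F : len == 3 ? 0x0F : 0x07);
        bool ok = len > 0 && i + len <= bytes.size();
        for (size_t k = 1; ok && k < len; ++k) {
            ok = ((unsigned char)bytes[i + k] & 0xC0) == 0x80;
            cp = (cp << 6) | ((unsigned char)bytes[i + k] & 0x3F);
        }
        if (!ok) { out.push_back(0xFFFD); ++i; continue; }
        i += len;
        if (cp > 0xFFFF) { cp -= 0x10000; out.push_back(char16_t(0xD800 + (cp >> 10))); cp = 0xDC00 + (cp & 0x3FF); }
        out.push_back(char16_t(cp));
    }
    return out;
}
// Literal bytes and %XX escapes are both input to the page encoding, so they are buffered and
// decoded together. %uXXXX names a UTF-16 code unit outright and is emitted directly, never
// through the byte decoder and never stored in a char (which would keep only the low byte).
static std::u16string decodeEscapeSequences(const std::string& in) {
    std::u16string out;
    std::string pendingBytes;
    for (size_t i = 0; i < in.size();) {
        if (in[i] == '%' && i + 1 < in.size() && in[i + 1] == 'u' && isHexRun(in, i + 2, 4)) {
            out += utf8ToUtf16(pendingBytes);  // flush the bytes collected so far
            pendingBytes.clear();
            out.push_back(char16_t((hexDigitValue(in[i + 2]) << 12) | (hexDigitValue(in[i + 3]) << 8)
                                 | (hexDigitValue(in[i + 4]) << 4) | hexDigitValue(in[i + 5])));
            i += 6;
        } else if (in[i] == '%' && isHexRun(in, i + 1, 2)) {
            pendingBytes.push_back(char((hexDigitValue(in[i + 1]) << 4) | hexDigitValue(in[i + 2]))); i += 3;
        } else { pendingBytes.push_back(in[i++]); }  // not an escape: a literal byte in the page encoding
    }
    out += utf8ToUtf16(pendingBytes);
    return out;
}
```

A malformed %u run (too few hex digits) is left as literal text rather than partially decoded, and a multibyte %XX sequence is only meaningful once all of its bytes have been collected.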