[Webkit-unassigned] [Bug 66588] XSS filter bypass via non-standard URL encoding

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Sat Sep 3 22:06:46 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=66588

--- Comment #8 from Daniel Bates <dbates at webkit.org>  2011-09-03 22:06:46 PST ---
(In reply to comment #3)
> (From update of attachment 106094 [details])
> View in context: https://bugs.webkit.org/attachment.cgi?id=106094&action=review
> 
> >> Source/WebCore/html/parser/XSSAuditor.cpp:119
> >> +static inline String decodeFancyUnicodeEscapeSequences(const String& string)
> > 
> > Love the name.
> 
> Might call it decode16BitUnicodeEscapeSequences.

Will rename.

> 
> > Source/WebCore/html/parser/XSSAuditor.cpp:135
> >          String decodedString = decoder->encoding().decode(workingStringUTF8.data(), workingStringUTF8.length());
> 
> We know this can't work.  OK for now, but the decoding has to happen inside decodeURLEscapeSequences so maybe pass it the decoder.

Will remove and instead pass text encoding to decodeURLEscapeSequences().

> 
> > Source/WebCore/platform/text/DecodeEscapeSequences.h:62
> > +            *p++ = (hexDigitValue(run[2]) << 12) | (hexDigitValue(run[3]) << 8) | (hexDigitValue(run[4]) << 4) | hexDigitValue(run[5]);
> 
> *p is a char, but you're assigning 16 bit value to it.
> 

Will fix.

> > Source/WebCore/platform/text/DecodeEscapeSequences.h:112
> > +        String decoded = (encoding.isValid() ? encoding : UTF8Encoding()).decode(buffer.data(), numBytesWritten);
> 
> There's a difference between the 8bit version where the %-escapes are interpreted relative to an encoding vs. the %u-style escapes, which are expected to represent a unicode code point no matter what the encoding and shouldn't get decoded.  I think your placeDecodedRunInBuffer needs to be passed the encoding so it can decide whether to do this or not, with the output buffer being a String (or UChar equivalent).

Will rename placeDecodedRunInBuffer() to decodeRun(), have it take as input a text encoding, and have it return a String object.

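The review point above is that %XX escapes are bytes that only become characters once they pass through the page's text encoding, while %uXXXX escapes (the non-standard, IE-style form the bug title refers to) already name a UTF-16 code unit and must bypass that step, and that the 16-bit value cannot be stored in a char. The following C++ block is an added illustration of that split; it is not WebKit's XSSAuditor code nor the patch under review. The names `Encoding`, `decodeURLEscapeSequences` (with a `decode16Bit` flag that, when off, behaves like a decoder that ignores %uXXXX) and `containsScriptTag` are chosen for the example, the UTF-8 decoder is a simplified one, and the sample URL is constructed.

```cpp
// Added example: not WebKit's code. Splits URL-escape decoding the way the
// review asks: %XX escapes are bytes interpreted through the page encoding,
// %uXXXX escapes are UTF-16 code units written straight into the output.
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

enum class Encoding { UTF8, Latin1 };  // assumed: two encodings suffice for the illustration

static int hexDigitValue(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}
static bool isHex(char c) { return hexDigitValue(c) >= 0; }

// Append one code point as UTF-16 (surrogate pair above U+FFFF).
static void appendCodePoint(std::u16string& out, uint32_t cp) {
    if (cp < 0x10000) { out.push_back(static_cast<char16_t>(cp)); return; }
    cp -= 0x10000;
    out.push_back(static_cast<char16_t>(0xD800 + (cp >> 10)));
    out.push_back(static_cast<char16_t>(0xDC00 + (cp & 0x3FF)));
}

// Decode a byte run via the encoding. The UTF-8 path is simplified: each
// malformed byte becomes U+FFFD; overlongs and surrogates are not rejected.
static void decodeBytes(std::u16string& out, const std::vector<uint8_t>& bytes, Encoding enc) {
    if (enc == Encoding::Latin1) {
        for (uint8_t b : bytes) out.push_back(static_cast<char16_t>(b));
        return;
    }
    for (size_t i = 0; i < bytes.size();) {
        uint8_t b = bytes[i];
        int len = 0; uint32_t cp = 0;
        if (b < 0x80) { len = 1; cp = b; }
        else if ((b & 0xE0) == 0xC0) { len = 2; cp = b & 0x1F; }
        else if ((b & 0xF0) == 0xE0) { len = 3; cp = b & 0x0F; }
        else if ((b & 0xF8) == 0xF0) { len = 4; cp = b & 0x07; }
        else { out.push_back(0xFFFD); ++i; continue; }
        bool ok = i + len <= bytes.size();
        for (int k = 1; ok && k < len; ++k) {
            uint8_t t = bytes[i + k];
            if ((t & 0xC0) != 0x80) ok = false; else cp = (cp << 6) | (t & 0x3F);
        }
        if (!ok) { out.push_back(0xFFFD); ++i; continue; }
        appendCodePoint(out, cp);
        i += len;
    }
}

// decode16Bit=false reproduces a decoder that ignores %uXXXX, the gap the bug
// report is about. Consecutive %XX escapes (and raw bytes) are gathered into
// one run so multi-byte UTF-8 sequences split across escapes still decode.
std::u16string decodeURLEscapeSequences(const std::string& in, Encoding enc, bool decode16Bit) {
    std::u16string out;
    std::vector<uint8_t> run;
    auto flush = [&]() { if (!run.empty()) { decodeBytes(out, run, enc); run.clear(); } };
    const size_t n = in.size();
    for (size_t i = 0; i < n;) {
        if (in[i] == '%' && decode16Bit && i + 5 < n && (in[i + 1] == 'u' || in[i + 1] == 'U')
            && isHex(in[i + 2]) && isHex(in[i + 3]) && isHex(in[i + 4]) && isHex(in[i + 5])) {
            flush();  // the unit is not a byte: it never passes through the encoding
            int unit = (hexDigitValue(in[i + 2]) << 12) | (hexDigitValue(in[i + 3]) << 8)
                     | (hexDigitValue(in[i + 4]) << 4) | hexDigitValue(in[i + 5]);
            out.push_back(static_cast<char16_t>(unit));  // 16 bits wide; a char would truncate it
            i += 6;
        } else if (in[i] == '%' && i + 2 < n && isHex(in[i + 1]) && isHex(in[i + 2])) {
            run.push_back(static_cast<uint8_t>(hexDigitValue(in[i + 1]) * 16 + hexDigitValue(in[i + 2])));
            i += 3;
        } else {
            run.push_back(static_cast<uint8_t>(in[i]));
            ++i;
        }
    }
    flush();
    return out;
}

// Toy stand-in for the auditor's matching step: ASCII case-insensitive search
// for "<script" in the decoded text.
bool containsScriptTag(const std::string& url, Encoding enc, bool decode16Bit) {
    std::u16string lower;
    for (char16_t ch : decodeURLEscapeSequences(url, enc, decode16Bit))
        lower.push_back((ch >= u'A' && ch <= u'Z') ? static_cast<char16_t>(ch + 32) : ch);
    return lower.find(u"<script") != std::u16string::npos;
}

int main() {
    const char* url = "%u003Cscript%u003E";  // constructed sample using IE-style escapes
    std::printf("%%XX-only decoder: %s\n", containsScriptTag(url, Encoding::UTF8, false) ? "flagged" : "missed");
    std::printf("with %%u decoding: %s\n", containsScriptTag(url, Encoding::UTF8, true) ? "flagged" : "missed");
    return 0;
}
```

The two calls in `main` show the bypass and its fix side by side: the same `%u003Cscript%u003E` input is missed by a %XX-only decoder and flagged once %u escapes are decoded. The `%C3%A9` versus `%u00E9` cases are the encoding point from the review: the byte form decodes to one character under UTF-8 and two under Latin-1, while the %u form yields U+00E9 whatever the encoding.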