[Webkit-unassigned] [Bug 67134] XSSAuditor bypass under big5 encoding

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 7 11:25:42 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=67134

--- Comment #1 from Thomas Sepez <tsepez at chromium.org>  2011-09-07 11:25:42 PST ---
I've written a test for this, but it manifests only under --chromium.  There's a happy coincidence that generally masks this on the KURL.cpp side: namely what happens when a bad sequence is encountered.

As indicated above, the KURLGoogle path is something like:
%c9%5f => 00c9 005f => c3 89 5f => [ c389 big5 char ] 5f => [ hi unicode char ] 5f => 5f
Where each byte of the invalid sequence is passed through as the equivalent codepoint (after first arrow above).

The KURL path is something like:
%c9%5f => fffd 005f => ef bf bd 5f => [ efbf big5 char ] [ bd5f big5 char ] => [hi unicode][hi unicode] => empty string
where each byte of the invalid sequence is replaced by the unicode replacement character U+fffd.

The coincidence is that during the KURL case, the replacement codepoint turns into an odd number of utf8 bytes (after the second arrow) but the KURLGoogle replacement code point turns into an even number of utf8 bytes. Hence the byte for the following 5f gets eaten as part of a second big5 character in one case, but gets passed through as-is in the other.

There will be variations involving other charsets that don't hit this happy coincidence, but this explains why the test case I was working on passed under the normal build.

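The two decoding chains in Comment #1 can be replayed end to end with Python's codecs standing in for the KURL and KURLGoogle paths. This is an added example, not code from the bug report or from WebKit. Everything in it is an assumption about a stand-in, not about WebKit: the function names are made up for illustration; 'surrogateescape' and 'replace' on Python's UTF-8 decoder model the byte-passthrough and U+FFFD behaviours the comment describes; Python's 'big5' codec models the page-side Big5 decoder, and its table differs from WebKit's (it rejects c3 89, which the comment says WebKit's decoder accepted as one Big5 character, so that character shows up here as U+FFFD instead); and the last arrow in both chains, where the high Unicode characters drop out, is modelled only by keeping ASCII. The byte-boundary effect is what the example shows: the U+00C9 passthrough re-encodes to an even number of UTF-8 bytes and the trailing 5f lands on a Big5 character boundary, while U+FFFD re-encodes to three bytes and the 5f is swallowed as the trail byte of a second Big5 character.

```python
"""Added example (not WebKit code): replay the KURL / KURLGoogle decoding chains
from bug 67134 comment #1 using Python's codecs as stand-ins.  The 'big5' codec
and the ASCII-only final step are assumptions, not WebKit's actual logic."""
from urllib.parse import unquote_to_bytes


def utf8_passthrough(raw: bytes) -> str:
    """KURLGoogle-style lenient UTF-8 (stand-in): each byte of an invalid
    sequence is passed through as the code point with the same value, so
    0xC9 becomes U+00C9."""
    chars = []
    # 'surrogateescape' tags each undecodable byte as U+DC80..U+DCFF, which lets
    # us recover the raw byte value and map it onto U+0080..U+00FF.
    for ch in raw.decode("utf-8", "surrogateescape"):
        cp = ord(ch)
        chars.append(chr(cp - 0xDC00) if 0xDC80 <= cp <= 0xDCFF else ch)
    return "".join(chars)


def utf8_replace(raw: bytes) -> str:
    """KURL-style lenient UTF-8 (stand-in): each byte of an invalid sequence
    becomes the replacement character U+FFFD."""
    return raw.decode("utf-8", "replace")


def reinterpret_as_big5(decoded: str) -> str:
    """Re-encode the code points as UTF-8 and decode those bytes as Big5, which
    is how a page declared as big5 consumes them.  Bytes that Python's table
    cannot decode become U+FFFD instead of raising, so the chain runs to the end."""
    return decoded.encode("utf-8").decode("big5", "replace")


def ascii_survivors(text: str) -> str:
    """Simplified stand-in (an assumption, not WebKit's logic) for the final
    arrow in both chains: the high Unicode characters drop out, ASCII remains."""
    return "".join(ch for ch in text if ord(ch) < 0x80)


def trace(percent_encoded: str, lenient_utf8) -> dict:
    """Run one chain on a percent-encoded input and record every intermediate
    form as hex, so the two paths can be compared side by side."""
    raw = unquote_to_bytes(percent_encoded)
    decoded = lenient_utf8(raw)
    big5_view = reinterpret_as_big5(decoded)
    return {
        "raw": raw.hex(),
        "code_points": " ".join(f"{ord(c):04x}" for c in decoded),
        "utf8_bytes": decoded.encode("utf-8").hex(),
        # Even (2) for U+00C9, odd (3) for U+FFFD: this is what decides whether
        # the following 0x5f stays on a Big5 character boundary.
        "replacement_utf8_len": len(decoded[0].encode("utf-8")),
        "big5_chars": " ".join(f"{ord(c):04x}" for c in big5_view),
        "survivors": ascii_survivors(big5_view),
    }


if __name__ == "__main__":
    # Constructed input: the %c9%5f sequence from the comment.
    for name, fn in (("KURLGoogle", utf8_passthrough), ("KURL", utf8_replace)):
        result = trace("%c9%5f", fn)
        print(f"{name} path:")
        for key, value in result.items():
            print(f"  {key:22} {value!r}")
```

Running it prints both chains; the KURLGoogle path ends with the underscore (0x5f) intact and the KURL path ends with nothing ASCII at all, because ef bf and bd 5f pair up as two Big5 characters. Feeding the same helpers a different charset (for example a 'big5hkscs' or 'gbk' decode in reinterpret_as_big5) is the quickest way to look for the "variations involving other charsets" the comment mentions.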