[Webkit-unassigned] [Bug 68094] xssauditor - script block ending in comment can bypass auditor.

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Sep 21 10:48:29 PDT 2011


https://bugs.webkit.org/show_bug.cgi?id=68094
--- Comment #7 from Thomas Sepez <tsepez at chromium.org>  2011-09-21 10:48:29 PST ---
I still think we can't stop at the first comment as we do for inline handlers, since it is so common for legitimate script blocks to start with comments; doing so would cause any <script> in the URL to match, making it too noisy.  And having found the code, comparing it and the script tag in two comparisons against the URL seems to do a good job here (as it turns out, it happens to catch the case in the "wontfix bug" but that was not the intent).

I'm thinking that it is OK to eliminate the quote balancing when looking for the end of the code fragment.  I wanted to avoid stopping on something like "http://", but since legitimate code will have something before the string literal, we probably have enough signal even if we do stop there.  If you throw that requirement out, then it becomes more practical to do this via a series of finds() since you're not worried about the context. Simpler, in some sense, but less elegant and slower.  I'd expect that most of the code in here would reduce to state machines if we wanted to grease it ...

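As an added illustration (not WebKit's XSSAuditor code, and not part of the bug thread), the following models the scheme Thomas describes: leading comments are skipped before a code fragment is taken from the script block, the fragment is optionally cut at the first comment marker with or without quote balancing, and the opening tag and the fragment are then compared separately against the decoded request URL. The `openTag` and `scriptBody` parameters and the sample inputs in the test are constructed for this example.

```cpp
#include <cctype>
#include <string>

// Skip whitespace and any run of leading // or /* */ comments, so a block
// that merely starts with a comment does not yield an empty fragment.
static size_t skipLeadingComments(const std::string& s, size_t i) {
    while (i < s.size()) {
        if (std::isspace(static_cast<unsigned char>(s[i]))) { ++i; continue; }
        if (s.compare(i, 2, "//") == 0) {
            size_t nl = s.find('\n', i);
            i = (nl == std::string::npos) ? s.size() : nl + 1;
        } else if (s.compare(i, 2, "/*") == 0) {
            size_t end = s.find("*/", i + 2);
            i = (end == std::string::npos) ? s.size() : end + 2;
        } else {
            break;
        }
    }
    return i;
}

// Code up to the next comment marker. With balanceQuotes, a marker inside a
// '...' or "..." literal (the "http://" case) does not end the fragment.
std::string leadingCodeFragment(const std::string& script, bool balanceQuotes) {
    size_t start = skipLeadingComments(script, 0);
    char quote = 0;
    size_t i = start;
    for (; i < script.size(); ++i) {
        char c = script[i];
        if (quote) {
            if (c == '\\') { ++i; continue; }  // skip the escaped character
            if (c == quote) quote = 0;
            continue;
        }
        if (balanceQuotes && (c == '"' || c == '\'')) { quote = c; continue; }
        if (c == '/' && i + 1 < script.size() && (script[i + 1] == '/' || script[i + 1] == '*'))
            break;
    }
    return script.substr(start, i - start);
}

// The two comparisons: the opening tag and the code fragment must both appear
// in the decoded request URL. An empty fragment never matches on the tag alone.
bool urlReflectsScript(const std::string& decodedUrl, const std::string& openTag,
                       const std::string& scriptBody, bool balanceQuotes) {
    std::string fragment = leadingCodeFragment(scriptBody, balanceQuotes);
    if (fragment.empty()) return false;
    return decodedUrl.find(openTag) != std::string::npos
        && decodedUrl.find(fragment) != std::string::npos;
}
```

Without quote balancing the fragment for `var u = "http://example.org";` stops at `var u = "http:`, which is the shorter but still distinctive signal the comment argues is acceptable.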