[Webkit-unassigned] [Bug 68094] xssauditor - script block ending in comment can bypass auditor.
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Sep 21 14:42:10 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=68094
--- Comment #12 from Adam Barth <abarth at webkit.org> 2011-09-21 14:42:10 PST ---
(From update of attachment 108232)
View in context: https://bugs.webkit.org/attachment.cgi?id=108232&action=review
> Source/WebCore/html/parser/XSSAuditor.cpp:311
> + int start = 0;
> + int end = token.endIndex() - token.startIndex();
snippetForRange doesn't use the same indicies as token.startIndex? I guess this is the same way the code used to work. (Also, these indicies should probably all be size_t, but that's a yak for another day.)
> Source/WebCore/html/parser/XSSAuditor.cpp:313
> + if (isContainedInRequest(fullyDecodeString(snippet, decoder))) {
I see, we're not requiring the two pieces to be contiguous in the request. Is that intentional? I guess the code fragment isn't necessarily at the beginning of the script.
> Source/WebCore/html/parser/XSSAuditor.cpp:542
> +String XSSAuditor::extractCodeFragment(const String& string)
If this is specific to JavaScript, maybe we should call it snippetForJavaScript ?
> Source/WebCore/html/parser/XSSAuditor.cpp:548
> + size_t foundPosition;
I would initialize this scalar with notFound, but that's just because I'm paranoid.
> Source/WebCore/html/parser/XSSAuditor.cpp:561
> + if (string.substring(startPosition, 4) == "<!--") {
> + while (startPosition < endPosition && string[startPosition] != '\r' && string[startPosition] != '\n')
> + startPosition++;
> + while (startPosition < endPosition && isHTMLSpace(string[startPosition]))
> + startPosition++;
> + }
I'm not sure why this is a special case. It seems like we could just fold this into the following loop. <!-- is really the same thing as //.
> Source/WebCore/html/parser/XSSAuditor.cpp:566
> + if (string.substring(startPosition, 2) == "//") {
Here too we're doing a malloc for each character we scan. This might be worth adding to WTFString.
> Source/WebCore/html/parser/XSSAuditor.cpp:568
> + while (startPosition < endPosition && string[startPosition] != '\r' && string[startPosition] != '\n')
> + startPosition++;
Maybe have an inline function to test for isLinebreak ?
> Source/WebCore/html/parser/XSSAuditor.cpp:584
> + foundPosition = startPosition + kMaximumFragmentLength;
So, kMaximumFragmentLength isn't really the maximum. It's some sort of target for the maximum.
> Source/WebCore/html/parser/XSSAuditor.cpp:595
> + // Stop at next comment.
> + if ((foundPosition = string.find("//", startPosition, endPosition - startPosition)) != notFound)
> + endPosition = foundPosition;
> + if ((foundPosition = string.find("/*", startPosition, endPosition - startPosition)) != notFound)
> + endPosition = foundPosition;
We should probably stop at the first <!-- too. In JavaScript <!-- is just like //.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list