[Webkit-unassigned] [Bug 68094] xssauditor - script block ending in comment can bypass auditor.
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Wed Sep 21 14:57:13 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=68094
--- Comment #14 from Thomas Sepez <tsepez at chromium.org> 2011-09-21 14:57:13 PST ---
(From update of attachment 108232)
View in context: https://bugs.webkit.org/attachment.cgi?id=108232&action=review
>> Source/WebCore/html/parser/XSSAuditor.cpp:311
>> + int end = token.endIndex() - token.startIndex();
>
> snippetForRange doesn't use the same indicies as token.startIndex? I guess this is the same way the code used to work. (Also, these indicies should probably all be size_t, but that's a yak for another day.)
Will leave as is.
>> Source/WebCore/html/parser/XSSAuditor.cpp:313
>> + if (isContainedInRequest(fullyDecodeString(snippet, decoder))) {
>
> I see, we're not requiring the two pieces to be contiguous in the request. Is that intentional? I guess the code fragment isn't necessarily at the beginning of the script.
Yes, we need to deal with an injection like <script>// comment to trick you %0a alert(0) </script> now. We won't include the comment in the snippet we extract.
>> Source/WebCore/html/parser/XSSAuditor.cpp:542
>> +String XSSAuditor::extractCodeFragment(const String& string)
>
> If this is specific to JavaScript, maybe we should call it snippetForJavaScript ?
Sure. Will rename.
>> Source/WebCore/html/parser/XSSAuditor.cpp:548
>> + size_t foundPosition;
>
> I would initialize this scalar with notFound, but that's just because I'm paranoid.
Sure. would like an uninit reference to lead to string[notFound] taking an exception.
>> Source/WebCore/html/parser/XSSAuditor.cpp:561
>> + }
>
> I'm not sure why this is a special case. It seems like we could just fold this into the following loop. <!-- is really the same thing as //.
Ok. My recollection of the spec was that the first instance of <!-- was a comment, but that subsequent ones were <!-- , as in if (a<!--b) {} but I may be wrong here.
>> Source/WebCore/html/parser/XSSAuditor.cpp:566
>> + if (string.substring(startPosition, 2) == "//") {
>
> Here too we're doing a malloc for each character we scan. This might be worth adding to WTFString.
Or just sp + 1 < ep && string[sp] == '/' && string[sp+1] == '/'
>> Source/WebCore/html/parser/XSSAuditor.cpp:568
>> + startPosition++;
>
> Maybe have an inline function to test for isLinebreak ?
Sure.
>> Source/WebCore/html/parser/XSSAuditor.cpp:584
>> + foundPosition = startPosition + kMaximumFragmentLength;
>
> So, kMaximumFragmentLength isn't really the maximum. It's some sort of target for the maximum.
Ok, I'll call it kMaximumFragmentLengthTarget.
>> Source/WebCore/html/parser/XSSAuditor.cpp:595
>> + endPosition = foundPosition;
>
> We should probably stop at the first <!-- too. In JavaScript <!-- is just like //.
Yes, see above.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
More information about the webkit-unassigned
mailing list