    XSS filter bypass via non-standard URL encoding · adf5c3c2
    dbates@webkit.org authored
    https://bugs.webkit.org/show_bug.cgi?id=66588
    
    Reviewed by Adam Barth.
    
    Source/WebCore: 
    
    Tests: http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair.html
           http/tests/security/xssAuditor/script-tag-with-16bit-unicode.html
           http/tests/security/xssAuditor/script-tag-with-16bit-unicode2.html
           http/tests/security/xssAuditor/script-tag-with-16bit-unicode3.html
           http/tests/security/xssAuditor/script-tag-with-16bit-unicode4.html
           http/tests/security/xssAuditor/script-tag-with-16bit-unicode5.html
           http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode.html
           http/tests/security/xssAuditor/window-open-without-url-should-not-assert.html
    
    Implement support for decoding non-standard 16-bit Unicode escape sequences of
    the form %u26C4 as described in <http://www.w3.org/International/iri-edit/draft-duerst-iri.html#anchor29>.
    
    See also <http://en.wikipedia.org/wiki/Percent-encoding#Non-standard_implementations>.
    
    * GNUmakefile.list.am: Added DecodeEscapeSequences.h.
    * WebCore.gypi: Ditto.
    * WebCore.pro: Ditto.
    * WebCore.vcproj/WebCore.vcproj: Ditto.
    * WebCore.xcodeproj/project.pbxproj: Ditto.
    * html/parser/XSSAuditor.cpp:
    (WebCore::decode16BitUnicodeEscapeSequences): Added.
    (WebCore::decodeStandardURLEscapeSequences): Added.
    (WebCore::fullyDecodeString): Modified to call decode16BitUnicodeEscapeSequences().
    (WebCore::XSSAuditor::init): Modified to return early when the URL of the document
    is the empty string. This can happen when opening a new browser window or calling
    window.open("").
    * platform/KURL.cpp:
    (WebCore::decodeURLEscapeSequences): Abstracted code into template-function decodeEscapeSequences().
    This function just calls decodeEscapeSequences<URLEscapeSequence>().
    * platform/text/DecodeEscapeSequences.h: Added.
    (WebCore::Unicode16BitEscapeSequence::findInString):
    (WebCore::Unicode16BitEscapeSequence::matchStringPrefix):
    (WebCore::Unicode16BitEscapeSequence::decodeRun):
    (WebCore::URLEscapeSequence::findInString):
    (WebCore::URLEscapeSequence::matchStringPrefix):
    (WebCore::URLEscapeSequence::decodeRun):
    (WebCore::decodeEscapeSequences):
    
    LayoutTests: 
    
    Add tests for decoding non-standard 16-bit Unicode escape sequences.
    
    Also add a test to ensure that we don't cause an assertion failure when
    calling window.open("").
    
    * http/tests/security/xssAuditor/resources/echo-intertag-decode-16bit-unicode.pl: Added.
    (isUTF16Surrogate):
    (decodeRunOf16BitUnicodeEscapeSequences):
    (decode16BitUnicodeEscapeSequences):
    * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-expected.txt: Added.
    * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair-expected.txt: Added.
    * http/tests/security/xssAuditor/script-tag-with-16bit-unicode-surrogate-pair.html: Added.
    * http/tests/security/xssAuditor/script-tag-with-16bit-unicode.html: Added.
    * http/tests/security/xssAuditor/script-tag-with-16bit-unicode2-expected.txt: Added.
    * http/tests/security/xssAuditor/script-tag-with-16bit-unicode2.html: Added.
    * http/tests/security/xssAuditor/script-tag-with-16bit-unicode3-expected.txt: Added.
    * http/tests/security/xssAuditor/script-tag-with-16bit-unicode3.html: Added.
    * http/tests/security/xssAuditor/script-tag-with-16bit-unicode4-expected.txt: Added.
    * http/tests/security/xssAuditor/script-tag-with-16bit-unicode4.html: Added.
    * http/tests/security/xssAuditor/script-tag-with-16bit-unicode5-expected.txt: Added.
    * http/tests/security/xssAuditor/script-tag-with-16bit-unicode5.html: Added.
    * http/tests/security/xssAuditor/script-tag-with-fancy-unicode-expected.txt: Updated expected
    result since we now pass this test. We should rename this file to something more descriptive,
    see <https://bugs.webkit.org/show_bug.cgi?id=67818>.
    * http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode-expected.txt: Added.
    * http/tests/security/xssAuditor/script-tag-with-three-times-url-encoded-16bit-unicode.html: Added.
    * http/tests/security/xssAuditor/window-open-without-url-should-not-assert-expected.txt: Added.
    * http/tests/security/xssAuditor/window-open-without-url-should-not-assert.html: Added.
    
    
    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@94828 268f45cc-cd09-0410-ab3c-d52691b4dbfc
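The ChangeLog above names the pieces the fix adds (`decode16BitUnicodeEscapeSequences`, `decodeStandardURLEscapeSequences`, a `fullyDecodeString` that runs the 16-bit decoder, and a Perl test helper that handles UTF-16 surrogates) but the page carries none of the code. The stand-alone C++ below is an added example, not WebKit's `DecodeEscapeSequences.h` or `XSSAuditor.cpp`, and it reuses those function names only for readability. It shows the defensive point of the commit: a filter that compares a request against the page's markup has to canonicalize every encoding the browser will later accept, including the non-standard `%uXXXX` form and surrogate pairs such as `%uD83D%uDE00`, and it has to keep decoding until the string stops changing so that a payload encoded two or three times over (the `three-times-url-encoded` test) reaches the same bytes the HTML parser sees. Assumptions not taken from the page: both `%u` and `%U` are accepted, a lone surrogate is replaced by U+FFFD, output is a UTF-8 byte string, the order of the two decoders inside each round, and the eight-round bound on the fixed-point loop.

```cpp
#include <cstdint>
#include <iostream>
#include <string>

// Added example, not WebKit's DecodeEscapeSequences.h: a decoder for the
// non-standard %uXXXX form beside the standard %XX form, plus a fixed-point
// loop that applies both until nothing changes.

static int hexValue(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Parse `count` hex digits starting at `pos`; false if any is missing or invalid.
static bool parseHex(const std::string& s, size_t pos, size_t count, uint32_t& value) {
    if (pos + count > s.size()) return false;
    value = 0;
    for (size_t i = 0; i < count; ++i) {
        int h = hexValue(s[pos + i]);
        if (h < 0) return false;
        value = (value << 4) | static_cast<uint32_t>(h);
    }
    return true;
}

// Append a code point as UTF-8 (assumption: the decoded output is a UTF-8 byte string).
static void appendUTF8(std::string& out, uint32_t cp) {
    if (cp < 0x80) {
        out += static_cast<char>(cp);
    } else if (cp < 0x800) {
        out += static_cast<char>(0xC0 | (cp >> 6));
        out += static_cast<char>(0x80 | (cp & 0x3F));
    } else if (cp < 0x10000) {
        out += static_cast<char>(0xE0 | (cp >> 12));
        out += static_cast<char>(0x80 | ((cp >> 6) & 0x3F));
        out += static_cast<char>(0x80 | (cp & 0x3F));
    } else {
        out += static_cast<char>(0xF0 | (cp >> 18));
        out += static_cast<char>(0x80 | ((cp >> 12) & 0x3F));
        out += static_cast<char>(0x80 | ((cp >> 6) & 0x3F));
        out += static_cast<char>(0x80 | (cp & 0x3F));
    }
}

// True if a %uXXXX sequence starts at pos (accepting %u and %U is an assumption).
static bool match16BitEscape(const std::string& s, size_t pos, uint32_t& unit) {
    return pos + 6 <= s.size() && s[pos] == '%'
        && (s[pos + 1] == 'u' || s[pos + 1] == 'U') && parseHex(s, pos + 2, 4, unit);
}

// Decode %uXXXX escapes. A high surrogate immediately followed by a %uXXXX low
// surrogate becomes one supplementary code point; a lone surrogate becomes
// U+FFFD (assumption). Anything that is not a well-formed escape passes through.
std::string decode16BitUnicodeEscapeSequences(const std::string& in) {
    std::string out;
    size_t i = 0;
    while (i < in.size()) {
        uint32_t unit;
        if (!match16BitEscape(in, i, unit)) { out += in[i++]; continue; }
        i += 6;
        if (unit >= 0xD800 && unit <= 0xDBFF) {
            uint32_t low;
            if (match16BitEscape(in, i, low) && low >= 0xDC00 && low <= 0xDFFF) {
                appendUTF8(out, 0x10000 + ((unit - 0xD800) << 10) + (low - 0xDC00));
                i += 6;
            } else {
                appendUTF8(out, 0xFFFD);
            }
        } else if (unit >= 0xDC00 && unit <= 0xDFFF) {
            appendUTF8(out, 0xFFFD);
        } else {
            appendUTF8(out, unit);
        }
    }
    return out;
}

// Decode standard %XX byte escapes; a '%' not followed by two hex digits is kept.
std::string decodeStandardURLEscapeSequences(const std::string& in) {
    std::string out;
    for (size_t i = 0; i < in.size();) {
        uint32_t byte;
        if (in[i] == '%' && parseHex(in, i + 1, 2, byte)) {
            out += static_cast<char>(byte);
            i += 3;
        } else {
            out += in[i++];
        }
    }
    return out;
}

// Run both decoders until the string stops changing (the eight-round bound is an
// assumption), so input encoded several times over reaches its final bytes.
std::string fullyDecodeString(const std::string& in) {
    std::string current = in;
    for (int round = 0; round < 8; ++round) {
        std::string next = decodeStandardURLEscapeSequences(decode16BitUnicodeEscapeSequences(current));
        if (next == current) break;
        current = next;
    }
    return current;
}

int main() {
    // Constructed input: a %u escape that has itself been URL-encoded twice more.
    std::cout << fullyDecodeString("%2525u003Cscript%2525u003E") << '\n'; // <script>
    return 0;
}
```

The fixed-point loop is what makes the `three-times-url-encoded` case work: each round peels one layer, and the comparison with the page's markup only happens once no decoder changes the string. The surrogate handling mirrors what the Perl helpers `isUTF16Surrogate` and `decodeRunOf16BitUnicodeEscapeSequences` in the test suite are named for, but the exact treatment of a lone surrogate here is this example's choice, not taken from the page.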