1 /* | 1 /* |
2 * Copyright (C) 2011 Adam Barth. All Rights Reserved. | 2 * Copyright (C) 2011 Adam Barth. All Rights Reserved. |
3 * Copyright (C) 2011 Daniel Bates (dbates@intudata.com). | 3 * Copyright (C) 2011 Daniel Bates (dbates@intudata.com). |
4 * | 4 * |
5 * Redistribution and use in source and binary forms, with or without | 5 * Redistribution and use in source and binary forms, with or without |
6 * modification, are permitted provided that the following conditions | 6 * modification, are permitted provided that the following conditions |
7 * are met: | 7 * are met: |
8 * 1. Redistributions of source code must retain the above copyright | 8 * 1. Redistributions of source code must retain the above copyright |
9 * notice, this list of conditions and the following disclaimer. | 9 * notice, this list of conditions and the following disclaimer. |
10 * 2. Redistributions in binary form must reproduce the above copyright | 10 * 2. Redistributions in binary form must reproduce the above copyright |
(...skipping 179 matching lines...)
190 } | 190 } |
191 | 191 |
192 static void truncateForSrcLikeAttribute(String& decodedSnippet) | 192 static void truncateForSrcLikeAttribute(String& decodedSnippet) |
193 { | 193 { |
194 // In HTTP URLs, characters following the first ?, #, or third slash may com e from | 194 // In HTTP URLs, characters following the first ?, #, or third slash may com e from |
195 // the page itself and can be merely ignored by an attacker's server when a remote | 195 // the page itself and can be merely ignored by an attacker's server when a remote |
196 // script or script-like resource is requested. In DATA URLS, the payload st arts at | 196 // script or script-like resource is requested. In DATA URLS, the payload st arts at |
197 // the first comma, and the the first /*, //, or <!-- may introduce a commen t. Also, | 197 // the first comma, and the the first /*, //, or <!-- may introduce a commen t. Also, |
198 // DATA URLs may use the same string literal tricks as with script content i tself. | 198 // DATA URLs may use the same string literal tricks as with script content i tself. |
199 // In either case, content following this may come from the page and may be ignored | 199 // In either case, content following this may come from the page and may be ignored |
200 // when the script is executed. | 200 // when the script is executed. Also, any of these characters may now be rep resented |
201 // by the (enlarged) set of html5 entities. | |
201 // For simplicity, we don't differentiate based on URL scheme, and stop at t he first | 202 // For simplicity, we don't differentiate based on URL scheme, and stop at t he first |
202 // # or ?, the third slash, or the first slash, <, ', or " once a comma is s een. | 203 // & (since it might be part of an entity for any of the subsequent punctuat ion), the |
204 // first # or ?, the third slash, or the first slash, <, ', or " once a comm a is seen. | |
203 int slashCount = 0; | 205 int slashCount = 0; |
204 bool commaSeen = false; | 206 bool commaSeen = false; |
205 for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++cu rrentLength) { | 207 for (size_t currentLength = 0; currentLength < decodedSnippet.length(); ++cu rrentLength) { |
206 UChar currentChar = decodedSnippet[currentLength]; | 208 UChar currentChar = decodedSnippet[currentLength]; |
207 if (currentChar == '?' | 209 if (currentChar == '&' |
Mike West
2016/04/26 08:10:38
Hrm. This might end up being a little overagressiv
210 || currentChar == '?' | |
208 || currentChar == '#' | 211 || currentChar == '#' |
209 || ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++s lashCount > 2)) | 212 || ((currentChar == '/' || currentChar == '\\') && (commaSeen || ++s lashCount > 2)) |
210 || (currentChar == '<' && commaSeen) | 213 || (currentChar == '<' && commaSeen) |
211 || (currentChar == '\'' && commaSeen) | 214 || (currentChar == '\'' && commaSeen) |
212 || (currentChar == '"' && commaSeen)) { | 215 || (currentChar == '"' && commaSeen)) { |
213 decodedSnippet.truncate(currentLength); | 216 decodedSnippet.truncate(currentLength); |
214 return; | 217 return; |
215 } | 218 } |
216 if (currentChar == ',') | 219 if (currentChar == ',') |
217 commaSeen = true; | 220 commaSeen = true; |
(...skipping 566 matching lines...)
784 } | 787 } |
785 result = canonicalize(string.substring(startPosition, foundPosition - st artPosition), NoTruncation); | 788 result = canonicalize(string.substring(startPosition, foundPosition - st artPosition), NoTruncation); |
786 startPosition = foundPosition + 1; | 789 startPosition = foundPosition + 1; |
787 } | 790 } |
788 | 791 |
789 return result; | 792 return result; |
790 } | 793 } |
791 | 794 |
792 bool XSSAuditor::isContainedInRequest(const String& decodedSnippet) | 795 bool XSSAuditor::isContainedInRequest(const String& decodedSnippet) |
793 { | 796 { |
797 | |
Mike West
2016/04/26 08:10:38
Nit: Newline?
Tom Sepez
2016/04/26 16:00:09
Done.
794 if (decodedSnippet.isEmpty()) | 798 if (decodedSnippet.isEmpty()) |
795 return false; | 799 return false; |
796 if (m_decodedURL.find(decodedSnippet, 0, TextCaseInsensitive) != kNotFound) | 800 if (m_decodedURL.find(decodedSnippet, 0, TextCaseInsensitive) != kNotFound) |
797 return true; | 801 return true; |
798 if (m_decodedHTTPBodySuffixTree && !m_decodedHTTPBodySuffixTree->mightContai n(decodedSnippet)) | 802 if (m_decodedHTTPBodySuffixTree && !m_decodedHTTPBodySuffixTree->mightContai n(decodedSnippet)) |
799 return false; | 803 return false; |
800 return m_decodedHTTPBody.find(decodedSnippet, 0, TextCaseInsensitive) != kNo tFound; | 804 return m_decodedHTTPBody.find(decodedSnippet, 0, TextCaseInsensitive) != kNo tFound; |
801 } | 805 } |
802 | 806 |
803 bool XSSAuditor::isLikelySafeResource(const String& url) | 807 bool XSSAuditor::isLikelySafeResource(const String& url) |
(...skipping 19 matching lines...)
823 | 827 |
824 bool XSSAuditor::isSafeToSendToAnotherThread() const | 828 bool XSSAuditor::isSafeToSendToAnotherThread() const |
825 { | 829 { |
826 return m_documentURL.isSafeToSendToAnotherThread() | 830 return m_documentURL.isSafeToSendToAnotherThread() |
827 && m_decodedURL.isSafeToSendToAnotherThread() | 831 && m_decodedURL.isSafeToSendToAnotherThread() |
828 && m_decodedHTTPBody.isSafeToSendToAnotherThread() | 832 && m_decodedHTTPBody.isSafeToSendToAnotherThread() |
829 && m_httpBodyAsString.isSafeToSendToAnotherThread(); | 833 && m_httpBodyAsString.isSafeToSendToAnotherThread(); |
830 } | 834 } |
831 | 835 |
832 } // namespace blink | 836 } // namespace blink |
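Review bot: The new `currentChar == '&'` branch in truncateForSrcLikeAttribute (new line 209) stops at a bare ampersand, but the comment above it only motivates the stop by the enlarged HTML5 entity set, and the parameter is named `decodedSnippet`, so a reader cannot tell from this hunk whether entities have already been expanded by the time this runs and why a literal `&` still needs to be a stop character. I'd have the comment state that explicitly, e.g. `// '&' is a stop character even after decoding — state here which undecoded/double-encoded forms this is meant to cover (confirm against the caller that does the entity decoding).` The rewritten comment block also now reads "Also, ... Also, ..." across new lines 198–201; dropping the second "Also," would tidy it. No test exercising a `src` value with an `&` ahead of the first `?` is visible in this section, and the loop body of truncateForSrcLikeAttribute continues past the visible lines.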