Chromium Code Reviews

Issue 205243002: XSSAuditor bypass with script tag and expression following injection point (Closed)

Created:
6 years, 9 months ago by Tom Sepez
Modified:
6 years, 9 months ago
Reviewers:
abarth-chromium
CC:
blink-reviews
Visibility:
Public.

Description

This patch fixes a corner case in the XSSAuditor where the attacker can use an organically-occurring script tag to bypass the auditor. The trick is that injection<script>expr may be parsed by JS as (injection < script) > expr.

BUG=354109
Committed: https://src.chromium.org/viewvc/blink?view=rev&revision=169697

Patch Set 1 #

Patch Set 2 : Add code patch. #

Patch Set 3 : guard against no lastNonSpacePosition found. #

Total comments: 5

Patch Set 4 : Incorporate dbates's suggestions. #

Files changed (+47 lines, -14 lines):

M LayoutTests/http/tests/security/xssAuditor/resources/echo-intertag.pl (1 chunk, +4 lines, -1 line)
A + LayoutTests/http/tests/security/xssAuditor/script-tag-expression-follows.html (1 chunk, +1 line, -1 line)
A LayoutTests/http/tests/security/xssAuditor/script-tag-expression-follows-expected.txt (1 chunk, +2 lines, -0 lines)
A + LayoutTests/http/tests/security/xssAuditor/script-tag-near-start.html (1 chunk, +1 line, -1 line)
A LayoutTests/http/tests/security/xssAuditor/script-tag-near-start-expected.txt (1 chunk, +2 lines, -0 lines)
M Source/core/html/parser/XSSAuditor.cpp (5 chunks, +37 lines, -11 lines)

Messages

Total messages: 23 (0 generated)
Tom Sepez
Adam, please take a look.
6 years, 9 months ago (2014-03-19 22:22:44 UTC) #1
abarth-chromium
lgtm
6 years, 9 months ago (2014-03-19 22:29:10 UTC) #2
Tom Sepez
The CQ bit was checked by tsepez@chromium.org
6 years, 9 months ago (2014-03-19 23:39:06 UTC) #3
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/tsepez@chromium.org/205243002/40001
6 years, 9 months ago (2014-03-19 23:39:14 UTC) #4
commit-bot: I haz the power
The CQ bit was unchecked by commit-bot@chromium.org
6 years, 9 months ago (2014-03-20 00:49:25 UTC) #5
commit-bot: I haz the power
Try jobs failed on following builders: tryserver.blink on linux_blink_dbg
6 years, 9 months ago (2014-03-20 00:49:25 UTC) #6
Tom Sepez
The CQ bit was checked by tsepez@chromium.org
6 years, 9 months ago (2014-03-20 16:49:18 UTC) #7
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/tsepez@chromium.org/205243002/40001
6 years, 9 months ago (2014-03-20 16:49:22 UTC) #8
dbates
I'm not a reviewer and I know this patch was already reviewed. I noticed some ...
6 years, 9 months ago (2014-03-20 17:39:34 UTC) #9
Tom Sepez
The CQ bit was unchecked by tsepez@chromium.org
6 years, 9 months ago (2014-03-20 17:48:41 UTC) #10
Tom Sepez
Thanks Dan, I'll clean up the nits and try your test.
6 years, 9 months ago (2014-03-20 17:49:09 UTC) #11
Tom Sepez
Note that I had to change "<script>";alert() in your test to "<script>"-alert() to get around ...
6 years, 9 months ago (2014-03-20 18:22:26 UTC) #12
Tom Sepez
The CQ bit was checked by tsepez@chromium.org
6 years, 9 months ago (2014-03-20 18:22:40 UTC) #13
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/tsepez@chromium.org/205243002/60001
6 years, 9 months ago (2014-03-20 18:22:42 UTC) #14
commit-bot: I haz the power
The CQ bit was unchecked by commit-bot@chromium.org
6 years, 9 months ago (2014-03-20 19:58:49 UTC) #15
commit-bot: I haz the power
Try jobs failed on following builders: tryserver.blink on win_blink_rel
6 years, 9 months ago (2014-03-20 19:58:49 UTC) #16
Tom Sepez
The CQ bit was checked by tsepez@chromium.org
6 years, 9 months ago (2014-03-20 20:49:57 UTC) #17
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/tsepez@chromium.org/205243002/60001
6 years, 9 months ago (2014-03-20 20:50:00 UTC) #18
commit-bot: I haz the power
The CQ bit was unchecked by commit-bot@chromium.org
6 years, 9 months ago (2014-03-20 20:52:02 UTC) #19
commit-bot: I haz the power
Try jobs failed on following builders: tryserver.blink on win_blink_rel
6 years, 9 months ago (2014-03-20 20:52:03 UTC) #20
Tom Sepez
The CQ bit was checked by tsepez@chromium.org
6 years, 9 months ago (2014-03-20 20:58:36 UTC) #21
commit-bot: I haz the power
CQ is trying da patch. Follow status at https://chromium-status.appspot.com/cq/tsepez@chromium.org/205243002/60001
6 years, 9 months ago (2014-03-20 20:58:42 UTC) #22
commit-bot: I haz the power
6 years, 9 months ago (2014-03-20 21:50:39 UTC) #23
Message was sent while issue was closed.
Change committed as 169697
