CSP: Harden nonce parsing.

Pesky overrun issues. BUG=430351 Review URL: https://codereview.chromium.org/705663003 git-svn-id: svn://svn.chromium.org/blink/trunk@184859 bbb929c8-8fbe-4397-9dbb-9b2b20218538

CSP: Harden nonce parsing.
Pesky overrun issues. BUG=430351 Review URL: https://codereview.chromium.org/705663003 git-svn-id: svn://svn.chromium.org/blink/trunk@184859 bbb929c8-8fbe-4397-9dbb-9b2b20218538
c50482f8 · mkwst@chromium.org · c6a3d4d7 · c50482f8 · c50482f8 · c50482f8
Commit c50482f8 authored Nov 05, 2014 by mkwst@chromium.org
3 changed files
--- a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce-expected.txt
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'n".
+
+CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce'. It will be ignored.
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce".
+
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-''. It will be ignored.
 CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce-'".

+CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce-".
+
+CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src nonce-abcd".
+
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-'. It will be ignored.
 CONSOLE ERROR: The source list for Content Security Policy directive 'script-src' contains an invalid source: '''. It will be ignored.
 CONSOLE ERROR: Refused to load the script 'http://127.0.0.1:8000/security/contentSecurityPolicy/resources/script.js' because it violates the following Content Security Policy directive: "script-src 'nonce- '".
@@ -52,3 +62,23 @@ PASS
 Frame: '<!--framePath //<!--frame5-->-->'
 --------
 PASS
+
+--------
+Frame: '<!--framePath //<!--frame6-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame7-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame8-->-->'
+--------
+PASS
+
+--------
+Frame: '<!--framePath //<!--frame9-->-->'
+--------
+PASS
--- a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scriptnonce-invalidnonce.html
@@ -4,7 +4,11 @@
 <script src='../resources/multiple-iframe-test.js'></script>
 <script>
 var tests = [
+    ['no', 'script-src \'n', 'resources/script.js', ''],
+    ['no', 'script-src \'nonce', 'resources/script.js', ''],
    ['no', 'script-src \'nonce-\'', 'resources/script.js', ''],
+    ['no', 'script-src \'nonce-', 'resources/script.js', ''],
+    ['no', 'script-src nonce-abcd', 'resources/script.js', ''],
    ['no', 'script-src \'nonce- \'', 'resources/script.js', ''],
    ['no', 'script-src \'nonce-     \'', 'resources/script.js', ''],
    ['no', 'script-src \'nonce- nonces have no spaces\'', 'resources/script.js', ''],

--- a/third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp
+++ b/third_party/WebKit/Source/core/frame/csp/CSPSourceList.cpp
@@ -260,18 +260,20 @@ bool CSPSourceList::parseSource(const UChar* begin, const UChar* end, String& sc
 //
 bool CSPSourceList::parseNonce(const UChar* begin, const UChar* end, String& nonce)
 {
-    DEFINE_STATIC_LOCAL(const String, noncePrefix, ("'nonce-"));
+    size_t nonceLength = end - begin;
+    const char* prefix = "'nonce-";

-    if (!equalIgnoringCase(noncePrefix.characters8(), begin, noncePrefix.length()))
+    if (nonceLength <= strlen(prefix) || !equalIgnoringCase(prefix, begin, strlen(prefix)))
        return true;

-    const UChar* position = begin + noncePrefix.length();
+    const UChar* position = begin + strlen(prefix);
    const UChar* nonceBegin = position;

+    ASSERT(position < end);
    skipWhile<UChar, isNonceCharacter>(position, end);
    ASSERT(nonceBegin <= position);

-    if ((position + 1) != end || *position != '\'' || !(position - nonceBegin))
+    if (position + 1 != end || *position != '\'' || position == nonceBegin)
        return false;

    nonce = String(nonceBegin, position - nonceBegin);