2010-01-28 Adam Barth <abarth@webkit.org>

Reviewed by David Levin. Remove XSSAuditor false positive for Google Translate https://bugs.webkit.org/show_bug.cgi?id=34242 Add a test that we allow attackers to inject directly into the href property of the base tag. * http/tests/security/xssAuditor/base-href-direct-expected.txt: Added. * http/tests/security/xssAuditor/base-href-direct.html: Added. * http/tests/security/xssAuditor/resources/echo-head-base-href-direct.pl: Added. 2010-01-28 Adam Barth <abarth@webkit.org> Reviewed by David Levin. Remove XSSAuditor false positive for Google Translate https://bugs.webkit.org/show_bug.cgi?id=34242 Google translate takes a base URL as a parameter, causing a false positive in the XSS filter. This patch removes the false positive by allowing direct injections into the href property of the base tag. Test: http/tests/security/xssAuditor/base-href-direct.html * page/XSSAuditor.cpp: (WebCore::XSSAuditor::canSetBaseElementURL): git-svn-id: svn://svn.chromium.org/blink/trunk@54010 bbb929c8-8fbe-4397-9dbb-9b2b20218538

2010-01-28 Adam Barth <abarth@webkit.org>
Reviewed by David Levin. Remove XSSAuditor false positive for Google Translate https://bugs.webkit.org/show_bug.cgi?id=34242 Add a test that we allow attackers to inject directly into the href property of the base tag. * http/tests/security/xssAuditor/base-href-direct-expected.txt: Added. * http/tests/security/xssAuditor/base-href-direct.html: Added. * http/tests/security/xssAuditor/resources/echo-head-base-href-direct.pl: Added. 2010-01-28 Adam Barth <abarth@webkit.org> Reviewed by David Levin. Remove XSSAuditor false positive for Google Translate https://bugs.webkit.org/show_bug.cgi?id=34242 Google translate takes a base URL as a parameter, causing a false positive in the XSS filter. This patch removes the false positive by allowing direct injections into the href property of the base tag. Test: http/tests/security/xssAuditor/base-href-direct.html * page/XSSAuditor.cpp: (WebCore::XSSAuditor::canSetBaseElementURL): git-svn-id: svn://svn.chromium.org/blink/trunk@54010 bbb929c8-8fbe-4397-9dbb-9b2b20218538
f4902b85 · abarth@webkit.org · 715ee841 · f4902b85 · f4902b85 · f4902b85
Commit f4902b85 authored Jan 28, 2010 by abarth@webkit.org
6 changed files
--- a/third_party/WebKit/LayoutTests/ChangeLog
+++ b/third_party/WebKit/LayoutTests/ChangeLog
+2010-01-28  Adam Barth  <abarth@webkit.org>
+        Reviewed by David Levin.
+        Remove XSSAuditor false positive for Google Translate
+        https://bugs.webkit.org/show_bug.cgi?id=34242
+        Add a test that we allow attackers to inject directly into the href
+        property of the base tag.
+        * http/tests/security/xssAuditor/base-href-direct-expected.txt: Added.
+        * http/tests/security/xssAuditor/base-href-direct.html: Added.
+        * http/tests/security/xssAuditor/resources/echo-head-base-href-direct.pl: Added.
 2010-01-28  Simon Fraser  <simon.fraser@apple.com>
        Reviewed by Dan Bernstein.
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/base-href-direct-expected.txt
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/base-href-direct-expected.txt
+ALERT: /XSS/
+We allow direct injections into base tags to reduce false positives.
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/base-href-direct.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/base-href-direct.html
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+if (window.layoutTestController) {
+  layoutTestController.dumpAsText();
+  layoutTestController.setXSSAuditorEnabled(true);
+}
+</script>
+</head>
+<body>
+<p>We allow direct injections into base tags to reduce false positives.</p>
+<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-head-base-href-direct.pl?q=http://127.0.0.1:8000/security/xssAuditor/resources/base-href/">
+</iframe>
+</body>
+</html>
--- a/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-head-base-href-direct.pl
+++ b/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/resources/echo-head-base-href-direct.pl
+#!/usr/bin/perl -wT
+use strict;
+use CGI;
+my $cgi = new CGI;
+print "Content-Type: text/html; charset=UTF-8\n\n";
+print "<!DOCTYPE html>\n";
+print "<html>\n";
+print "<head>\n";
+print "<base href=\"".$cgi->param('q')."\">\n";
+print "</head>\n";
+print "<body>\n";
+print "<script src='safe-script.js'></script>\n";
+print "</body>\n";
+print "</html>\n";
--- a/third_party/WebKit/WebCore/ChangeLog
+++ b/third_party/WebKit/WebCore/ChangeLog
+2010-01-28  Adam Barth  <abarth@webkit.org>
+        Reviewed by David Levin.
+        Remove XSSAuditor false positive for Google Translate
+        https://bugs.webkit.org/show_bug.cgi?id=34242
+        Google translate takes a base URL as a parameter, causing a false
+        positive in the XSS filter.  This patch removes the false positive by
+        allowing direct injections into the href property of the base tag.
+        Test: http/tests/security/xssAuditor/base-href-direct.html
+        * page/XSSAuditor.cpp:
+        (WebCore::XSSAuditor::canSetBaseElementURL):
 2010-01-28  Nikolas Zimmermann  <nzimmermann@rim.com>
        Reviewed by Dirk Schulze.
--- a/third_party/WebKit/WebCore/page/XSSAuditor.cpp
+++ b/third_party/WebKit/WebCore/page/XSSAuditor.cpp
@@ -202,6 +202,7 @@ bool XSSAuditor::canSetBaseElementURL(const String& url) const
    FindTask task;
    task.string = url;
+    task.allowRequestIfNoIllegalURICharacters = true;
    if (findInRequest(task)) {
        DEFINE_STATIC_LOCAL(String, consoleMessage, ("Refused to load from document base URL. URL found within request.\n"));