2009-07-08 Daniel Bates <dbates@intudata.com>
authorAdam Barth <abarth@webkit.org>
Wed, 8 Jul 2009 21:27:09 +0000 (21:27 +0000)
committerAdam Barth <abarth@webkit.org>
Wed, 8 Jul 2009 21:27:09 +0000 (21:27 +0000)
commit564f39c65fdd9f338598d8f047893c0a1aafae60
treeb158540f2965476fab550456d5f1a1ab62369a7a
parenta83d7f0f30e7bd07174603eb45e6f9adbddea195
2009-07-08  Daniel Bates  <dbates@intudata.com>

        Reviewed by Adam Barth.

        https://bugs.webkit.org/show_bug.cgi?id=27071

        Resolves issue when HTTP parameters contain null- and  non-null-control- characters.

        Tests: http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char.html
               http/tests/security/xssAuditor/embed-tag-control-char.html
               http/tests/security/xssAuditor/embed-tag-null-char.html
               http/tests/security/xssAuditor/embed-tag.html
               http/tests/security/xssAuditor/link-onclick-control-char.html
               http/tests/security/xssAuditor/link-onclick-null-char.html
               http/tests/security/xssAuditor/object-embed-tag-control-char.html
               http/tests/security/xssAuditor/object-embed-tag-null-char.html
               http/tests/security/xssAuditor/object-embed-tag.html
               http/tests/security/xssAuditor/object-tag.html
               http/tests/security/xssAuditor/script-tag-post-control-char.html
               http/tests/security/xssAuditor/script-tag-post-null-char.html
               http/tests/security/xssAuditor/script-tag-with-source-control-char.html
               http/tests/security/xssAuditor/script-tag-with-source-null-char.html

        * page/XSSAuditor.cpp:
        (WebCore::isNonNullControlCharacter): Called by XSSAuditor::decodeURL.
        (WebCore::XSSAuditor::canEvaluate):
        (WebCore::XSSAuditor::canCreateInlineEventListener):
        (WebCore::XSSAuditor::canLoadObject):
        (WebCore::XSSAuditor::decodeURL): Added parameters matchNullCharacters,
        and matchNonNullControlCharacters.
        (WebCore::XSSAuditor::findInRequest): Added parameters matchNullCharacters,
        and matchNonNullControlCharacters.
        * page/XSSAuditor.h:

2009-07-08  Daniel Bates  <dbates@intudata.com>

        Reviewed by Adam Barth.

        https://bugs.webkit.org/show_bug.cgi?id=27071

        Tests that HTTP parameters that contain null- and non-null-control characters are
        properly handled by XSSAuditor.

        * http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt: Added.
        * http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char.html: Added.
        * http/tests/security/xssAuditor/embed-tag-control-char-expected.txt: Added.
        * http/tests/security/xssAuditor/embed-tag-control-char.html: Added.
        * http/tests/security/xssAuditor/embed-tag-expected.txt: Added.
        * http/tests/security/xssAuditor/embed-tag-null-char-expected.txt: Added.
        * http/tests/security/xssAuditor/embed-tag-null-char.html: Added.
        * http/tests/security/xssAuditor/embed-tag.html: Added.
        * http/tests/security/xssAuditor/link-onclick-control-char-expected.txt: Added.
        * http/tests/security/xssAuditor/link-onclick-control-char.html: Added.
        * http/tests/security/xssAuditor/link-onclick-null-char-expected.txt: Added.
        * http/tests/security/xssAuditor/link-onclick-null-char.html: Added.
        * http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt: Added.
        * http/tests/security/xssAuditor/object-embed-tag-control-char.html: Added.
        * http/tests/security/xssAuditor/object-embed-tag-expected.txt: Added.
        * http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt: Added.
        * http/tests/security/xssAuditor/object-embed-tag-null-char.html: Added.
        * http/tests/security/xssAuditor/object-embed-tag.html: Added.
        * http/tests/security/xssAuditor/object-tag-expected.txt: Added.
        * http/tests/security/xssAuditor/object-tag.html: Added.
        * http/tests/security/xssAuditor/resources/execGetURL.swf: Added.
        * http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt: Added.
        * http/tests/security/xssAuditor/script-tag-post-control-char.html: Added.
        * http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt: Added.
        * http/tests/security/xssAuditor/script-tag-post-null-char.html: Added.
        * http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt: Added.
        * http/tests/security/xssAuditor/script-tag-with-source-control-char.html: Added.
        * http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt: Added.
        * http/tests/security/xssAuditor/script-tag-with-source-null-char.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@45639 268f45cc-cd09-0410-ab3c-d52691b4dbfc
32 files changed:
LayoutTests/ChangeLog
LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/anchor-url-dom-write-location-inline-event-null-char.html [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/embed-tag-control-char.html [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/embed-tag-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/embed-tag-null-char.html [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/embed-tag.html [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/link-onclick-control-char.html [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/link-onclick-null-char.html [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/object-embed-tag-control-char.html [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/object-embed-tag-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/object-embed-tag-null-char.html [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/object-embed-tag.html [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/object-tag-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/object-tag.html [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/script-tag-post-control-char-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/script-tag-post-control-char.html [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/script-tag-post-null-char-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/script-tag-post-null-char.html [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-control-char.html [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char-expected.txt [new file with mode: 0644]
LayoutTests/http/tests/security/xssAuditor/script-tag-with-source-null-char.html [new file with mode: 0644]
WebCore/ChangeLog
WebCore/page/XSSAuditor.cpp
WebCore/page/XSSAuditor.h