Closed Bug 404252 Opened 15 years ago Closed 15 years ago

Potential XSS vulnerability because of U+0008 being treated as whitespace

Categories

(Core :: DOM: HTML Parser, defect, P2)

PowerPC
macOS
defect

Tracking

()

VERIFIED FIXED

People

(Reporter: ap, Assigned: mrbkap)

References

Details

(Keywords: fixed1.8.0.15, testcase, verified1.8.1.12, Whiteboard: [sg:moderate] web-site xss filter bypass)

Attachments

(3 files)

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/525.1+ (KHTML, like Gecko) Safari/419.3
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; ru; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9

While investigating how bug 381412 affects WebKit, I've noticed a similar issue in Firefox. Because of U+0008 being treated as whitespace, it is possible to disguise dangerous attributes (and possibly elements) as unknown ones.

MSIE and HTML5 spec agree that U+0008 is not whitespace. WebKit had problems that I've just fixed, but I don't know when this fix will be released by Apple.

Reproducible: Always

Steps to Reproduce:
Open the attached test case. Line with "08" should be green. Ideally, all lines should be green, but the other two Firefox failures are in other direction (characters that should be whitespace aren't), so they cannot be used for such an exploit.
Attached file test case
The HTML 4.01 spec agrees, back-space isn't whitespace:
http://www.w3.org/TR/html401/struct/text.html#whitespace

The spec also defines zero-width space (0x200b) as whitespace, but that sounds like it could be dangerous and unexpected for web sites.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9?
Flags: blocking1.8.1.11?
Whiteboard: [sg:low?] web-site xss filter bypass
Whiteboard: [sg:low?] web-site xss filter bypass → [sg:moderate] web-site xss filter bypass
Blocks: xss
Blake, let us know if you need help here.
Assignee: nobody → mrbkap
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Attached patch patch v1Splinter Review
This appears to give us the desired compatibility with IE for backspace. I'm not sure what to do about \v (0x00B), but HTML4 says that \f (0x00C) is whitespace. Johnny, what do you think?
Attachment #294095 - Flags: superreview?
Attachment #294095 - Flags: review?
Attachment #294095 - Flags: superreview?(jst)
Attachment #294095 - Flags: superreview?
Attachment #294095 - Flags: review?(jst)
Attachment #294095 - Flags: review?
Comment on attachment 294095 [details] [diff] [review]
patch v1

r+sr=jst for this. I think for \f and \v we'd probably be best off matching what IE does, and then arguing for making the HTML 5 spec match that as well.
Attachment #294095 - Flags: superreview?(jst)
Attachment #294095 - Flags: superreview+
Attachment #294095 - Flags: review?(jst)
Attachment #294095 - Flags: review+
Fix checked into trunk. I filed bug 409436 on figuring out what to do with \f and \v.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x+
There were some whitespace differences between the two branches. I verified that this patch is the same by doing |diff -w 1.9patch thispatch| and noticing that none of the added or removed lines showed up.
Attachment #294506 - Flags: review+
Attachment #294506 - Flags: approval1.8.1.12?
Flags: blocking1.8.1.12? → blocking1.8.1.12+
Comment on attachment 294506 [details] [diff] [review]
Patch for the 1.8 branch

approved for 1.8.1.12, a=dveditz for release-drivers
Attachment #294506 - Flags: approval1.8.1.12? → approval1.8.1.12+
Fixed on the 1.8 branch.
Keywords: fixed1.8.1.12
Verified for branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12pre) Gecko/2008011803 BonEcho/2.0.0.12pre. Repros with 2.0.0.11 cleanly.
Flags: blocking1.8.0.15+
Comment on attachment 294506 [details] [diff] [review]
Patch for the 1.8 branch

a=asac for 1.8.0.15

(unmodified distro patch)
Attachment #294506 - Flags: approval1.8.0.15+
MOZILLA_1_8_0_BRANCH:

Checking in parser/htmlparser/src/nsHTMLTokens.cpp;
/cvsroot/mozilla/parser/htmlparser/src/nsHTMLTokens.cpp,v  <--  nsHTMLTokens.cpp
new revision: 3.273.10.2; previous revision: 3.273.10.1
done
Checking in parser/htmlparser/src/nsScanner.cpp;
/cvsroot/mozilla/parser/htmlparser/src/nsScanner.cpp,v  <--  nsScanner.cpp
new revision: 3.145.12.2; previous revision: 3.145.12.1
done
Keywords: fixed1.8.0.15
Group: security
Flags: in-testsuite?
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9pre) Gecko/2008050621 Firefox/3.0pre and the testcase

--> Verified fixed
Status: RESOLVED → VERIFIED
Keywords: testcase
You need to log in before you can comment on or make changes to this bug.