Closed
Bug 404252
Opened 17 years ago
Closed 17 years ago
Potential XSS vulnerability because of U+0008 being treated as whitespace
Categories
(Core :: DOM: HTML Parser, defect, P2)
Tracking
()
VERIFIED
FIXED
People
(Reporter: ap, Assigned: mrbkap)
References
Details
(Keywords: fixed1.8.0.15, testcase, verified1.8.1.12, Whiteboard: [sg:moderate] web-site xss filter bypass)
Attachments
(3 files)
2.06 KB,
text/html
|
Details | |
6.02 KB,
patch
|
jst
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
6.15 KB,
patch
|
mrbkap
:
review+
dveditz
:
approval1.8.1.12+
asac
:
approval1.8.0.next+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/525.1+ (KHTML, like Gecko) Safari/419.3 Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; ru; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9 While investigating how bug 381412 affects WebKit, I've noticed a similar issue in Firefox. Because of U+0008 being treated as whitespace, it is possible to disguise dangerous attributes (and possibly elements) as unknown ones. MSIE and HTML5 spec agree that U+0008 is not whitespace. WebKit had problems that I've just fixed, but I don't know when this fix will be released by Apple. Reproducible: Always Steps to Reproduce: Open the attached test case. Line with "08" should be green. Ideally, all lines should be green, but the other two Firefox failures are in other direction (characters that should be whitespace aren't), so they cannot be used for such an exploit.
Reporter | ||
Comment 1•17 years ago
|
||
Comment 2•17 years ago
|
||
The HTML 4.01 spec agrees, back-space isn't whitespace: http://www.w3.org/TR/html401/struct/text.html#whitespace The spec also defines zero-width space (0x200b) as whitespace, but that sounds like it could be dangerous and unexpected for web sites.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•17 years ago
|
Flags: blocking1.9?
Flags: blocking1.8.1.11?
Whiteboard: [sg:low?] web-site xss filter bypass
Updated•17 years ago
|
Whiteboard: [sg:low?] web-site xss filter bypass → [sg:moderate] web-site xss filter bypass
Blake, let us know if you need help here.
Assignee: nobody → mrbkap
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Assignee | ||
Comment 4•17 years ago
|
||
This appears to give us the desired compatibility with IE for backspace. I'm not sure what to do about \v (0x00B), but HTML4 says that \f (0x00C) is whitespace. Johnny, what do you think?
Attachment #294095 -
Flags: superreview?
Attachment #294095 -
Flags: review?
Assignee | ||
Updated•17 years ago
|
Attachment #294095 -
Flags: superreview?(jst)
Attachment #294095 -
Flags: superreview?
Attachment #294095 -
Flags: review?(jst)
Attachment #294095 -
Flags: review?
Comment 5•17 years ago
|
||
Comment on attachment 294095 [details] [diff] [review] patch v1 r+sr=jst for this. I think for \f and \v we'd probably be best off matching what IE does, and then arguing for making the HTML 5 spec match that as well.
Attachment #294095 -
Flags: superreview?(jst)
Attachment #294095 -
Flags: superreview+
Attachment #294095 -
Flags: review?(jst)
Attachment #294095 -
Flags: review+
Assignee | ||
Comment 6•17 years ago
|
||
Fix checked into trunk. I filed bug 409436 on figuring out what to do with \f and \v.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated•17 years ago
|
Flags: wanted1.8.1.x+
Assignee | ||
Comment 7•17 years ago
|
||
There were some whitespace differences between the two branches. I verified that this patch is the same by doing |diff -w 1.9patch thispatch| and noticing that none of the added or removed lines showed up.
Attachment #294506 -
Flags: review+
Attachment #294506 -
Flags: approval1.8.1.12?
Updated•17 years ago
|
Flags: blocking1.8.1.12? → blocking1.8.1.12+
Comment 8•17 years ago
|
||
Comment on attachment 294506 [details] [diff] [review] Patch for the 1.8 branch approved for 1.8.1.12, a=dveditz for release-drivers
Attachment #294506 -
Flags: approval1.8.1.12? → approval1.8.1.12+
Comment 10•17 years ago
|
||
Verified for branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12pre) Gecko/2008011803 BonEcho/2.0.0.12pre. Repros with 2.0.0.11 cleanly.
Keywords: fixed1.8.1.12 → verified1.8.1.12
Updated•16 years ago
|
Flags: blocking1.8.0.15+
Comment 11•16 years ago
|
||
Comment on attachment 294506 [details] [diff] [review] Patch for the 1.8 branch a=asac for 1.8.0.15 (unmodified distro patch)
Attachment #294506 -
Flags: approval1.8.0.15+
Comment 12•16 years ago
|
||
MOZILLA_1_8_0_BRANCH: Checking in parser/htmlparser/src/nsHTMLTokens.cpp; /cvsroot/mozilla/parser/htmlparser/src/nsHTMLTokens.cpp,v <-- nsHTMLTokens.cpp new revision: 3.273.10.2; previous revision: 3.273.10.1 done Checking in parser/htmlparser/src/nsScanner.cpp; /cvsroot/mozilla/parser/htmlparser/src/nsScanner.cpp,v <-- nsScanner.cpp new revision: 3.145.12.2; previous revision: 3.145.12.1 done
Keywords: fixed1.8.0.15
Updated•16 years ago
|
Group: security
Flags: in-testsuite?
Comment 13•16 years ago
|
||
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9pre) Gecko/2008050621 Firefox/3.0pre and the testcase --> Verified fixed
Status: RESOLVED → VERIFIED
Keywords: testcase
You need to log in
before you can comment on or make changes to this bug.
Description
•