Closed Bug 404252 Opened 17 years ago Closed 17 years ago

Potential XSS vulnerability because of U+0008 being treated as whitespace

Categories

(Core :: DOM: HTML Parser, defect, P2)

Product:
Core
Component:
DOM: HTML Parser
Platform:
PowerPC
macOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: ap, Assigned: mrbkap)

References

Details

(Keywords: fixed1.8.0.15, testcase, verified1.8.1.12, Whiteboard: [sg:moderate] web-site xss filter bypass)

Attachments

(3 files)

test case
2.06 KB, text/html
Details
patch v1
6.02 KB, patch
jst
: review+
jst
: superreview+
Details | Diff | Splinter Review
Patch for the 1.8 branch
6.15 KB, patch
mrbkap
: review+
dveditz
: approval1.8.1.12+
asac
: approval1.8.0.next+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/525.1+ (KHTML, like Gecko) Safari/419.3
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; ru; rv:1.8.1.9) Gecko/20071025 Firefox/2.0.0.9

While investigating how bug 381412 affects WebKit, I've noticed a similar issue in Firefox. Because of U+0008 being treated as whitespace, it is possible to disguise dangerous attributes (and possibly elements) as unknown ones.

MSIE and HTML5 spec agree that U+0008 is not whitespace. WebKit had problems that I've just fixed, but I don't know when this fix will be released by Apple.

Reproducible: Always

Steps to Reproduce:
Open the attached test case. Line with "08" should be green. Ideally, all lines should be green, but the other two Firefox failures are in other direction (characters that should be whitespace aren't), so they cannot be used for such an exploit.
Attached file test case 

    
    

    
  
The HTML 4.01 spec agrees, back-space isn't whitespace:
http://www.w3.org/TR/html401/struct/text.html#whitespace

The spec also defines zero-width space (0x200b) as whitespace, but that sounds like it could be dangerous and unexpected for web sites.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9?
Flags: blocking1.8.1.11?
Whiteboard: [sg:low?] web-site xss filter bypass
Whiteboard: [sg:low?] web-site xss filter bypass → [sg:moderate] web-site xss filter bypass

    
  
Blocks: xss

    
    

    
  
Blake, let us know if you need help here.
Assignee: nobody → mrbkap
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch v1Splinter Review
      

    


  
This appears to give us the desired compatibility with IE for backspace. I'm not sure what to do about \v (0x00B), but HTML4 says that \f (0x00C) is whitespace. Johnny, what do you think?

        Attachment #294095 -
        Flags: superreview?

        Attachment #294095 -
        Flags: review?

    
  

        Attachment #294095 -
        Flags: superreview?(jst)

        Attachment #294095 -
        Flags: superreview?

        Attachment #294095 -
        Flags: review?(jst)

        Attachment #294095 -
        Flags: review?

    
    

    
  
Comment on attachment 294095 [details] [diff] [review]
patch v1

r+sr=jst for this. I think for \f and \v we'd probably be best off matching what IE does, and then arguing for making the HTML 5 spec match that as well.

        Attachment #294095 -
        Flags: superreview?(jst)

        Attachment #294095 -
        Flags: superreview+

        Attachment #294095 -
        Flags: review?(jst)

        Attachment #294095 -
        Flags: review+

    
    

    
  
Fix checked into trunk. I filed bug 409436 on figuring out what to do with \f and \v.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x+

    
    

    
  


  
There were some whitespace differences between the two branches. I verified that this patch is the same by doing |diff -w 1.9patch thispatch| and noticing that none of the added or removed lines showed up.

        Attachment #294506 -
        Flags: review+

        Attachment #294506 -
        Flags: approval1.8.1.12?
Flags: blocking1.8.1.12? → blocking1.8.1.12+

    
    

    
  
Comment on attachment 294506 [details] [diff] [review]
Patch for the 1.8 branch

approved for 1.8.1.12, a=dveditz for release-drivers

        Attachment #294506 -
        Flags: approval1.8.1.12? → approval1.8.1.12+

    
    

    
  
Fixed on the 1.8 branch.
Keywords: fixed1.8.1.12

    
    

    
  
Verified for branch with Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12pre) Gecko/2008011803 BonEcho/2.0.0.12pre. Repros with 2.0.0.11 cleanly.
Keywords: fixed1.8.1.12verified1.8.1.12

    
  
Flags: blocking1.8.0.15+

    
    

    
  
Comment on attachment 294506 [details] [diff] [review]
Patch for the 1.8 branch

a=asac for 1.8.0.15

(unmodified distro patch)

        Attachment #294506 -
        Flags: approval1.8.0.15+

    
    

    
  
MOZILLA_1_8_0_BRANCH:

Checking in parser/htmlparser/src/nsHTMLTokens.cpp;
/cvsroot/mozilla/parser/htmlparser/src/nsHTMLTokens.cpp,v  <--  nsHTMLTokens.cpp
new revision: 3.273.10.2; previous revision: 3.273.10.1
done
Checking in parser/htmlparser/src/nsScanner.cpp;
/cvsroot/mozilla/parser/htmlparser/src/nsScanner.cpp,v  <--  nsScanner.cpp
new revision: 3.145.12.2; previous revision: 3.145.12.1
done
Keywords: fixed1.8.0.15
Group: security
Flags: in-testsuite?

    
    

    
  
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9pre) Gecko/2008050621 Firefox/3.0pre and the testcase

--> Verified fixed
Status: RESOLVED → VERIFIED
Keywords: testcase

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: