30241 2009-10-08 17:12:32 -0700 Inconsistent URL encoding/decoding of JavaScript URLs. 2011-08-19 13:39:15 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) All All RESOLVED FIXED P2 Normal --- 37641 1 dbates webkit-unassigned abarth ap sam oldest_to_newest 153577 0 40919 dbates 2009-10-08 17:12:32 -0700 Created attachment 40919 Example JavaScript URLs that are URL encoded via FrameLoader::completeURL are not properly decoded before eventually being passed to both the XSSAuditor and ScriptController::evaluate, because the method KURL::decodeURLEscapeSequences is NOT the inverse function of KURL::parse(). In particular, this occurs in FrameLoader::requestFrame: http://trac.webkit.org/browser/trunk/WebCore/loader/FrameLoader.cpp#L348 where the completeURL() is called on |scriptURL| before it is passed to frame->loader()->executeIfJavaScriptURL(). Remarks: The call flow of FrameLoader::completeURL is: FrameLoader::completeURL -> Document::completeURL -> KURL::KURL(const KURL& base, const String& relative, ...) -> KURL::init - > KURL::parse The issue is that KURL::parse uses the method KURL::appendEscapingBadChars, which as its name implies escapes only bad characters. One such bad character is the space character. Consider the JavaScript URL, "javascript: '%0A'" (*). Calling KURL::parse on this (directly or implicitly via one of the functions in the above call chain) will result in a KURL object that represents the URL, "javascript:%20'%46'" (**). Notice, this result differs from the fully URL encoded result of "javascript:%20%27%2546%27". Decoding the string form of (**) using KURL::decodeURLEscapeSequences produces the result: "javascript: 'F'". Clearly, this is not the inverse of the (**). 153580 1 dbates 2009-10-08 17:21:22 -0700 (*) should be "javascript: '%46'" (In reply to comment #0) > Created an attachment (id=40919) [details] > Example > > JavaScript URLs that are URL encoded via FrameLoader::completeURL are not > properly decoded before eventually being passed to both the XSSAuditor and > ScriptController::evaluate, because the method KURL::decodeURLEscapeSequences > is NOT the inverse function of KURL::parse(). > > In particular, this occurs in FrameLoader::requestFrame: > http://trac.webkit.org/browser/trunk/WebCore/loader/FrameLoader.cpp#L348 > where the completeURL() is called on |scriptURL| before it is passed to > frame->loader()->executeIfJavaScriptURL(). > > Remarks: > The call flow of FrameLoader::completeURL is: > FrameLoader::completeURL -> Document::completeURL -> KURL::KURL(const KURL& > base, const String& relative, ...) -> KURL::init - > KURL::parse > > The issue is that KURL::parse uses the method KURL::appendEscapingBadChars, > which as its name implies escapes only bad characters. > > One such bad character is the space character. Consider the JavaScript URL, > "javascript: '%0A'" (*). Calling KURL::parse on this (directly or implicitly > via one of the functions in the above call chain) will result in a KURL object > that represents the URL, "javascript:%20'%46'" (**). Notice, this result > differs from the fully URL encoded result of "javascript:%20%27%2546%27". > Decoding the string form of (**) using KURL::decodeURLEscapeSequences produces > the result: "javascript: 'F'". Clearly, this is not the inverse of the (**). 454040 2 abarth 2011-08-19 13:39:15 -0700 This bug is fixed in the new architecture. 40919 2009-10-08 17:12:32 -0700 2009-10-08 17:12:32 -0700 Example KURL-parse-bug.html text/html 698 dbates PGh0bWw+CjxoZWFkPgo8L2hlYWQ+Cjxib2R5Pgo8cD5UaGlzIHRlc3QgY2FuIGJlIHVzZWQgdG8g ZGVtb25zdHJhdGUgdGhlIFVSTCBlbmNvZGluZyBidWcgaW4gS1VSTDo6cGFyc2UuIE1ha2Ugc3Vy ZSB0aGUgc3RhdHVzIGJhciBvZiB0aGlzIGJyb3dzZXIgd2luZG93IGlzIHZpc2libGUuIElmIG5v dCwgc2VsZWN0IFZpZXctPlNob3cgU3RhdHVzIEJhci48L3A+CjxhIGhyZWY9ImphdmFzY3JpcHQ6 YWxlcnQoJ2EgJTI1NDYnKSI+SG92ZXIgb3ZlciB0aGlzIGxpbmsgYW5kIGxvb2sgYXQgdGhlIHN0 YXR1cyBiYXI8L2E+CjxwPigqKSBZb3Ugd2lsbCBzZWUgdGhlIHRleHQ6IFJ1biBzY3JpcHQgJnF1 b3Q7YWxlcnQoJ2ElMjAlMjU0NicpJnF1b3Q7PC9wPgo8cD5WaWV3IHRoZSBzb3VyY2UgY29kZSBv ZiB0aGlzIHBhZ2UsIGxvb2tpbmcgYXQgdGhlIHRoZSBocmVmIHByb3BlcnR5IG9mIHRoZSBhYm92 ZSBsaW5rIGl0IHJlYWRzOiBqYXZhc2NyaXB0OmFsZXJ0KCdhICUyNTQ2Jyk8L3A+CjxwPk5vdGlj ZSB0aGUgc3BhY2UgY2hhcmFjdGVyIChsb2NhdGVkIGJldHdlZW4gdGhlICdhJyBhbmQgdGhlICcl JyBjaGFyYWN0ZXIgaW4gdGhlIGhyZWYgcHJvcGVydHkgc3RyaW5nKSBpcyBlbmNvZGVkIHRvICUy MCBpbiAoKikuIEJ1dCwgdGhlICclMjUnIGlzIE5PVCBlbmNvZGVkIHRvICclMjUyNScuPC9wPgo8 L2JvZHk+CjwvaHRtbD4=