From 557d41ba23781cd53dedc4d2e40c5af220e8b966 Mon Sep 17 00:00:00 2001
From: Anastasios Stasinopoulos
Date: Sun, 26 Oct 2014 14:13:05 +0200
Subject: [PATCH] Added extra security checks on XSSAuditor.cpp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Added extra security checks, to protect xss auditor against "PHP array injection" and "PHP array-like injection" attacks. The results of this work have been presented in the paper entitled: Anastasios Stasinopoulos, Christoforos Ntantogian and Christos Xenakis “Bypassing XSS Auditor: Taking advantage of bad-written PHP code”, IEEE International Symposium on Signal Processing and Information Technology (ISSPIT 2014), December 15-17, 2014 - Jaypee Institute of Information Technology, Noida, India
---
 Source/WebCore/html/parser/XSSAuditor.cpp | 63 ++++++++++++++++++++++-
 1 file changed, 62 insertions(+), 1 deletion(-)
diff --git a/Source/WebCore/html/parser/XSSAuditor.cpp b/Source/WebCore/html/parser/XSSAuditor.cpp
index cd909c136a108..94dfd6b5cb0ba 100644
--- a/Source/WebCore/html/parser/XSSAuditor.cpp
+++ b/Source/WebCore/html/parser/XSSAuditor.cpp
@@ -112,6 +112,31 @@ static bool startsOpeningScriptTagAt(const String& string, size_t start)
         && WTF::toASCIILowerUnchecked(string[start + 6]) == 't';
 }
 
+static bool startsSingleQuoteCommentAt(const String& string, size_t start)
+{
+    return (start + 1 < string.length() && string[start] == '\'');
+}
+
+static bool startsDoubleQuoteCommentAt(const String& string, size_t start)
+{
+    return (start + 1 < string.length() && string[start] == '"');
+}
+
+static bool startsMultiParameterAt(const String& string, size_t start)
+{
+    return (start + 1 < string.length() && string[start] == '&');
+}
+
+static bool startsFunctionParenthesisAt(const String& string, size_t start)
+{
+    return (start + 1 < string.length() && string[start] == '(');
+}
+
+static bool startsArraySquareBracketAt(const String& string, size_t start)
+{
+    return (start + 1 < string.length() && string[start] == '[');
+}
+
 // If other files need this, we should move this to HTMLParserIdioms.h
 template
 bool threadSafeMatch(const Vector& vector, const QualifiedName& qname)
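Review bot: The guard `start + 1 < string.length()` in each of the five added helpers is an off-by-one for a one-character token: only `string[start]` is read, so a quote, `&`, `(` or `[` sitting in the last position of the string is never detected, whereas the two-character comment helpers above genuinely need the extra slot. `return start < string.length() && string[start] == '\'';` is the matching bound, and the same correction applies to startsDoubleQuoteCommentAt, startsMultiParameterAt, startsFunctionParenthesisAt and startsArraySquareBracketAt. The `...CommentAt` names are also misleading, since a quote does not open a comment; names such as `startsSingleQuoteAt` / `startsDoubleQuoteAt` would describe what the predicates test, and a one-line comment on each stating which injection shape it is meant to delimit would help the next reader, since nothing in the code ties these characters to the "PHP array injection" case named in the commit message.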
@@ -656,6 +681,36 @@ String XSSAuditor::decodedSnippetForJavaScript(const FilterTokenRequest& request
                 startPosition = foundPosition + 2;
             else
                 startPosition = endPosition;
+
+        } else if (startsSingleQuoteCommentAt(string, startPosition)) {
+            if (startPosition + 2 < endPosition && (foundPosition = string.find("'", startPosition + 2)) != notFound)
+                startPosition = foundPosition + 2;
+            else
+                startPosition = endPosition;
+
+        } else if (startsDoubleQuoteCommentAt(string, startPosition)) {
+            if (startPosition + 2 < endPosition && (foundPosition = string.find('"', startPosition + 2)) != notFound)
+                startPosition = foundPosition + 2;
+            else
+                startPosition = endPosition;
+
+        } else if (startsMultiParameterAt(string, startPosition)) {
+            if (startPosition + 2 < endPosition && (foundPosition = string.find("=", startPosition + 2)) != notFound)
+                startPosition = foundPosition + 2;
+            else
+                startPosition = endPosition;
+
+        } else if (startsFunctionParenthesisAt(string, startPosition)) {
+            if (startPosition + 2 < endPosition && (foundPosition = string.find(")", startPosition + 2)) != notFound)
+                startPosition = foundPosition + 2;
+            else
+                startPosition = endPosition;
+
+        } else if (startsArraySquareBracketAt(string, startPosition)) {
+            if (startPosition + 2 < endPosition && (foundPosition = string.find("]", startPosition + 2)) != notFound)
+                startPosition = foundPosition + 2;
+            else
+                startPosition = endPosition;
         } else
             break;
     }
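Review bot: Every added branch searches for its closing delimiter from `startPosition + 2` and then resumes at `foundPosition + 2`, offsets copied from the two-character `/* ... */` branch just above; for a one-character opener this skips the character immediately after the quote, `&`, `(` or `[` (so an empty pair such as `''` or `()` is not matched and the following delimiter is consumed instead) and additionally drops the character after the closer. For these five branches `string.find(..., startPosition + 1)` and `startPosition = foundPosition + 1` are the offsets that pair with a single-character token; the `startPosition + 2 < endPosition` pre-check has the same off-by-one. This leading loop exists to skip comments so the snippet starts at real code; once a leading quote, `&`, `(` or `[` is also treated as skippable, the text between the delimiters is removed from the snippet the auditor later matches against the request, which is a behaviour change that deserves a comment stating the intent (e.g. `// Skip a leading quoted/parenthesised/bracketed run so that PHP array-style wrapping does not hide the reflected payload.`). The enclosing loop and decodedSnippetForJavaScript itself start and end outside the hunk.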
@@ -668,7 +723,13 @@ String XSSAuditor::decodedSnippetForJavaScript(const FilterTokenRequest& request
     lastNonSpacePosition = notFound;
     for (foundPosition = startPosition; foundPosition < endPosition; foundPosition++) {
         if (!request.shouldAllowCDATA) {
-            if (startsSingleLineCommentAt(string, foundPosition) || startsMultiLineCommentAt(string, foundPosition)) {
+            if (startsSingleLineCommentAt(string, foundPosition)||
+                startsMultiLineCommentAt(string, foundPosition)||
+                startsSingleQuoteCommentAt(string, foundPosition)||
+                startsDoubleQuoteCommentAt(string, foundPosition)||
+                startsMultiParameterAt(string, foundPosition)||
+                startsFunctionParenthesisAt(string, foundPosition)||
+                startsArraySquareBracketAt(string, foundPosition)) {
                 foundPosition += 2;
                 break;
             }
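Review bot: The unchanged `foundPosition += 2` below the widened condition was sized for the two-character `//` and `/*` openers; the five new predicates match a single character, so the snippet boundary now lands one character past a quote, `&`, `(` or `[` rather than on it, and the advance should depend on which predicate fired. More significantly, ending the snippet at the first `(` or quote truncates almost every script body to a handful of characters, and a shorter snippet is much easier to match against unrelated request parameters, so this should come with a test showing that benign reflected code (a call with arguments, a string literal) does not trip the auditor, or a comment explaining why the minimum-length checks elsewhere keep that from happening. It is also unclear why these delimiter checks sit inside the `!request.shouldAllowCDATA` guard, which was about comment syntax; if they are meant to apply regardless of CDATA handling they belong outside it. The `||` operators are missing the leading space used elsewhere in this file. The enclosing for-loop and function continue outside the hunk.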