New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 783618 link

Starred by 4 users
Status: Fixed
Owner:
tsepez@chromium.org
Closed: Nov 2017
Cc:
mkwst@chromium.org
tsepez@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug


Show other hotlists

Hotlists containing this issue:
EnamelAndFriendsFixIt


Sign in to add a comment

XSSAuditor should filter "url" in IsURLParameter

Reported by wanghui0...@gmail.com, Nov 10 2017 
UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce the problem:
1. open http://t.mhz.pw/game/xss/xss.php?xss=%3Cobject%3E%3Cparam%20name=%27url%27%20value=%27http://www.sogo.com%27%3E%3C/param%3E%3C/object%3E
2. open this url, shouldn't show the content of "www.sogo.com"

What is the expected behavior?
shouldn't show the content of "www.sogo.com"

What went wrong?
bool HTMLParamElement::IsURLParameter(const String& name) {
  return DeprecatedEqualIgnoringCase(name, "data") ||
         DeprecatedEqualIgnoringCase(name, "movie") ||
         DeprecatedEqualIgnoringCase(name, "src");
}

"url" should be filted too, because the object will get url from "'data','movie','src','url'".

    // HTML5 says that an object resource's URL is specified by the object's
    // data attribute, not by a param element. However, for compatibility, allow
    // the resource's URL to be given by a param named "src", "movie", "code" or
    // "url" if we know that resource points to a plugin.
    if (url_.IsEmpty() && (DeprecatedEqualIgnoringCase(name, "src") ||
                           DeprecatedEqualIgnoringCase(name, "movie") ||
                           DeprecatedEqualIgnoringCase(name, "code") ||
                           DeprecatedEqualIgnoringCase(name, "url"))) {
      url_ = StripLeadingAndTrailingHTMLSpaces(p->Value());
    }

Did this work before? N/A 

Chrome version: 61.0.3163.100  Channel: n/a
OS Version: 61.0.3163.100
Flash Version: non

Comment 1 by elawrence@chromium.org, Nov 10 2017

Components: Blink>SecurityFeature>XSSAuditor
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Summary: XSSAuditor should filter "url" in IsURLParameter (was: XSSAuditor ParamToken Filter)
Thanks for the report.
https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Are-XSS-filter-bypasses-considered-security-bugs

Comment 2 by tsepez@chromium.org, Nov 10 2017

Owner: tsepez@chromium.org
Status: Assigned (was: Unconfirmed)

Comment 4 by est...@chromium.org, Nov 10 2017

Labels: Hotlist-EnamelAndFriendsFixIt

Comment 5 by tsepez@chromium.org, Nov 10 2017

Cc: tsepez@chromium.org
 Issue 676992  has been merged into this issue.
Project Member

Comment 6 by bugdroid1@chromium.org, Nov 13 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8e0a1f6fb882612ed184d114dac94daca2b856a8

commit 8e0a1f6fb882612ed184d114dac94daca2b856a8
Author: Tom Sepez <tsepez@chromium.org>
Date: Mon Nov 13 19:34:02 2017

Unify IsURLParameter() logic between HTML{Object,Param}Element.cpp

Add missing case of "url" param name that triggered XSSAuditor bypass.
Make one corresponding change to keep behaviour as stable as possible.

Bug:  783618 
Change-Id: Ic74bf385d3604e6ff71221ae4104e88c2201e118
Reviewed-on: https://chromium-review.googlesource.com/764113
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Charlie Harrison <csharrison@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#516003}
[add] https://crrev.com/8e0a1f6fb882612ed184d114dac94daca2b856a8/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/object-tag-param-code-expected.txt
[add] https://crrev.com/8e0a1f6fb882612ed184d114dac94daca2b856a8/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/object-tag-param-code.html
[add] https://crrev.com/8e0a1f6fb882612ed184d114dac94daca2b856a8/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/object-tag-param-data-expected.txt
[add] https://crrev.com/8e0a1f6fb882612ed184d114dac94daca2b856a8/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/object-tag-param-data.html
[rename] https://crrev.com/8e0a1f6fb882612ed184d114dac94daca2b856a8/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/object-tag-param-movie-expected.txt
[rename] https://crrev.com/8e0a1f6fb882612ed184d114dac94daca2b856a8/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/object-tag-param-movie.html
[add] https://crrev.com/8e0a1f6fb882612ed184d114dac94daca2b856a8/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/object-tag-param-src-expected.txt
[add] https://crrev.com/8e0a1f6fb882612ed184d114dac94daca2b856a8/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/object-tag-param-src.html
[add] https://crrev.com/8e0a1f6fb882612ed184d114dac94daca2b856a8/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/object-tag-param-url-expected.txt
[add] https://crrev.com/8e0a1f6fb882612ed184d114dac94daca2b856a8/third_party/WebKit/LayoutTests/http/tests/security/xssAuditor/object-tag-param-url.html
[modify] https://crrev.com/8e0a1f6fb882612ed184d114dac94daca2b856a8/third_party/WebKit/Source/core/html/HTMLObjectElement.cpp
[modify] https://crrev.com/8e0a1f6fb882612ed184d114dac94daca2b856a8/third_party/WebKit/Source/core/html/HTMLParamElement.cpp

Comment 7 by tsepez@chromium.org, Nov 13 2017

Status: Fixed (was: Assigned)

Sign in to add a comment