ready to push to try
authorRiccardo Pelizzi <r.pelizzi@gmail.com>
Sun, 22 Jan 2012 20:07:44 -0500
changeset 36 f1052c847ac42d219f4cc889fbcb652a3927316a
parent 35 754bfb3a981d339571385e2f40c2a7ea8f938ac8
child 37 48dd641008026f951561f7e8d9ad35278f91d556
push id21
push userr.pelizzi@gmail.com
push dateMon, 23 Jan 2012 01:07:56 +0000
ready to push to try
xssfilter
--- a/xssfilter
+++ b/xssfilter
@@ -1939,17 +1939,17 @@ new file mode 100644
 +
 +
 +
 +#endif /* nsXSSFilter_h */
 diff --git a/content/base/src/nsXSSUtils.cpp b/content/base/src/nsXSSUtils.cpp
 new file mode 100644
 --- /dev/null
 +++ b/content/base/src/nsXSSUtils.cpp
-@@ -0,0 +1,1737 @@
+@@ -0,0 +1,1733 @@
 +/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 +/* ***** BEGIN LICENSE BLOCK *****
 + * Version: MPL 1.1/GPL 2.0/LGPL 2.1
 + *
 + * The contents of this file are subject to the Mozilla Public License Version
 + * 1.1 (the "License"); you may not use this file except in compliance with
 + * the License. You may obtain a copy of the License at
 + * http://www.mozilla.org/MPL/
@@ -1993,17 +1993,16 @@ new file mode 100644
 +#include "nsIIOService.h"
 +#include "nsNetUtil.h"
 +#include "nsEscape.h"
 +#include "nsIEffectiveTLDService.h"
 +#include <string.h>
 +#include <wchar.h>
 +#include "math.h"
 +#include "nsGenericHTMLElement.h"
-+#include "nsIDOMNSHTMLElement.h"
 +#include "mozAutoDocUpdate.h"
 +#include "nsIDocument.h"
 +#include "mozilla/dom/Element.h"
 +
 +#include "nsScriptLoader.h"
 +#include "nsHtml5Module.h"
 +
 +using namespace mozilla::dom;
@@ -2279,21 +2278,19 @@ new file mode 100644
 +                                        nsIDOMNode::ELEMENT_NODE);
 +  if (!titleInfo) {
 +    return NS_OK;
 +  }
 +  nsIContent* title = NS_NewHTMLTitleElement(titleInfo.forget());
 +  if (!title) {
 +    return NS_OK;
 +  }
-+  nsCOMPtr<nsIDOMNSHTMLElement> domNSTitle(do_QueryInterface(title));
-+  nsCOMPtr<nsIDOMHTMLElement> domTitle(do_QueryInterface(title));
-+  nsAutoString c;
-+  domNSTitle->SetInnerHTML(aString);
-+  domTitle->GetTextContent(result);
++  nsCOMPtr<nsGenericHTMLElement> elTitle(do_QueryInterface(title));
++  elTitle->SetInnerHTML(aString);
++  title->GetTextContent(result);
 +  return NS_OK;
 +}
 +
 +PRUint32
 +nsXSSUtils::GetHostLimit(nsIURI* aURI)
 +{
 +  nsCAutoString prePath, path;
 +  aURI->GetPrePath(prePath);
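Review bot: `elTitle` is dereferenced on the new `elTitle->SetInnerHTML(aString)` line without a null check, although the two preceding lookups (`titleInfo`, `title`) are each guarded with an early `return NS_OK;`; if the QueryInterface to nsGenericHTMLElement fails, the filter crashes instead of degrading. Adding `if (!elTitle) { return NS_OK; }` directly after the QI keeps the three guards consistent. The nsresult returned by `SetInnerHTML(aString)` is also discarded, so a parse failure on the input (presumably tainted, given the filter's purpose) is indistinguishable from success and `result` is simply whatever `GetTextContent` yields on the untouched element; propagating it, `nsresult rv = elTitle->SetInnerHTML(aString); NS_ENSURE_SUCCESS(rv, rv);`, would make that visible to callers. The enclosing function begins above this hunk, and GetHostLimit at the bottom continues below it.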
@@ -2337,28 +2334,27 @@ new file mode 100644
 +  LOG_XSS("Initialized Statics for XSS Utils");
 +
 +}
 +
 +PRBool
 +nsXSSUtils::FindInlineXSS(const nsAString& aParam, const nsAString& aScript)
 +{
 +  MatchRes mres;
++  // TODO: cut the script to a maximum length
 +  if (aParam.Length() >= aScript.Length()) {
 +    // base case where the attacker injects the whole script. Since
-+    // the tags are stripped, the script ends up being shorter.
-+    nsXSSUtils::P1FastMatchReverse(aParam, Substring(aScript, 0, SCRIPT_LEN),
-+                                   THRESHOLD, mres);
++    // the tags/quotes are stripped, the script ends up being shorter.
++    nsXSSUtils::P1FastMatchReverse(aParam, aScript, THRESHOLD, mres);
 +  } else if (aParam.Length() >= aScript.Length() * (1-THRESHOLD)) {
 +    // if we do not care about partial injections the only possible
-+    // case of |script| > |param| is due to sanitization from the web
-+    // application. in this case, it makes sense to match only if the
-+    // length is close enough.
-+    nsXSSUtils::P1FastMatch(aParam, Substring(aScript, 0, SCRIPT_LEN),
-+                            THRESHOLD, mres);
++    // case of |script| > |param| is due to sanitization increasing
++    // the size of the script (e.g. add slashes). In this case, it
++    // makes sense to match only if the length is close enough.
++    nsXSSUtils::P1FastMatch(aParam, aScript, THRESHOLD, mres);
 +  }
 +  mres.ClearInvalidMatches(THRESHOLD);
 +
 +  for (PRUint32 i = 0; i < mres.elem_.Length(); i++) {
 +    LOG_XSS_2("Match in FindInlineXSS: %d %d\n", mres[i].matchBeg_,
 +              mres[i].matchEnd_);
 +    // check: tainted string must not be at the beginning of the script
 +    if (mres[i].matchBeg_ == 0) {
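Review bot: The new `P1FastMatchReverse(aParam, aScript, THRESHOLD, mres)` and `P1FastMatch(aParam, aScript, THRESHOLD, mres)` calls drop the earlier `Substring(aScript, 0, SCRIPT_LEN)` cap, and the added `// TODO: cut the script to a maximum length` only defers its replacement, so both matchers now run over the full script and the per-call cost is bounded only by the size of the inline script. The old code was admittedly inconsistent (it compared lengths against the full `aScript` but matched against the truncated one), so making the two agree is right; the bound should come back with that consistency rather than later. One way is a single bounded view at the top of the function, `const nsDependentSubstring script(aScript, 0, NS_MIN(aScript.Length(), SCRIPT_LEN));`, used in both the length comparisons and the two matcher calls, assuming SCRIPT_LEN still has the meaning it had before this change. FindInlineXSS continues past the end of this hunk.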
@@ -4973,17 +4969,17 @@ diff --git a/content/events/src/nsEventL
 +  // 1. xss filter
 +  nsIDocument* doc = nsnull;
 +  nsCOMPtr<nsINode> node = do_QueryInterface(aCurrentTarget);
 +  if (!node) {
 +    PR_LOG(gXssPRLog, PR_LOG_DEBUG,
 +           ("CheckEventForXSS:no node"));
 +    return PR_FALSE;
 +  }
-+  doc = node->GetOwnerDoc();
++  doc = node->GetOwnerDocument();
 +  nsIPrincipal* principal = doc->NodePrincipal();
 +  if (!principal) {
 +    PR_LOG(gXssPRLog, PR_LOG_DEBUG,
 +           ("CheckEventForXSS:no principal"));
 +    return PR_FALSE;
 +  }
 +  nsRefPtr<nsXSSFilter> xss;
 +  nsresult rv = principal->GetXSSFilter(getter_AddRefs(xss));
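Review bot: `doc` is dereferenced at `doc->NodePrincipal()` immediately after the new `doc = node->GetOwnerDocument();` with no null check, while every other lookup in this block (`node`, `principal`) is guarded and logged before use. I cannot confirm GetOwnerDocument's contract from the hunk; if it can return null for a node that is not in a document, a guard in the same style, `if (!doc) { PR_LOG(gXssPRLog, PR_LOG_DEBUG, ("CheckEventForXSS:no document")); return PR_FALSE; }`, is needed, and if it never returns null, a short comment saying so would spare the next reader the same question. The `nsIDocument* doc = nsnull;` declaration several lines earlier could then be folded into the assignment, `nsIDocument* doc = node->GetOwnerDocument();`, declaring at first use. CheckEventForXSS continues beyond the end of this hunk.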