Title: [97036] trunk/Tools
Revision
97036
Author
[email protected]
Date
2011-10-09 19:29:02 -0700 (Sun, 09 Oct 2011)

Log Message

Remove "near miss" XSS vulnerabilities in garden-o-matic
https://bugs.webkit.org/show_bug.cgi?id=69708

Reviewed by David Levin.

Collin Jackson did a security audit of garden-o-matic.  He hasn't found
any actual vulnerabilities yet, but he did identify a couple "near
misses" where a slight change in garden-o-matic could lead to a
vulnerability.  This patch removes those potential issues.

* BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/Bugzilla.js:
* BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/ui.js:

Modified Paths

Diff

Modified: trunk/Tools/BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/Bugzilla.js (97035 => 97036)


--- trunk/Tools/BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/Bugzilla.js	2011-10-10 01:15:21 UTC (rev 97035)
+++ trunk/Tools/BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/Bugzilla.js	2011-10-10 02:29:02 UTC (rev 97036)
@@ -34,6 +34,19 @@
     REOPENED: true,
 };
 
+function createDetachedFragment(htmlFragment)
+{
+    // Step 1: Create a detached Document to perform the parsing.
+    var detachedDocument = document.implementation.createHTMLDocument();
+
+    // Step 2: Create a detached Element associated with the detached Document.
+    var container = detachedDocument.createElement('div');
+
+    // Step 3: Pull the trigger.
+    container.innerHTML = htmlFragment;
+    return container;
+}
+
 var g_searchCache = new base.AsynchronousCache(function(query, callback) {
     var url = "" + '/buglist.cgi?' + $.param({
         ctype: 'rss',
@@ -44,10 +57,9 @@
     net.get(url, function(responseXML) {
         var entries = responseXML.getElementsByTagName('entry');
         var results = Array.prototype.map.call(entries, function(entry) {
-            var container = document.createElement('div');
-            // FIXME: Is this an XSS risk?
-            container.innerHTML = entry.getElementsByTagName('summary')[0].textContent;
-            var statusRow = container.querySelector('tr.bz_feed_bug_status');
+            var htmlFragment = entry.getElementsByTagName('summary')[0].textContent;
+            var fragment = createDetachedFragment(htmlFragment);
+            var statusRow = fragment.querySelector('tr.bz_feed_bug_status');
             return {
                 title: entry.getElementsByTagName('title')[0].textContent,
                 url: entry.getElementsByTagName('id')[0].textContent,

Modified: trunk/Tools/BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/ui.js (97035 => 97036)


--- trunk/Tools/BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/ui.js	2011-10-10 01:15:21 UTC (rev 97035)
+++ trunk/Tools/BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/ui.js	2011-10-10 02:29:02 UTC (rev 97036)
@@ -76,7 +76,14 @@
     },
     tabNamed: function(tabName)
     {
-        return $('#' + tabName, this)[0];
+        tab = document.getElementById(tabName);
+        // We perform this sanity check below to make sure getElementById
+        // hasn't given us a node in some other unrelated part of the document.
+        // that shouldn't happen normally, but it could happen if an attacker
+        // has somehow sneakily added a node to our document.
+        if (tab.parentNode != this)
+            return null;
+        return tab;
     },
     summary: function()
     {
@@ -130,9 +137,9 @@
         document.body.appendChild(this);
         $(this).dialog({
             resizable: false,
-            title: title,
             width: $(window).width() * 0.80,  // FIXME: We should have CSS do this work for us.
         });
+        $('.ui-dialog-title', this.parentNode).text(title);
         $(this).bind('dialogclose', function() {
             $(this).detach();
         }.bind(this));

Modified: trunk/Tools/ChangeLog (97035 => 97036)


--- trunk/Tools/ChangeLog	2011-10-10 01:15:21 UTC (rev 97035)
+++ trunk/Tools/ChangeLog	2011-10-10 02:29:02 UTC (rev 97036)
@@ -1,3 +1,18 @@
+2011-10-09  Adam Barth  <[email protected]>
+
+        Remove "near miss" XSS vulnerabilities in garden-o-matic
+        https://bugs.webkit.org/show_bug.cgi?id=69708
+
+        Reviewed by David Levin.
+
+        Collin Jackson did a security audit of garden-o-matic.  He hasn't found
+        any actual vulnerabilities yet, but he did identify a couple "near
+        misses" where a slight change in garden-o-matic could lead to a
+        vulnerability.  This patch removes those potential issues.
+
+        * BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/Bugzilla.js:
+        * BuildSlaveSupport/build.webkit.org-config/public_html/TestFailures/scripts/ui.js:
+
 2011-10-07  Adam Barth  <[email protected]>
 
         Add a Content-Security-Policy to garden-o-matic
_______________________________________________
webkit-changes mailing list
[email protected]
http://lists.webkit.org/mailman/listinfo.cgi/webkit-changes

Reply via email to