1.93b: Major fix to URL XSS detection logic

ChangeLog

@@ -1,3 +1,8 @@
+Version 1.93b:
+--------------
+
+  - Major fix to URL XSS detection logic.
+
 Version 1.92b:
 --------------
 

Makefile

@@ -20,7 +20,7 @@
 #
 
 PROGNAME   = skipfish
-VERSION    = 1.92b
+VERSION    = 1.93b
 
 OBJFILES   = http_client.c database.c crawler.c analysis.c report.c
 INCFILES   = alloc-inl.h string-inl.h debug.h types.h http_client.h \

analysis.c

@@ -122,10 +122,10 @@ static void test_add_link(u8* str, struct http_request* ref,
 
   /* Don't add injected links. */
 
-  if (!strncasecmp((char*)str, "skipfish:", 10) ||
+  if (!strncasecmp((char*)str, "skipfish:", 9) ||
-      !strncasecmp((char*)str, "//skipfish.invalid/", 20) ||
+      !strncasecmp((char*)str, "//skipfish.invalid/", 19) ||
       inl_strcasestr(str, (u8*) "/" BOGUS_FILE) ||
-      !strncasecmp((char*)str, "http://skipfish.invalid/", 25)) return;
+      !strncasecmp((char*)str, "http://skipfish.invalid/", 24)) return;
 
   /* Don't add links that look like they came from JS code with fragmented HTML
      snippets, etc. */
@@ -1275,9 +1275,9 @@ static void check_js_xss(struct http_request* req, struct http_response* res,
           !strncmp((char*)last_word, "url", 3) ||
           !strncmp((char*)last_word, "href", 4) ||
           !strncmp((char*)last_word, "write", 5)) &&
-          (!strncasecmp((char*)text + 1,"//skipfish.invalid/", 20) ||
+          (!strncasecmp((char*)text + 1,"//skipfish.invalid/", 19) ||
-          !strncasecmp((char*)text + 1,"http://skipfish.invalid/", 25) ||
+          !strncasecmp((char*)text + 1,"http://skipfish.invalid/", 24) ||
-          !strncasecmp((char*)text + 1,"skipfish:", 10)))
+          !strncasecmp((char*)text + 1,"skipfish:", 9)))
         problem(PROB_URL_XSS, req, res,
           (u8*)"injected URL in JS/CSS code", req->pivot, 0);
 
@@ -1644,7 +1644,7 @@ void content_checks(struct http_request* req, struct http_response* res) {
              strcasecmp((char*)tag_name, "input")) ||
             !strcasecmp((char*)param_name, "codebase")) && clean_val) {
 
-          if (!strncasecmp((char*)clean_val, "skipfish://", 12))
+          if (!strncasecmp((char*)clean_val, "skipfish://", 11))
             problem(PROB_URL_XSS, req, res, tag_name, req->pivot, 0);
 
           /* A bit hairy, but in essence, links to attacker-supplied
@@ -1652,8 +1652,8 @@ void content_checks(struct http_request* req, struct http_response* res) {
              are sorta noteworthy, depending on context; and A links
              are usually of little relevance. */
 
-          if (!strncasecmp((char*)clean_val, "http://skipfish.invalid/", 25) ||
+          if (!strncasecmp((char*)clean_val, "http://skipfish.invalid/", 24) ||
-              !strncasecmp((char*)clean_val, "//skipfish.invalid/", 20)) {
+              !strncasecmp((char*)clean_val, "//skipfish.invalid/", 19)) {
 
             if (!strcasecmp((char*)tag_name, "script") ||
                 !strcasecmp((char*)tag_name, "link"))
@@ -1679,14 +1679,14 @@ void content_checks(struct http_request* req, struct http_response* res) {
             url += 4;
             if (*url == '\'' || *url == '"') { url++; semi_safe = 1; }
 
-            if (!strncasecmp((char*)url, "http://skipfish.invalid/", 25) ||
+            if (!strncasecmp((char*)url, "http://skipfish.invalid/", 24) ||
-                !strncasecmp((char*)url, "//skipfish.invalid/", 20))
+                !strncasecmp((char*)url, "//skipfish.invalid/", 19))
               problem(PROB_URL_REDIR, req, res, (u8*)"injected URL in META refresh",
                       req->pivot, 0);
 
             /* Unescaped semicolon in Refresh headers is unsafe with MSIE6. */
 
-           if (!strncasecmp((char*)url, "skipfish://", 12) ||
+           if (!strncasecmp((char*)url, "skipfish://", 11) ||
                (!semi_safe && strchr((char*)url, ';')))
              problem(PROB_URL_XSS, req, res, (u8*)"injected URL in META refresh",
                      req->pivot, 0);

crawler.c

@@ -980,12 +980,12 @@ static u8 inject_check5_callback(struct http_request* req,
 
   if (val) {
 
-    if (!strncasecmp((char*)val, "http://skipfish.invalid/", 25) ||
+    if (!strncasecmp((char*)val, "http://skipfish.invalid/", 24) ||
-        !strncasecmp((char*)val, "//skipfish.invalid/", 21))
+        !strncasecmp((char*)val, "//skipfish.invalid/", 19))
       problem(PROB_URL_REDIR, req, res, (u8*)"injected URL in 'Location' header",
               req->pivot, 0);
 
-    if (!strncasecmp((char*)val, "skipfish://", 12))
+    if (!strncasecmp((char*)val, "skipfish://", 11))
       problem(PROB_URL_XSS, req, res, (u8*)"injected URL in 'Location' header",
               req->pivot, 0);
 
@@ -998,14 +998,14 @@ static u8 inject_check5_callback(struct http_request* req,
 
     if (*val == '\'' || *val == '"') { val++; semi_safe++; }
 
-    if (!strncasecmp((char*)val, "http://skipfish.invalid/", 25) ||
+    if (!strncasecmp((char*)val, "http://skipfish.invalid/", 24) ||
-        !strncasecmp((char*)val, "//skipfish.invalid/", 20))
+        !strncasecmp((char*)val, "//skipfish.invalid/", 19))
       problem(PROB_URL_REDIR, req, res, (u8*)"injected URL in 'Refresh' header",
               req->pivot, 0);
 
     /* Unescaped semicolon in Refresh headers is unsafe with MSIE6. */
 
-    if (!strncasecmp((char*)val, "skipfish://", 12) ||
+    if (!strncasecmp((char*)val, "skipfish://", 11) ||
         (!semi_safe && strchr((char*)val, ';')))
       problem(PROB_URL_XSS, req, res, (u8*)"injected URL in 'Refresh' header",
               req->pivot, 0);