From db5656f6075a561806bb74450f5a7c559675af79 Mon Sep 17 00:00:00 2001
From: Raymond Hill
Date: Tue, 13 Feb 2024 14:35:08 -0500
Subject: [PATCH] Fix potential exfiltration of browsing history by a rogue list author through `csp=` As reported internally to ubo-security by https://github.com/distinctmondaylila One issue is a regression from the rewriting of the static filtering parser in version 1.47.0, specifically the following commit: https://github.com/gorhill/uBlock/commit/8ea3b0f64c The existing regex was no longer suitable to properly detect some usage of `report-xxx` in the rwritten parser. Another issue which predates 1.47.0 is that the regex used for validation was case-sensititive, while the `report-uri` directive can be written using uppercase letters, i.e. `Report-uri`.
---
 src/js/static-filtering-parser.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/js/static-filtering-parser.js b/src/js/static-filtering-parser.js
index 465d9f4e7..ac735dcc4 100644
--- a/src/js/static-filtering-parser.js
+++ b/src/js/static-filtering-parser.js
@@ -896,7 +896,7 @@ export class AstFilterParser {
 this.reResponseheaderPattern = /^\^responseheader\(.*\)$/;
 this.rePatternScriptletJsonArgs = /^\{.*\}$/;
 this.reGoodRegexToken = /[^\x01%0-9A-Za-z][%0-9A-Za-z]{7,}|[^\x01%0-9A-Za-z][%0-9A-Za-z]{1,6}[^\x01%0-9A-Za-z]/;
- this.reBadCSP = /(?:=|;)\s*report-(?:to|uri)\b/;
+ this.reBadCSP = /(?:^|;)\s*report-(?:to|uri)\b/i;
 this.reNoopOption = /^_+$/;
 this.scriptletArgListParser = new ArgListParser(',');
 }
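Review bot: The new anchor `(?:^|;)` in `reBadCSP` treats only start-of-value and `;` as directive boundaries, but a serialized CSP value can also carry several policies separated by `,`, so a `report-uri` or `report-to` directive that opens a second policy would be preceded by neither. The hunk does not show how the `csp=` value is tokenized or where this regex is applied, so a comma may already be excluded upstream; if one can reach this check, widening the class to `/(?:^|[;,])\s*report-(?:to|uri)\b/i` would cover it. A comment above the line, e.g. `// Reject CSP reporting directives: they would send visited URLs to an endpoint chosen by the list author`, plus a regression test for mixed-case and first-position directives, would help keep a future parser rewrite from reintroducing the gap. The constructor that holds this assignment starts outside the hunk.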