rpms/kdelibs/F-11 kdelibs-4.3.3-oCERT-2009-015-xmlhttprequest.patch, NONE, 1.1 kdelibs.spec, 1.498, 1.499
Lukas Tinkl
ltinkl at fedoraproject.org
Mon Nov 2 16:10:39 UTC 2009
Author: ltinkl
Update of /cvs/extras/rpms/kdelibs/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv27837/F-11
Modified Files:
kdelibs.spec
Added Files:
kdelibs-4.3.3-oCERT-2009-015-xmlhttprequest.patch
Log Message:
fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015)
kdelibs-4.3.3-oCERT-2009-015-xmlhttprequest.patch:
xmlhttprequest.cpp | 43 ++++++++++++++++++++++---------------------
1 file changed, 22 insertions(+), 21 deletions(-)
--- NEW FILE kdelibs-4.3.3-oCERT-2009-015-xmlhttprequest.patch ---
Index: khtml/ecma/xmlhttprequest.cpp
===================================================================
--- khtml/ecma/xmlhttprequest.cpp (revision 1035538)
+++ khtml/ecma/xmlhttprequest.cpp (revision 1035539)
@@ -49,7 +49,7 @@
using namespace KJS;
using namespace DOM;
-//
+//
////////////////////// XMLHttpRequest Object ////////////////////////
/* Source for XMLHttpRequestProtoTable.
@@ -269,7 +269,7 @@
static bool canSetRequestHeader(const QString& name)
{
static QSet<CaseInsensitiveString> forbiddenHeaders;
-
+
if (forbiddenHeaders.isEmpty()) {
static const char* hdrs[] = {
"accept-charset",
@@ -298,12 +298,12 @@
"transfer-encoding",
"unlock",
"upgrade",
- "via"
+ "via"
};
for (size_t i = 0; i < sizeof(hdrs)/sizeof(char*); ++i)
forbiddenHeaders.insert(CaseInsensitiveString(hdrs[i]));
}
-
+
return !forbiddenHeaders.contains(name);
}
@@ -326,9 +326,9 @@
XMLHttpRequest::~XMLHttpRequest()
{
- if (onLoadListener)
+ if (onLoadListener)
onLoadListener->deref();
- if (onReadyStateChangeListener)
+ if (onReadyStateChangeListener)
onReadyStateChangeListener->deref();
delete qObject;
qObject = 0;
@@ -412,18 +412,19 @@
return;
}
+ const QString protocol = url.protocol().toLower();
+ // Abandon the request when the protocol is other than "http",
+ // instead of blindly doing a KIO::get on other protocols like file:/.
+ if (!protocol.startsWith(QLatin1String("http")) &&
+ !protocol.startsWith(QLatin1String("webdav")))
+ {
+ ec = DOMException::INVALID_ACCESS_ERR;
+ abort();
+ return;
+ }
+
if (method == "post") {
- QString protocol = url.protocol().toLower();
- // Abondon the request when the protocol is other than "http",
- // instead of blindly changing it to a "get" request.
- if (!protocol.startsWith(QLatin1String("http")) &&
- !protocol.startsWith(QLatin1String("webdav")))
- {
- abort();
- return;
- }
-
// FIXME: determine post encoding correctly by looking in headers
// for charset.
QByteArray buf = _body.toUtf8();
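Review bot: The scheme check added ahead of `if (method == "post")` is a prefix match, so any KIO protocol whose name merely begins with `http` or `webdav` passes it, not only the intended ones. An exact allowlist would be tighter, for example `static const QSet<QString> allowed = QSet<QString>() << "http" << "https" << "webdav" << "webdavs";` followed by `if (!allowed.contains(protocol)) {`. The new comment says 'other than "http"' although webdav is accepted too; `// Only http(s) and webdav(s) may be fetched; refuse file:/ and every other KIO scheme.` would match the code. The enclosing function starts and ends outside the hunk, so it is not visible here whether a redirect to a different scheme is re-checked after the request is started.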
@@ -580,7 +581,7 @@
ec = DOMException::INVALID_STATE_ERR;
return jsString("");
}
-
+
// ### test error flag, return jsNull
if (responseHeaders.isEmpty()) {
@@ -809,7 +810,7 @@
setDOMException(exec, ec);
return ret;
}
- case XMLHttpRequest::GetResponseHeader:
+ case XMLHttpRequest::GetResponseHeader:
{
if (args.size() < 1)
return throwError(exec, SyntaxError, "Not enough arguments");
@@ -852,11 +853,11 @@
DOM::NodeImpl* docNode = toNode(args[0]);
if (docNode && docNode->isDocumentNode()) {
DOM::DocumentImpl *doc = static_cast<DOM::DocumentImpl *>(docNode);
-
+
try {
body = doc->toString().string();
// FIXME: also need to set content type, including encoding!
-
+
} catch(DOM::DOMException&) {
return throwError(exec, GeneralError, "Exception serializing document");
}
@@ -866,7 +867,7 @@
}
request->send(body, ec);
- setDOMException(exec, ec);
+ setDOMException(exec, ec);
return jsUndefined();
}
case XMLHttpRequest::SetRequestHeader:
Index: kdelibs.spec
===================================================================
RCS file: /cvs/extras/rpms/kdelibs/F-11/kdelibs.spec,v
retrieving revision 1.498
retrieving revision 1.499
diff -u -p -r1.498 -r1.499
--- kdelibs.spec 12 Oct 2009 16:31:15 -0000 1.498
+++ kdelibs.spec 2 Nov 2009 16:10:38 -0000 1.499
@@ -4,7 +4,7 @@
Summary: K Desktop Environment 4 - Libraries
Version: 4.3.2
-Release: 4%{?dist}
+Release: 5%{?dist}
Name: kdelibs
Epoch: 6
@@ -85,6 +85,8 @@ Patch102: kdelibs-4.3.2-kde#1033984.patc
# security fix
Patch200: kdelibs-4.3.1-CVE-2009-2702.patch
+# fix oCERT-2009-015 - unrestricted XMLHttpRequest access to local URLs
+Patch201: kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch
BuildRequires: qt4-devel >= 4.5.0
# qt4%{_?_isa} isn't provided yet -- Rex
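Review bot: `Patch201` names `kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch`, but the file this commit adds is `kdelibs-4.3.3-oCERT-2009-015-xmlhttprequest.patch`. Unless a 3.5.10-named file already exists in the module, the build would likely fail on the missing source, or apply a different patch than the one under review. The line should presumably read `Patch201: kdelibs-4.3.3-oCERT-2009-015-xmlhttprequest.patch`. As this is a security fix, it is worth confirming in the build log that `%patch201` actually modified `khtml/ecma/xmlhttprequest.cpp`.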
@@ -210,6 +212,7 @@ format for easy browsing.
# security fix
%patch200 -p1 -b .CVE-2009-2702
+%patch201 -p0 -b .oCERT-2009-015-xmlhttprequest
%build
@@ -399,6 +402,9 @@ rm -rf %{buildroot}
%changelog
+* Mon Nov 2 2009 Lukáš Tinkl <ltinkl at redhat.com> - 4.3.2-5
+- fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015), #532428
+
* Mon Oct 12 2009 Lukáš Tinkl <ltinkl at redhat.com> - 4.3.2-4
- khtml kpart crasher nr. 2 (rev.1033984)