rpms/qt/F-11 qt-everywhere-opensource-src-4.6.2-cve-2010-0047.patch, NONE, 1.1 qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch, NONE, 1.1 qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch, NONE, 1.1 qt.spec, 1.296, 1.297
Than Ngo
than at fedoraproject.org
Thu May 6 16:04:28 UTC 2010
Author: than
Update of /cvs/extras/rpms/qt/F-11
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv20736
Modified Files:
qt.spec
Added Files:
qt-everywhere-opensource-src-4.6.2-cve-2010-0047.patch
qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch
qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch
Log Message:
- bz#589169, fix multiple flaws in webkit
CVE-2010-0047, CVE-2010-0648, CVE-2010-0656
qt-everywhere-opensource-src-4.6.2-cve-2010-0047.patch:
FrameLoader.cpp | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- NEW FILE qt-everywhere-opensource-src-4.6.2-cve-2010-0047.patch ---
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp.cve-2010-0047-call-after-free qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp.cve-2010-0047-call-after-free 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp 2010-05-06 12:21:13.852469331 +0200
@@ -1260,9 +1260,11 @@ bool FrameLoader::requestObject(RenderPa
ASSERT(renderer->node()->hasTagName(objectTag) || renderer->node()->hasTagName(embedTag));
HTMLPlugInElement* element = static_cast<HTMLPlugInElement*>(renderer->node());
-
- // FIXME: OK to always make a new frame? When does the old frame get removed?
- return loadSubframe(element, completedURL, frameName, m_outgoingReferrer);
+
+ // If the plug-in element already contains a subframe, requestFrame will re-use it. Otherwise,
+ // it will create a new frame and set it as the RenderPart's widget, causing what was previously
+ // in the widget to be torn down.
+ return requestFrame(element, completedURL, frameName);
}
bool FrameLoader::shouldUsePlugin(const KURL& url, const String& mimeType, bool hasFallback, bool& useFallback)
qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch:
ChangeLog | 90 +++++++++++++++++++++++++++++++++++++++++
css/CSSImportRule.cpp | 17 ++++---
css/CSSImportRule.h | 2
css/CSSStyleSheet.cpp | 12 ++---
css/CSSStyleSheet.h | 32 ++++++++------
css/StyleBase.cpp | 6 +-
css/StyleSheet.cpp | 15 ++++--
css/StyleSheet.h | 23 +++++++---
dom/Document.cpp | 12 ++---
dom/ProcessingInstruction.cpp | 11 ++---
dom/ProcessingInstruction.h | 4 -
dom/StyleElement.cpp | 2
html/HTMLLinkElement.cpp | 10 ++--
html/HTMLLinkElement.h | 2
loader/CachedCSSStyleSheet.cpp | 6 +-
loader/CachedResourceClient.h | 5 +-
loader/CachedXSLStyleSheet.cpp | 5 --
xml/XSLImportRule.cpp | 14 +++---
xml/XSLImportRule.h | 2
xml/XSLStyleSheet.h | 16 +++----
xml/XSLStyleSheetLibxslt.cpp | 12 ++---
xml/XSLStyleSheetQt.cpp | 4 -
xml/XSLTProcessorLibxslt.cpp | 3 -
xml/XSLTProcessorQt.cpp | 4 +
24 files changed, 211 insertions(+), 98 deletions(-)
--- NEW FILE qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch ---
diff -U0 qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog 2010-05-03 15:55:37.703101680 +0200
@@ -0,0 +1,90 @@
+2010-01-20 Adam Barth <abarth at webkit.org>
+
+ Reviewed by Darin Adler.
+
+ Stylesheet href property shows redirected URL unlike other browsers
+ https://bugs.webkit.org/show_bug.cgi?id=33683
+
+ Teach StyleSheet the difference between original and final URLs in
+ redirect chains. Unfortunately, StyleSheet needs to know both of these
+ URLs. The original URL is needed for the href property and the final
+ URL is needed as the baseURL.
+
+ This change required touching a lot of lines of code because we need to
+ plumb this information to the StyleSheet object. I audited all
+ existing clients of href() and setHref() to see whether they wanted the
+ original or final URLs. I then updated the clients (except the JS
+ bindings themselves) to use the correct accessor.
+
+ Test: http/tests/security/stylesheet-href-redirect.html
+
+ * css/CSSImportRule.cpp:
+ (WebCore::CSSImportRule::setCSSStyleSheet):
+ (WebCore::CSSImportRule::insertedIntoParent):
+ * css/CSSImportRule.h:
+ * css/CSSStyleSheet.cpp:
+ (WebCore::CSSStyleSheet::CSSStyleSheet):
+ * css/CSSStyleSheet.h:
+ (WebCore::CSSStyleSheet::create):
+ (WebCore::CSSStyleSheet::createInline): Added a new constructor to deal
+ with "inline" style sheets that don't have a distinct original and
+ final URL.
+ * css/StyleBase.cpp:
+ (WebCore::StyleBase::baseURL): This code wants to use the final URL,
+ not the original URL. Updated it to grab the baseURL directly.
+ * css/StyleSheet.cpp:
+ (WebCore::StyleSheet::StyleSheet):
+ * css/StyleSheet.h:
+ (WebCore::StyleSheet::href):
+ (WebCore::StyleSheet::setBaseURL): This function really just updates
+ the base URL of the style sheet, so I made it more explicit.
+ (WebCore::StyleSheet::putativeBaseURL): We need an accessor for the
+ base URL, but baseURL is already taken.
+ * dom/Document.cpp:
+ (WebCore::Document::updateBaseURL):
+ (WebCore::Document::pageUserSheet):
+ (WebCore::Document::pageGroupUserSheets):
+ (WebCore::Document::elementSheet):
+ (WebCore::Document::mappedElementSheet):
+ * dom/ProcessingInstruction.cpp:
+ (WebCore::ProcessingInstruction::checkStyleSheet):
+ (WebCore::ProcessingInstruction::setCSSStyleSheet):
+ (WebCore::ProcessingInstruction::setXSLStyleSheet):
+ * dom/ProcessingInstruction.h:
+ * dom/StyleElement.cpp:
+ (WebCore::StyleElement::createSheet):
+ * html/HTMLLinkElement.cpp:
+ (WebCore::HTMLLinkElement::setCSSStyleSheet):
+ * html/HTMLLinkElement.h:
+ * loader/CachedCSSStyleSheet.cpp:
+ (WebCore::CachedCSSStyleSheet::didAddClient):
+ (WebCore::CachedCSSStyleSheet::checkNotify): This code now passes both
+ the original and final URL into setCSSStyleSheet so that the style
+ sheet can have both.
+ * loader/CachedResourceClient.h:
+ (WebCore::CachedResourceClient::setCSSStyleSheet):
+ (WebCore::CachedResourceClient::setXSLStyleSheet):
+ * loader/CachedXSLStyleSheet.cpp:
+ (WebCore::CachedXSLStyleSheet::didAddClient):
+ (WebCore::CachedXSLStyleSheet::checkNotify): I don't have any direct
+ evidence that we need to change the XSLStyleSheet behavior, which is
+ why I wasn't able to add a test for the behavior. However, the objects
+ are parallel enough that it seemed like the right thing to do.
+ * xml/XSLImportRule.cpp:
+ (WebCore::XSLImportRule::setXSLStyleSheet):
+ (WebCore::XSLImportRule::loadSheet):
+ * xml/XSLImportRule.h:
+ * xml/XSLStyleSheet.h:
+ (WebCore::XSLStyleSheet::create):
+ (WebCore::XSLStyleSheet::createEmbedded):
+ * xml/XSLStyleSheetLibxslt.cpp:
+ (WebCore::XSLStyleSheet::XSLStyleSheet):
+ (WebCore::XSLStyleSheet::parseString):
+ (WebCore::XSLStyleSheet::loadChildSheets):
+ * xml/XSLStyleSheetQt.cpp:
+ (WebCore::XSLStyleSheet::XSLStyleSheet):
+ * xml/XSLTProcessorLibxslt.cpp:
+ (WebCore::xsltStylesheetPointer):
+ * xml/XSLTProcessorQt.cpp:
+ (WebCore::XSLTProcessor::transformToString):
+
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.652102626 +0200
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp 2010-05-03 16:49:14.631038884 +0200
@@ -55,11 +55,11 @@ CSSImportRule::~CSSImportRule()
m_cachedSheet->removeClient(this);
}
-void CSSImportRule::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet)
+void CSSImportRule::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet)
{
if (m_styleSheet)
m_styleSheet->setParent(0);
- m_styleSheet = CSSStyleSheet::create(this, url, charset);
+ m_styleSheet = CSSStyleSheet::create(this, href, baseURL, charset);
bool crossOriginCSS = false;
bool validMIMEType = false;
@@ -70,17 +70,17 @@ void CSSImportRule::setCSSStyleSheet(con
String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType);
m_styleSheet->parseString(sheetText, strict);
- if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
+ if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(baseURL))
crossOriginCSS = true;
if (crossOriginCSS && !validMIMEType && !m_styleSheet->hasSyntacticallyValidCSSHeader())
- m_styleSheet = CSSStyleSheet::create(this, url, charset);
+ m_styleSheet = CSSStyleSheet::create(this, href, baseURL, charset);
if (strict && parent && parent->doc() && parent->doc()->settings() && parent->doc()->settings()->needsSiteSpecificQuirks()) {
// Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css"));
DEFINE_STATIC_LOCAL(const String, mediaWikiKHTMLFixesStyleSheet, ("/* KHTML fix stylesheet */\n/* work around the horizontal scrollbars */\n#column-content { margin-left: 0; }\n\n"));
- if (url.endsWith(slashKHTMLFixesDotCss) && sheetText == mediaWikiKHTMLFixesStyleSheet) {
+ if (baseURL.string().endsWith(slashKHTMLFixesDotCss) && sheetText == mediaWikiKHTMLFixesStyleSheet) {
ASSERT(m_styleSheet->length() == 1);
ExceptionCode ec;
m_styleSheet->deleteRule(0, ec);
@@ -109,15 +109,16 @@ void CSSImportRule::insertedIntoParent()
return;
String absHref = m_strHref;
- if (!parentSheet->href().isNull())
+ if (!parentSheet->putativeBaseURL().isNull())
// use parent styleheet's URL as the base URL
- absHref = KURL(KURL(ParsedURLString, parentSheet->href()), m_strHref).string();
+ absHref = KURL(parentSheet->putativeBaseURL(), m_strHref).string();
// Check for a cycle in our import chain. If we encounter a stylesheet
// in our parent chain with the same URL, then just bail.
StyleBase* root = this;
for (StyleBase* curr = parent(); curr; curr = curr->parent()) {
- if (curr->isCSSStyleSheet() && absHref == static_cast<CSSStyleSheet*>(curr)->href())
+ // FIXME: This is wrong if the putativeBaseURL was updated via document::updateBaseURL.
+ if (curr->isCSSStyleSheet() && absHref == static_cast<CSSStyleSheet*>(curr)->putativeBaseURL().string())
return;
root = curr;
}
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h 2010-05-03 15:55:37.740976769 +0200
@@ -63,7 +63,7 @@ private:
virtual unsigned short type() const { return IMPORT_RULE; }
// from CachedResourceClient
- virtual void setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet*);
+ virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet*);
String m_strHref;
RefPtr<MediaList> m_lstMedia;
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.660977242 +0200
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp 2010-05-03 15:55:37.740976769 +0200
@@ -33,8 +33,8 @@
namespace WebCore {
-CSSStyleSheet::CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const String& charset)
- : StyleSheet(parentSheet, href)
+CSSStyleSheet::CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const KURL& baseURL, const String& charset)
+ : StyleSheet(parentSheet, href, baseURL)
, m_doc(parentSheet ? parentSheet->doc() : 0)
, m_namespaces(0)
, m_charset(charset)
@@ -45,8 +45,8 @@ CSSStyleSheet::CSSStyleSheet(CSSStyleShe
{
}
-CSSStyleSheet::CSSStyleSheet(Node* parentNode, const String& href, const String& charset)
- : StyleSheet(parentNode, href)
+CSSStyleSheet::CSSStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, const String& charset)
+ : StyleSheet(parentNode, href, baseURL)
, m_doc(parentNode->document())
, m_namespaces(0)
, m_charset(charset)
@@ -57,8 +57,8 @@ CSSStyleSheet::CSSStyleSheet(Node* paren
{
}
-CSSStyleSheet::CSSStyleSheet(CSSRule* ownerRule, const String& href, const String& charset)
- : StyleSheet(ownerRule, href)
+CSSStyleSheet::CSSStyleSheet(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset)
+ : StyleSheet(ownerRule, href, baseURL)
, m_namespaces(0)
, m_charset(charset)
, m_loadCompleted(false)
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.660977242 +0200
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h 2010-05-03 15:55:37.745101706 +0200
@@ -38,27 +38,31 @@ class CSSStyleSheet : public StyleSheet
public:
static PassRefPtr<CSSStyleSheet> create()
{
- return adoptRef(new CSSStyleSheet(static_cast<CSSStyleSheet*>(0), String(), String()));
+ return adoptRef(new CSSStyleSheet(static_cast<CSSStyleSheet*>(0), String(), KURL(), String()));
}
static PassRefPtr<CSSStyleSheet> create(Node* ownerNode)
{
- return adoptRef(new CSSStyleSheet(ownerNode, String(), String()));
+ return adoptRef(new CSSStyleSheet(ownerNode, String(), KURL(), String()));
}
- static PassRefPtr<CSSStyleSheet> create(Node* ownerNode, const String& href)
+ static PassRefPtr<CSSStyleSheet> create(Node* ownerNode, const String& href, const KURL& baseURL)
{
- return adoptRef(new CSSStyleSheet(ownerNode, href, String()));
+ return adoptRef(new CSSStyleSheet(ownerNode, href, baseURL, String()));
}
- static PassRefPtr<CSSStyleSheet> create(Node* ownerNode, const String& href, const String& charset)
+ static PassRefPtr<CSSStyleSheet> create(Node* ownerNode, const String& href, const KURL& baseURL, const String& charset)
{
- return adoptRef(new CSSStyleSheet(ownerNode, href, charset));
+ return adoptRef(new CSSStyleSheet(ownerNode, href, baseURL, charset));
}
- static PassRefPtr<CSSStyleSheet> create(CSSRule* ownerRule, const String& href, const String& charset)
+ static PassRefPtr<CSSStyleSheet> create(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset)
{
- return adoptRef(new CSSStyleSheet(ownerRule, href, charset));
+ return adoptRef(new CSSStyleSheet(ownerRule, href, baseURL, charset));
+ }
+ static PassRefPtr<CSSStyleSheet> createInline(Node* ownerNode, const KURL& baseURL)
+ {
+ return adoptRef(new CSSStyleSheet(ownerNode, baseURL.string(), baseURL, String()));
}
virtual ~CSSStyleSheet();
-
+
CSSRule* ownerRule() const;
PassRefPtr<CSSRuleList> cssRules(bool omitCharsetRules = false);
unsigned insertRule(const String& rule, unsigned index, ExceptionCode&);
@@ -72,7 +76,7 @@ public:
void addNamespace(CSSParser*, const AtomicString& prefix, const AtomicString& uri);
const AtomicString& determineNamespace(const AtomicString& prefix);
-
+
virtual void styleSheetChanged();
virtual bool parseString(const String&, bool strict = true);
@@ -99,10 +103,10 @@ public:
bool hasSyntacticallyValidCSSHeader() const { return m_hasSyntacticallyValidCSSHeader; }
private:
- CSSStyleSheet(Node* ownerNode, const String& href, const String& charset);
- CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const String& charset);
- CSSStyleSheet(CSSRule* ownerRule, const String& href, const String& charset);
-
+ CSSStyleSheet(Node* ownerNode, const String& href, const KURL& baseURL, const String& charset);
+ CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const KURL& baseURL, const String& charset);
+ CSSStyleSheet(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset);
+
virtual bool isCSSStyleSheet() const { return true; }
virtual String type() const { return "text/css"; }
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:20.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp 2010-05-03 15:55:37.757976382 +0200
@@ -56,9 +56,9 @@ KURL StyleBase::baseURL() const
StyleSheet* sheet = const_cast<StyleBase*>(this)->stylesheet();
if (!sheet)
return KURL();
- if (!sheet->href().isNull())
- return KURL(ParsedURLString, sheet->href());
- if (sheet->parent())
+ if (!sheet->putativeBaseURL().isNull())
+ return sheet->putativeBaseURL();
+ if (sheet->parent())
return sheet->parent()->baseURL();
if (!sheet->ownerNode())
return KURL();
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp 2010-05-03 15:55:37.758976847 +0200
@@ -26,27 +26,30 @@
namespace WebCore {
-StyleSheet::StyleSheet(StyleSheet* parentSheet, const String& href)
+StyleSheet::StyleSheet(StyleSheet* parentSheet, const String& href, const KURL& baseURL)
: StyleList(parentSheet)
, m_parentNode(0)
- , m_strHref(href)
+ , m_href(href)
+ , m_baseURL(baseURL)
, m_disabled(false)
{
}
-StyleSheet::StyleSheet(Node* parentNode, const String& href)
+StyleSheet::StyleSheet(Node* parentNode, const String& href, const KURL& baseURL)
: StyleList(0)
, m_parentNode(parentNode)
- , m_strHref(href)
+ , m_href(href)
+ , m_baseURL(baseURL)
, m_disabled(false)
{
}
-StyleSheet::StyleSheet(StyleBase* owner, const String& href)
+StyleSheet::StyleSheet(StyleBase* owner, const String& href, const KURL& baseURL)
: StyleList(owner)
, m_parentNode(0)
- , m_strHref(href)
+ , m_href(href)
+ , m_baseURL(baseURL)
, m_disabled(false)
{
}
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h 2010-05-03 15:55:37.758976847 +0200
@@ -41,8 +41,18 @@ public:
Node* ownerNode() const { return m_parentNode; }
StyleSheet *parentStyleSheet() const;
- const String& href() const { return m_strHref; }
- void setHref(const String& href) { m_strHref = href; }
+
+ // Note that href is the URL that started the redirect chain that led to
+ // this style sheet. This property probably isn't useful for much except
+ // the JavaScript binding (which needs to use this value for security).
+ const String& href() const { return m_href; }
+
+ void setBaseURL(const KURL& baseURL) { m_baseURL = baseURL; }
+
+ // Notice that this object inherits a baseURL function from StyleBase that
+ // crawls the parent() relation looking for a non-0 putativeBaseURL.
+ const KURL& putativeBaseURL() const { return m_baseURL; }
+
const String& title() const { return m_strTitle; }
void setTitle(const String& s) { m_strTitle = s; }
MediaList* media() const { return m_media.get(); }
@@ -58,15 +68,16 @@ public:
virtual bool parseString(const String&, bool strict = true) = 0;
protected:
- StyleSheet(Node* ownerNode, const String& href);
- StyleSheet(StyleSheet* parentSheet, const String& href);
- StyleSheet(StyleBase* owner, const String& href);
+ StyleSheet(Node* ownerNode, const String& href, const KURL& baseURL);
+ StyleSheet(StyleSheet* parentSheet, const String& href, const KURL& baseURL);
+ StyleSheet(StyleBase* owner, const String& href, const KURL& baseURL);
private:
virtual bool isStyleSheet() const { return true; }
Node* m_parentNode;
- String m_strHref;
+ String m_href;
+ KURL m_baseURL;
String m_strTitle;
RefPtr<MediaList> m_media;
bool m_disabled;
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp 2010-05-03 15:55:37.760977901 +0200
@@ -1920,9 +1920,9 @@ void Document::updateBaseURL()
m_baseURL = KURL();
if (m_elemSheet)
- m_elemSheet->setHref(m_baseURL.string());
+ m_elemSheet->setBaseURL(m_baseURL);
if (m_mappedElementSheet)
- m_mappedElementSheet->setHref(m_baseURL.string());
+ m_mappedElementSheet->setBaseURL(m_baseURL);
}
String Document::userAgent(const KURL& url) const
@@ -1944,7 +1944,7 @@ CSSStyleSheet* Document::pageUserSheet()
return 0;
// Parse the sheet and cache it.
- m_pageUserSheet = CSSStyleSheet::create(this, settings()->userStyleSheetLocation());
+ m_pageUserSheet = CSSStyleSheet::createInline(this, settings()->userStyleSheetLocation());
m_pageUserSheet->setIsUserStyleSheet(true);
m_pageUserSheet->parseString(userSheetText, !inCompatMode());
return m_pageUserSheet.get();
@@ -1979,7 +1979,7 @@ const Vector<RefPtr<CSSStyleSheet> >* Do
const UserStyleSheet* sheet = sheets->at(i).get();
if (!UserContentURLPattern::matchesPatterns(url(), sheet->whitelist(), sheet->blacklist()))
continue;
- RefPtr<CSSStyleSheet> parsedSheet = CSSStyleSheet::create(const_cast<Document*>(this), sheet->url());
+ RefPtr<CSSStyleSheet> parsedSheet = CSSStyleSheet::createInline(const_cast<Document*>(this), sheet->url());
parsedSheet->setIsUserStyleSheet(true);
parsedSheet->parseString(sheet->source(), !inCompatMode());
if (!m_pageGroupUserSheets)
@@ -2001,14 +2001,14 @@ void Document::clearPageGroupUserSheets(
CSSStyleSheet* Document::elementSheet()
{
if (!m_elemSheet)
- m_elemSheet = CSSStyleSheet::create(this, m_baseURL.string());
+ m_elemSheet = CSSStyleSheet::createInline(this, m_baseURL);
return m_elemSheet.get();
}
CSSStyleSheet* Document::mappedElementSheet()
{
if (!m_mappedElementSheet)
- m_mappedElementSheet = CSSStyleSheet::create(this, m_baseURL.string());
+ m_mappedElementSheet = CSSStyleSheet::createInline(this, m_baseURL);
return m_mappedElementSheet.get();
}
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.661976647 +0200
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp 2010-05-03 15:55:37.761977599 +0200
@@ -138,7 +138,8 @@ void ProcessingInstruction::checkStyleSh
// We need to make a synthetic XSLStyleSheet that is embedded. It needs to be able
// to kick off import/include loads that can hang off some parent sheet.
if (m_isXSL) {
- m_sheet = XSLStyleSheet::createEmbedded(this, m_localHref);
+ KURL baseURL = KURL(ParsedURLString, m_localHref);
+ m_sheet = XSLStyleSheet::createEmbedded(this, m_localHref, baseURL);
m_loading = false;
}
#endif
@@ -196,12 +197,12 @@ bool ProcessingInstruction::sheetLoaded(
return false;
}
-void ProcessingInstruction::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet)
+void ProcessingInstruction::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet)
{
#if ENABLE(XSLT)
ASSERT(!m_isXSL);
#endif
- RefPtr<CSSStyleSheet> newSheet = CSSStyleSheet::create(this, url, charset);
+ RefPtr<CSSStyleSheet> newSheet = CSSStyleSheet::create(this, href, baseURL, charset);
m_sheet = newSheet;
// We don't need the cross-origin security check here because we are
// getting the sheet text in "strict" mode. This enforces a valid CSS MIME
@@ -213,10 +214,10 @@ void ProcessingInstruction::setCSSStyleS
}
#if ENABLE(XSLT)
-void ProcessingInstruction::setXSLStyleSheet(const String& url, const String& sheet)
+void ProcessingInstruction::setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet)
{
ASSERT(m_isXSL);
- m_sheet = XSLStyleSheet::create(this, url);
+ m_sheet = XSLStyleSheet::create(this, href, baseURL);
parseStyleSheet(sheet);
}
#endif
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h 2010-05-03 15:55:37.761977599 +0200
@@ -68,9 +68,9 @@ private:
virtual void removedFromDocument();
void checkStyleSheet();
- virtual void setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet*);
+ virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet*);
#if ENABLE(XSLT)
- virtual void setXSLStyleSheet(const String& url, const String& sheet);
+ virtual void setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet);
#endif
bool isLoading() const;
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp 2010-05-03 15:55:37.762976937 +0200
@@ -103,7 +103,7 @@ void StyleElement::createSheet(Element*
if (screenEval.eval(mediaList.get()) || printEval.eval(mediaList.get())) {
document->addPendingSheet();
setLoading(true);
- m_sheet = CSSStyleSheet::create(e, String(), document->inputEncoding());
+ m_sheet = CSSStyleSheet::create(e, String(), KURL(), document->inputEncoding());
m_sheet->parseString(text, !document->inCompatMode());
m_sheet->setMedia(mediaList.get());
m_sheet->setTitle(e->title());
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.661976647 +0200
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp 2010-05-03 17:02:45.528101154 +0200
@@ -253,9 +253,9 @@ void HTMLLinkElement::finishParsingChild
HTMLElement::finishParsingChildren();
}
-void HTMLLinkElement::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet)
+void HTMLLinkElement::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet)
{
- m_sheet = CSSStyleSheet::create(this, url, charset);
+ m_sheet = CSSStyleSheet::create(this, href, baseURL, charset);
bool strictParsing = !document()->inCompatMode();
bool enforceMIMEType = strictParsing;
@@ -275,11 +275,11 @@ void HTMLLinkElement::setCSSStyleSheet(c
// valid CSS rule.
// This prevents an attacker playing games by injecting CSS strings into
// HTML, XML, JSON, etc. etc.
- if (!document()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
+ if (!document()->securityOrigin()->canRequest(baseURL))
crossOriginCSS = true;
if (crossOriginCSS && !validMIMEType && !m_sheet->hasSyntacticallyValidCSSHeader())
- m_sheet = CSSStyleSheet::create(this, url, charset);
+ m_sheet = CSSStyleSheet::create(this, href, baseURL, charset);
if (strictParsing && document()->settings() && document()->settings()->needsSiteSpecificQuirks()) {
// Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
@@ -287,7 +287,7 @@ void HTMLLinkElement::setCSSStyleSheet(c
DEFINE_STATIC_LOCAL(const String, mediaWikiKHTMLFixesStyleSheet, ("/* KHTML fix stylesheet */\n/* work around the horizontal scrollbars */\n#column-content { margin-left: 0; }\n\n"));
// There are two variants of KHTMLFixes.css. One is equal to mediaWikiKHTMLFixesStyleSheet,
// while the other lacks the second trailing newline.
- if (url.endsWith(slashKHTMLFixesDotCss) && !sheetText.isNull() && mediaWikiKHTMLFixesStyleSheet.startsWith(sheetText)
+ if (baseURL.string().endsWith(slashKHTMLFixesDotCss) && !sheetText.isNull() && mediaWikiKHTMLFixesStyleSheet.startsWith(sheetText)
&& sheetText.length() >= mediaWikiKHTMLFixesStyleSheet.length() - 1) {
ASSERT(m_sheet->length() == 1);
ExceptionCode ec;
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h 2010-05-03 15:55:37.773083096 +0200
@@ -79,7 +79,7 @@ public:
virtual void removedFromDocument();
// from CachedResourceClient
- virtual void setCSSStyleSheet(const String &url, const String& charset, const CachedCSSStyleSheet* sheet);
+ virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet);
bool isLoading() const;
virtual bool sheetLoaded();
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.661976647 +0200
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp 2010-05-03 15:55:37.774976529 +0200
@@ -52,9 +52,9 @@ CachedCSSStyleSheet::~CachedCSSStyleShee
void CachedCSSStyleSheet::didAddClient(CachedResourceClient *c)
{
if (!m_loading)
- c->setCSSStyleSheet(m_url, m_decoder->encoding().name(), this);
+ c->setCSSStyleSheet(m_url, m_response.url(), m_decoder->encoding().name(), this);
}
-
+
void CachedCSSStyleSheet::allClientsRemoved()
{
if (isSafeToMakePurgeable())
@@ -112,7 +112,7 @@ void CachedCSSStyleSheet::checkNotify()
CachedResourceClientWalker w(m_clients);
while (CachedResourceClient *c = w.next())
- c->setCSSStyleSheet(m_response.url().string(), m_decoder->encoding().name(), this);
+ c->setCSSStyleSheet(m_url, m_response.url(), m_decoder->encoding().name(), this);
}
void CachedCSSStyleSheet::error()
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h 2010-05-03 15:55:37.775976911 +0200
@@ -42,6 +42,7 @@ namespace WebCore {
class String;
class Image;
class IntRect;
+ class KURL;
/**
* @internal
@@ -65,8 +66,8 @@ namespace WebCore {
// e.g., in the b/f cache or in a background tab).
virtual bool willRenderImage(CachedImage*) { return false; }
- virtual void setCSSStyleSheet(const String& /*URL*/, const String& /*charset*/, const CachedCSSStyleSheet*) { }
- virtual void setXSLStyleSheet(const String& /*URL*/, const String& /*sheet*/) { }
+ virtual void setCSSStyleSheet(const String& /* href */, const KURL& /* baseURL */, const String& /* charset */, const CachedCSSStyleSheet*) { }
+ virtual void setXSLStyleSheet(const String& /* href */, const KURL& /* baseURL */, const String& /* sheet */) { }
virtual void fontLoaded(CachedFont*) {};
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp 2010-05-03 15:55:37.789038977 +0200
@@ -48,7 +48,7 @@ CachedXSLStyleSheet::CachedXSLStyleSheet
void CachedXSLStyleSheet::didAddClient(CachedResourceClient* c)
{
if (!m_loading)
- c->setXSLStyleSheet(m_url, m_sheet);
+ c->setXSLStyleSheet(m_url, m_response.url(), m_sheet);
}
void CachedXSLStyleSheet::setEncoding(const String& chs)
@@ -83,10 +83,9 @@ void CachedXSLStyleSheet::checkNotify()
CachedResourceClientWalker w(m_clients);
while (CachedResourceClient *c = w.next())
- c->setXSLStyleSheet(m_url, m_sheet);
+ c->setXSLStyleSheet(m_url, m_response.url(), m_sheet);
}
-
void CachedXSLStyleSheet::error()
{
m_loading = false;
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp 2010-05-03 15:55:37.789038977 +0200
@@ -52,13 +52,13 @@ XSLStyleSheet* XSLImportRule::parentStyl
return (parent() && parent()->isXSLStyleSheet()) ? static_cast<XSLStyleSheet*>(parent()) : 0;
}
-void XSLImportRule::setXSLStyleSheet(const String& url, const String& sheet)
+void XSLImportRule::setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet)
{
if (m_styleSheet)
m_styleSheet->setParent(0);
-
- m_styleSheet = XSLStyleSheet::create(this, url);
-
+
+ m_styleSheet = XSLStyleSheet::create(this, href, baseURL);
+
XSLStyleSheet* parent = parentStyleSheet();
if (parent)
m_styleSheet->setParentStyleSheet(parent);
@@ -87,14 +87,14 @@ void XSLImportRule::loadSheet()
String absHref = m_strHref;
XSLStyleSheet* parentSheet = parentStyleSheet();
- if (!parentSheet->href().isNull())
+ if (!parentSheet->putativeBaseURL().isNull())
// use parent styleheet's URL as the base URL
- absHref = KURL(KURL(ParsedURLString, parentSheet->href()), m_strHref).string();
+ absHref = KURL(parentSheet->putativeBaseURL(), m_strHref).string();
// Check for a cycle in our import chain. If we encounter a stylesheet
// in our parent chain with the same URL, then just bail.
for (parent = this->parent(); parent; parent = parent->parent()) {
- if (parent->isXSLStyleSheet() && absHref == static_cast<XSLStyleSheet*>(parent)->href())
+ if (parent->isXSLStyleSheet() && absHref == static_cast<XSLStyleSheet*>(parent)->putativeBaseURL().string())
return;
}
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h 2010-05-03 15:55:37.789981560 +0200
@@ -57,7 +57,7 @@ private:
virtual bool isImportRule() { return true; }
// from CachedResourceClient
- virtual void setXSLStyleSheet(const String& url, const String& sheet);
+ virtual void setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet);
String m_strHref;
RefPtr<XSLStyleSheet> m_styleSheet;
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h 2010-05-03 15:55:37.827976887 +0200
@@ -43,18 +43,18 @@ class XSLImportRule;
class XSLStyleSheet : public StyleSheet {
public:
#if !USE(QXMLQUERY)
- static PassRefPtr<XSLStyleSheet> create(XSLImportRule* parentImport, const String& href)
+ static PassRefPtr<XSLStyleSheet> create(XSLImportRule* parentImport, const String& href, const KURL& baseURL)
{
- return adoptRef(new XSLStyleSheet(parentImport, href));
+ return adoptRef(new XSLStyleSheet(parentImport, href, baseURL));
}
#endif
- static PassRefPtr<XSLStyleSheet> create(Node* parentNode, const String& href)
+ static PassRefPtr<XSLStyleSheet> create(Node* parentNode, const String& href, const KURL& baseURL)
{
- return adoptRef(new XSLStyleSheet(parentNode, href, false));
+ return adoptRef(new XSLStyleSheet(parentNode, href, baseURL, false));
}
- static PassRefPtr<XSLStyleSheet> createEmbedded(Node* parentNode, const String& href)
+ static PassRefPtr<XSLStyleSheet> createEmbedded(Node* parentNode, const String& href, const KURL& baseURL)
{
- return adoptRef(new XSLStyleSheet(parentNode, href, true));
+ return adoptRef(new XSLStyleSheet(parentNode, href, baseURL, true));
}
virtual ~XSLStyleSheet();
@@ -90,9 +90,9 @@ public:
bool processed() const { return m_processed; }
private:
- XSLStyleSheet(Node* parentNode, const String& href, bool embedded);
+ XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, bool embedded);
#if !USE(QXMLQUERY)
- XSLStyleSheet(XSLImportRule* parentImport, const String& href);
+ XSLStyleSheet(XSLImportRule* parentImport, const String& href, const KURL& baseURL);
#endif
Document* m_ownerDocument;
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp 2010-05-03 15:55:37.837079694 +0200
@@ -55,8 +55,8 @@ SOFT_LINK(libxslt, xsltLoadStylesheetPI,
namespace WebCore {
-XSLStyleSheet::XSLStyleSheet(XSLImportRule* parentRule, const String& href)
- : StyleSheet(parentRule, href)
+XSLStyleSheet::XSLStyleSheet(XSLImportRule* parentRule, const String& href, const KURL& baseURL)
+ : StyleSheet(parentRule, href, baseURL)
, m_ownerDocument(0)
, m_embedded(false)
, m_processed(false) // Child sheets get marked as processed when the libxslt engine has finally seen them.
@@ -66,8 +66,8 @@ XSLStyleSheet::XSLStyleSheet(XSLImportRu
{
}
-XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, bool embedded)
- : StyleSheet(parentNode, href)
+XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, bool embedded)
+ : StyleSheet(parentNode, href, baseURL)
, m_ownerDocument(parentNode->document())
, m_embedded(embedded)
, m_processed(true) // The root sheet starts off processed.
@@ -168,7 +168,7 @@ bool XSLStyleSheet::parseString(const St
}
m_stylesheetDoc = xmlCtxtReadMemory(ctxt, buffer, size,
- href().utf8().data(),
+ putativeBaseURL().string().utf8().data(),
BOMHighByte == 0xFF ? "UTF-16LE" : "UTF-16BE",
XML_PARSE_NOENT | XML_PARSE_DTDATTR | XML_PARSE_NOWARNING | XML_PARSE_NOCDATA);
xmlFreeParserCtxt(ctxt);
@@ -192,7 +192,7 @@ void XSLStyleSheet::loadChildSheets()
if (m_embedded) {
// We have to locate (by ID) the appropriate embedded stylesheet element, so that we can walk the
// import/include list.
- xmlAttrPtr idNode = xmlGetID(document(), (const xmlChar*)(href().utf8().data()));
+ xmlAttrPtr idNode = xmlGetID(document(), (const xmlChar*)(putativeBaseURL().string().utf8().data()));
if (!idNode)
return;
stylesheetRoot = idNode->parent;
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp 2010-05-03 15:55:37.837977083 +0200
@@ -33,8 +33,8 @@
namespace WebCore {
-XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, bool embedded)
- : StyleSheet(parentNode, href)
+XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, bool embedded)
+ : StyleSheet(parentNode, href, baseURL)
, m_ownerDocument(parentNode->document())
, m_embedded(embedded)
{
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp 2010-05-03 15:55:37.837977083 +0200
@@ -226,7 +226,8 @@ static xsltStylesheetPtr xsltStylesheetP
{
if (!cachedStylesheet && stylesheetRootNode) {
cachedStylesheet = XSLStyleSheet::create(stylesheetRootNode->parent() ? stylesheetRootNode->parent() : stylesheetRootNode,
- stylesheetRootNode->document()->url().string());
+ stylesheetRootNode->document()->url().string(),
+ stylesheetRootNode->document()->url()); // FIXME: Should we use baseURL here?
cachedStylesheet->parseString(createMarkup(stylesheetRootNode));
}
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp 2010-05-03 15:55:37.915979873 +0200
@@ -120,7 +120,9 @@ bool XSLTProcessor::transformToString(No
RefPtr<XSLStyleSheet> stylesheet = m_stylesheet;
if (!stylesheet && m_stylesheetRootNode) {
Node* node = m_stylesheetRootNode.get();
- stylesheet = XSLStyleSheet::create(node->parent() ? node->parent() : node, node->document()->url().string());
+ stylesheet = XSLStyleSheet::create(node->parent() ? node->parent() : node,
+ node->document()->url().string(),
+ node->document()->url()); // FIXME: Should we use baseURL here?
stylesheet->parseString(createMarkup(node));
}
qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch:
SecurityOrigin.cpp | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- NEW FILE qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch ---
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp.me qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp.me 2010-05-06 11:29:24.000000000 +0200
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp 2010-05-06 11:43:29.000000000 +0200
@@ -112,7 +112,11 @@ SecurityOrigin::SecurityOrigin(const KUR
// By default, only local SecurityOrigins can load local resources.
m_canLoadLocalResources = isLocal();
-
+ if (m_canLoadLocalResources) {
+ // Directories should never be readable.
+ if (!url.hasPath() || url.path().endsWith("/"))
+ m_noAccess = true;
+ }
if (isDefaultPortForProtocol(m_port, m_protocol))
m_port = 0;
}
@@ -207,6 +211,8 @@ bool SecurityOrigin::canRequest(const KU
return false;
RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url);
+ if (targetOrigin->m_noAccess)
+ return false;
// We call isSameSchemeHostPort here instead of canAccess because we want
// to ignore document.domain effects.
Index: qt.spec
===================================================================
RCS file: /cvs/extras/rpms/qt/F-11/qt.spec,v
retrieving revision 1.296
retrieving revision 1.297
diff -u -p -r1.296 -r1.297
--- qt.spec 29 Apr 2010 07:52:59 -0000 1.296
+++ qt.spec 6 May 2010 16:04:28 -0000 1.297
@@ -13,7 +13,7 @@ Summary: Qt toolkit
Name: qt
Epoch: 1
Version: 4.6.2
-Release: 16%{?dist}
+Release: 17%{?dist}
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
License: LGPLv2 with exceptions or GPLv3 with exceptions
@@ -70,6 +70,9 @@ Patch102: qt-x11-opensource-src-4.5.3-cv
Patch103: qt-x11-opensource-src-4.5.3-cve-2010-0052-destroyed-input-cached.patch
Patch104: qt-everywhere-opensource-src-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch
Patch105: qt-everywhere-opensource-src-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch
+Patch106: qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch
+Patch107: qt-everywhere-opensource-src-4.6.2-cve-2010-0047.patch
+Patch108: qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch
# kde-qt git patches
Patch201: 0001-This-patch-uses-object-name-as-a-fallback-for-window.patch
@@ -433,6 +436,9 @@ Qt libraries used for drawing widgets an
%patch103 -p1 -b .cve-2010-0052-destroyed-input-cached
%patch104 -p1 -b .cve-2010-0051-lax-css-parsing-cross-domain-theft
%patch105 -p1 -b .cve-2010-0054-image-element-pointer-name-getter
+%patch106 -p1 -b .cve-2010-0656
+%patch107 -p1 -b .cve-2010-0047
+%patch108 -p1 -b .cve-2010-0648
# kde-qt branch
%patch201 -p1 -b .kde-qt-0001
@@ -1042,6 +1048,10 @@ fi
%changelog
+* Thu May 06 2010 Than Ngo <than at redhat.com> - 4.6.2-17
+- bz#589169, fix multiple flaws in webkit
+ CVE-2010-0047, CVE-2010-0648, CVE-2010-0656
+
* Thu Apr 29 2010 Kevin Kofler <Kevin at tigcc.ticalc.org> - 4.6.2-16
- restore qt-everywhere-opensource-src-4.6.2-cups.patch (#586725)
More information about the scm-commits
mailing list