jreznik pushed to kdelibs3 (epel7). "fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015)"
notifications at fedoraproject.org
notifications at fedoraproject.org
Thu Apr 2 15:35:58 UTC 2015
>From 6fa4cd24f67a6ff2c9af25f1ee9215bba38bdc02 Mon Sep 17 00:00:00 2001
From: Lukas Tinkl <ltinkl at fedoraproject.org>
Date: Mon, 2 Nov 2009 14:55:24 +0000
Subject: fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015)
diff --git a/kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch b/kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch
new file mode 100644
index 0000000..4de8fdc
--- /dev/null
+++ b/kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch
@@ -0,0 +1,45 @@
+Index: xmlhttprequest.cpp
+===================================================================
+--- khtml/ecma/xmlhttprequest.cpp (revision 954808)
++++ khtml/ecma/xmlhttprequest.cpp (working copy)
+@@ -342,17 +342,17 @@
+ {
+ aborted = false;
+
++ const QString protocol = url.protocol().lower();
++ // Abandon the request when the protocol is other than "http",
++ // instead of blindly doing a KIO::get on other protocols like file:/.
++ if (!protocol.startsWith("http") && !protocol.startsWith("webdav"))
++ {
++ abort();
++ return;
++ }
++
+ if (method == "post") {
+- QString protocol = url.protocol().lower();
+
+- // Abondon the request when the protocol is other than "http",
+- // instead of blindly changing it to a "get" request.
+- if (!protocol.startsWith("http") && !protocol.startsWith("webdav"))
+- {
+- abort();
+- return;
+- }
+-
+ // FIXME: determine post encoding correctly by looking in headers
+ // for charset.
+ QByteArray buf;
+@@ -763,11 +763,11 @@
+ if (obj.isValid() && obj.inherits(&DOMDocument::info)) {
+ DOM::Node docNode = static_cast<KJS::DOMDocument *>(obj.imp())->toNode();
+ DOM::DocumentImpl *doc = static_cast<DOM::DocumentImpl *>(docNode.handle());
+-
++
+ try {
+ body = doc->toString().string();
+ // FIXME: also need to set content type, including encoding!
+-
++
+ } catch(DOM::DOMException& e) {
+ Object err = Error::create(exec, GeneralError, "Exception serializing document");
+ exec->setException(err);
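Review bot: The scheme whitelist moved ahead of the `method == "post"` branch still uses prefix matches, `protocol.startsWith("http")` and `startsWith("webdav")`, so it admits any scheme whose name merely begins with those strings rather than the four schemes the comment intends; an exact comparison, `if (protocol != "http" && protocol != "https" && protocol != "webdav" && protocol != "webdavs")`, states the policy precisely and cannot be widened by a scheme added later. The check is applied only to the URL held at send time; whether a later KIO redirection from an http: URL to a local scheme is rejected is not visible in this hunk and should be confirmed against the request's redirection handling. The comment above the check still says `other than "http"` although webdav is accepted too; `// Abandon the request unless the scheme is http(s) or webdav(s), instead of blindly doing a KIO::get on other schemes like file:/.` would match the condition. The enclosing function's signature lies above the nested hunk at line 342 and its body continues past it; the second nested hunk at line 763 is whitespace only.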
diff --git a/kdelibs3.spec b/kdelibs3.spec
index 8627961..06d0254 100644
--- a/kdelibs3.spec
+++ b/kdelibs3.spec
@@ -27,7 +27,7 @@
Summary: K Desktop Environment 3 - Libraries
Version: 3.5.10
-Release: 19%{?dist}
+Release: 20%{?dist}
Name: kdelibs3
Obsoletes: kdelibs < 6:%{version}-%{release}
@@ -95,6 +95,8 @@ Patch203: kdelibs-3.5.4-CVE-2009-1690.patch
Patch204: kdelibs-3.5.10-cve-2009-1698.patch
# fix CVE-2009-2702 - ssl incorrect verification of SSL certificate with NUL in subjectAltName
Patch205: kdelibs-3.5.10-CVE-2009-2702.patch
+# fix oCERT-2009-015 - unrestricted XMLHttpRequest access to local URLs
+Patch206: kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch
Requires: hicolor-icon-theme
%if %{kde_settings}
@@ -246,6 +248,7 @@ format for easy browsing
%patch203 -p1 -b .cve-2009-1690
%patch204 -p1 -b .cve-2009-1698
%patch205 -p1 -b .cve-2009-2702
+%patch206 -p0 -b .oCERT-2009-015-xmlhttprequest
sed -i -e "s,^#define KDE_VERSION_STRING .*,#define KDE_VERSION_STRING \"%{version}-%{release} %{distname}\"," kdecore/kdeversion.h
@@ -569,6 +572,9 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :
%changelog
+* Mon Nov 2 2009 Lukáš Tinkl <ltinkl at redhat.com> - 3.5.10-20
+- fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015), #532428
+
* Mon Sep 28 2009 Rex Dieter <rdieter at fedoraproject.org> - 3.5.10-19
- Conflicts with kde-settings (#526109)
http://pkgs.fedoraproject.org/cgit/kdelibs3.git/commit/?h=epel7&id=6fa4cd24f67a6ff2c9af25f1ee9215bba38bdc02