diff --git a/kdelibs-4.3.3-oCERT-2009-015-xmlhttprequest.patch b/kdelibs-4.3.3-oCERT-2009-015-xmlhttprequest.patch
new file mode 100644
index 0000000..3c9dc71
--- /dev/null
+++ b/kdelibs-4.3.3-oCERT-2009-015-xmlhttprequest.patch
@@ -0,0 +1,120 @@
+Index: khtml/ecma/xmlhttprequest.cpp
+===================================================================
+--- khtml/ecma/xmlhttprequest.cpp (revision 1035538)
++++ khtml/ecma/xmlhttprequest.cpp (revision 1035539)
+@@ -49,7 +49,7 @@
+
+ using namespace KJS;
+ using namespace DOM;
+-//
++//
+ ////////////////////// XMLHttpRequest Object ////////////////////////
+
+ /* Source for XMLHttpRequestProtoTable.
+@@ -269,7 +269,7 @@
+ static bool canSetRequestHeader(const QString& name)
+ {
+ static QSet forbiddenHeaders;
+-
++
+ if (forbiddenHeaders.isEmpty()) {
+ static const char* hdrs[] = {
+ "accept-charset",
+@@ -298,12 +298,12 @@
+ "transfer-encoding",
+ "unlock",
+ "upgrade",
+- "via"
++ "via"
+ };
+ for (size_t i = 0; i < sizeof(hdrs)/sizeof(char*); ++i)
+ forbiddenHeaders.insert(CaseInsensitiveString(hdrs[i]));
+ }
+-
++
+ return !forbiddenHeaders.contains(name);
+ }
+
+@@ -326,9 +326,9 @@
+
+ XMLHttpRequest::~XMLHttpRequest()
+ {
+- if (onLoadListener)
++ if (onLoadListener)
+ onLoadListener->deref();
+- if (onReadyStateChangeListener)
++ if (onReadyStateChangeListener)
+ onReadyStateChangeListener->deref();
+ delete qObject;
+ qObject = 0;
+@@ -412,18 +412,19 @@
+ return;
+ }
+
++ const QString protocol = url.protocol().toLower();
++ // Abandon the request when the protocol is other than "http",
++ // instead of blindly doing a KIO::get on other protocols like file:/.
++ if (!protocol.startsWith(QLatin1String("http")) &&
++ !protocol.startsWith(QLatin1String("webdav")))
++ {
++ ec = DOMException::INVALID_ACCESS_ERR;
++ abort();
++ return;
++ }
++
+ if (method == "post") {
+- QString protocol = url.protocol().toLower();
+
+- // Abondon the request when the protocol is other than "http",
+- // instead of blindly changing it to a "get" request.
+- if (!protocol.startsWith(QLatin1String("http")) &&
+- !protocol.startsWith(QLatin1String("webdav")))
+- {
+- abort();
+- return;
+- }
+-
+ // FIXME: determine post encoding correctly by looking in headers
+ // for charset.
+ QByteArray buf = _body.toUtf8();
+@@ -580,7 +581,7 @@
+ ec = DOMException::INVALID_STATE_ERR;
+ return jsString("");
+ }
+-
++
+ // ### test error flag, return jsNull
+
+ if (responseHeaders.isEmpty()) {
+@@ -809,7 +810,7 @@
+ setDOMException(exec, ec);
+ return ret;
+ }
+- case XMLHttpRequest::GetResponseHeader:
++ case XMLHttpRequest::GetResponseHeader:
+ {
+ if (args.size() < 1)
+ return throwError(exec, SyntaxError, "Not enough arguments");
+@@ -852,11 +853,11 @@
+ DOM::NodeImpl* docNode = toNode(args[0]);
+ if (docNode && docNode->isDocumentNode()) {
+ DOM::DocumentImpl *doc = static_cast(docNode);
+-
++
+ try {
+ body = doc->toString().string();
+ // FIXME: also need to set content type, including encoding!
+-
++
+ } catch(DOM::DOMException&) {
+ return throwError(exec, GeneralError, "Exception serializing document");
+ }
+@@ -866,7 +867,7 @@
+ }
+
+ request->send(body, ec);
+- setDOMException(exec, ec);
++ setDOMException(exec, ec);
+ return jsUndefined();
+ }
+ case XMLHttpRequest::SetRequestHeader:
diff --git a/kdelibs.spec b/kdelibs.spec
index 9b8f13d..b15f0a0 100644
--- a/kdelibs.spec
+++ b/kdelibs.spec
@@ -4,7 +4,7 @@ Summary: K Desktop Environment 4 - Libraries Version: 4.3.2 -Release: 4%{?dist} +Release: 5%{?dist} Name: kdelibs Epoch: 6
@@ -85,6 +85,8 @@ Patch102: kdelibs-4.3.2-kde#1033984.patch # security fix Patch200: kdelibs-4.3.1-CVE-2009-2702.patch +# fix oCERT-2009-015 - unrestricted XMLHttpRequest access to local URLs +Patch201: kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch BuildRequires: qt4-devel >= 4.5.0 # qt4%{_?_isa} isn't provided yet -- Rex
@@ -210,6 +212,7 @@ format for easy browsing. # security fix %patch200 -p1 -b .CVE-2009-2702 +%patch201 -p0 -b .oCERT-2009-015-xmlhttprequest %build
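Review bot: The scheme check added in the `@@ -412,18 +412,19 @@` hunk of the embedded xmlhttprequest.cpp patch is a prefix match, so `protocol.startsWith(QLatin1String("http"))` accepts any scheme whose name merely begins with "http" or "webdav", not only the intended ones. Because this check is the entire fix for local-URL access, an exact allowlist is the safer form, for example `if (protocol != QLatin1String("http") && protocol != QLatin1String("https") && protocol != QLatin1String("webdav") && protocol != QLatin1String("webdavs"))`. The comment above it should then name the allowed schemes rather than only "http". The enclosing function begins and ends outside the hunk, so whether a redirect to another scheme is re-checked later cannot be judged from these lines.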
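Review bot: `Patch201:` in the `@@ -85,6 +85,8 @@` hunk names `kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch`, but the file this commit adds is `kdelibs-4.3.3-oCERT-2009-015-xmlhttprequest.patch`. Unless a 3.5.10 file already exists in the package sources (not visible here), the build stops at `%patch201`. If one does exist, the patch written for 3.5.10 is applied instead of the one added here, and the security fix may not land as reviewed. The line should read `Patch201: kdelibs-4.3.3-oCERT-2009-015-xmlhttprequest.patch`.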
@@ -399,6 +402,9 @@ rm -rf %{buildroot} %changelog +* Mon Nov 2 2009 Lukáš Tinkl - 4.3.2-5 +- fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015), #532428 + * Mon Oct 12 2009 Lukáš Tinkl - 4.3.2-4 - khtml kpart crasher nr. 2 (rev.1033984)