fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015)
This commit is contained in:
parent
114650ed8d
commit
2dd67fd426
|
@ -0,0 +1,120 @@
|
||||||
|
Index: khtml/ecma/xmlhttprequest.cpp
|
||||||
|
===================================================================
|
||||||
|
--- khtml/ecma/xmlhttprequest.cpp (revision 1035538)
|
||||||
|
+++ khtml/ecma/xmlhttprequest.cpp (revision 1035539)
|
||||||
|
@@ -49,7 +49,7 @@
|
||||||
|
|
||||||
|
using namespace KJS;
|
||||||
|
using namespace DOM;
|
||||||
|
-//
|
||||||
|
+//
|
||||||
|
////////////////////// XMLHttpRequest Object ////////////////////////
|
||||||
|
|
||||||
|
/* Source for XMLHttpRequestProtoTable.
|
||||||
|
@@ -269,7 +269,7 @@
|
||||||
|
static bool canSetRequestHeader(const QString& name)
|
||||||
|
{
|
||||||
|
static QSet<CaseInsensitiveString> forbiddenHeaders;
|
||||||
|
-
|
||||||
|
+
|
||||||
|
if (forbiddenHeaders.isEmpty()) {
|
||||||
|
static const char* hdrs[] = {
|
||||||
|
"accept-charset",
|
||||||
|
@@ -298,12 +298,12 @@
|
||||||
|
"transfer-encoding",
|
||||||
|
"unlock",
|
||||||
|
"upgrade",
|
||||||
|
- "via"
|
||||||
|
+ "via"
|
||||||
|
};
|
||||||
|
for (size_t i = 0; i < sizeof(hdrs)/sizeof(char*); ++i)
|
||||||
|
forbiddenHeaders.insert(CaseInsensitiveString(hdrs[i]));
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+
|
||||||
|
return !forbiddenHeaders.contains(name);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -326,9 +326,9 @@
|
||||||
|
|
||||||
|
XMLHttpRequest::~XMLHttpRequest()
|
||||||
|
{
|
||||||
|
- if (onLoadListener)
|
||||||
|
+ if (onLoadListener)
|
||||||
|
onLoadListener->deref();
|
||||||
|
- if (onReadyStateChangeListener)
|
||||||
|
+ if (onReadyStateChangeListener)
|
||||||
|
onReadyStateChangeListener->deref();
|
||||||
|
delete qObject;
|
||||||
|
qObject = 0;
|
||||||
|
@@ -412,18 +412,19 @@
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ const QString protocol = url.protocol().toLower();
|
||||||
|
+ // Abandon the request when the protocol is other than "http",
|
||||||
|
+ // instead of blindly doing a KIO::get on other protocols like file:/.
|
||||||
|
+ if (!protocol.startsWith(QLatin1String("http")) &&
|
||||||
|
+ !protocol.startsWith(QLatin1String("webdav")))
|
||||||
|
+ {
|
||||||
|
+ ec = DOMException::INVALID_ACCESS_ERR;
|
||||||
|
+ abort();
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (method == "post") {
|
||||||
|
- QString protocol = url.protocol().toLower();
|
||||||
|
|
||||||
|
- // Abondon the request when the protocol is other than "http",
|
||||||
|
- // instead of blindly changing it to a "get" request.
|
||||||
|
- if (!protocol.startsWith(QLatin1String("http")) &&
|
||||||
|
- !protocol.startsWith(QLatin1String("webdav")))
|
||||||
|
- {
|
||||||
|
- abort();
|
||||||
|
- return;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
// FIXME: determine post encoding correctly by looking in headers
|
||||||
|
// for charset.
|
||||||
|
QByteArray buf = _body.toUtf8();
|
||||||
|
@@ -580,7 +581,7 @@
|
||||||
|
ec = DOMException::INVALID_STATE_ERR;
|
||||||
|
return jsString("");
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+
|
||||||
|
// ### test error flag, return jsNull
|
||||||
|
|
||||||
|
if (responseHeaders.isEmpty()) {
|
||||||
|
@@ -809,7 +810,7 @@
|
||||||
|
setDOMException(exec, ec);
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
- case XMLHttpRequest::GetResponseHeader:
|
||||||
|
+ case XMLHttpRequest::GetResponseHeader:
|
||||||
|
{
|
||||||
|
if (args.size() < 1)
|
||||||
|
return throwError(exec, SyntaxError, "Not enough arguments");
|
||||||
|
@@ -852,11 +853,11 @@
|
||||||
|
DOM::NodeImpl* docNode = toNode(args[0]);
|
||||||
|
if (docNode && docNode->isDocumentNode()) {
|
||||||
|
DOM::DocumentImpl *doc = static_cast<DOM::DocumentImpl *>(docNode);
|
||||||
|
-
|
||||||
|
+
|
||||||
|
try {
|
||||||
|
body = doc->toString().string();
|
||||||
|
// FIXME: also need to set content type, including encoding!
|
||||||
|
-
|
||||||
|
+
|
||||||
|
} catch(DOM::DOMException&) {
|
||||||
|
return throwError(exec, GeneralError, "Exception serializing document");
|
||||||
|
}
|
||||||
|
@@ -866,7 +867,7 @@
|
||||||
|
}
|
||||||
|
|
||||||
|
request->send(body, ec);
|
||||||
|
- setDOMException(exec, ec);
|
||||||
|
+ setDOMException(exec, ec);
|
||||||
|
return jsUndefined();
|
||||||
|
}
|
||||||
|
case XMLHttpRequest::SetRequestHeader:
|
|
@ -4,7 +4,7 @@
|
||||||
|
|
||||||
Summary: K Desktop Environment 4 - Libraries
|
Summary: K Desktop Environment 4 - Libraries
|
||||||
Version: 4.3.2
|
Version: 4.3.2
|
||||||
Release: 4%{?dist}
|
Release: 5%{?dist}
|
||||||
|
|
||||||
Name: kdelibs
|
Name: kdelibs
|
||||||
Epoch: 6
|
Epoch: 6
|
||||||
|
@ -85,6 +85,8 @@ Patch102: kdelibs-4.3.2-kde#1033984.patch
|
||||||
|
|
||||||
# security fix
|
# security fix
|
||||||
Patch200: kdelibs-4.3.1-CVE-2009-2702.patch
|
Patch200: kdelibs-4.3.1-CVE-2009-2702.patch
|
||||||
|
# fix oCERT-2009-015 - unrestricted XMLHttpRequest access to local URLs
|
||||||
|
Patch201: kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch
|
||||||
|
|
||||||
BuildRequires: qt4-devel >= 4.5.0
|
BuildRequires: qt4-devel >= 4.5.0
|
||||||
# qt4%{_?_isa} isn't provided yet -- Rex
|
# qt4%{_?_isa} isn't provided yet -- Rex
|
||||||
|
@ -210,6 +212,7 @@ format for easy browsing.
|
||||||
|
|
||||||
# security fix
|
# security fix
|
||||||
%patch200 -p1 -b .CVE-2009-2702
|
%patch200 -p1 -b .CVE-2009-2702
|
||||||
|
%patch201 -p0 -b .oCERT-2009-015-xmlhttprequest
|
||||||
|
|
||||||
%build
|
%build
|
||||||
|
|
||||||
|
@ -399,6 +402,9 @@ rm -rf %{buildroot}
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Nov 2 2009 Lukáš Tinkl <ltinkl@redhat.com> - 4.3.2-5
|
||||||
|
- fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015), #532428
|
||||||
|
|
||||||
* Mon Oct 12 2009 Lukáš Tinkl <ltinkl@redhat.com> - 4.3.2-4
|
* Mon Oct 12 2009 Lukáš Tinkl <ltinkl@redhat.com> - 4.3.2-4
|
||||||
- khtml kpart crasher nr. 2 (rev.1033984)
|
- khtml kpart crasher nr. 2 (rev.1033984)
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue