fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015)

This commit is contained in:
Lukas Tinkl 2009-11-02 16:10:39 +00:00
parent 9a6f37c1ea
commit 49abe2cf13
2 changed files with 127 additions and 1 deletions

View File

@ -0,0 +1,120 @@
Index: khtml/ecma/xmlhttprequest.cpp
===================================================================
--- khtml/ecma/xmlhttprequest.cpp (revision 1035538)
+++ khtml/ecma/xmlhttprequest.cpp (revision 1035539)
@@ -49,7 +49,7 @@
using namespace KJS;
using namespace DOM;
-//
+//
////////////////////// XMLHttpRequest Object ////////////////////////
/* Source for XMLHttpRequestProtoTable.
@@ -269,7 +269,7 @@
static bool canSetRequestHeader(const QString& name)
{
static QSet<CaseInsensitiveString> forbiddenHeaders;
-
+
if (forbiddenHeaders.isEmpty()) {
static const char* hdrs[] = {
"accept-charset",
@@ -298,12 +298,12 @@
"transfer-encoding",
"unlock",
"upgrade",
- "via"
+ "via"
};
for (size_t i = 0; i < sizeof(hdrs)/sizeof(char*); ++i)
forbiddenHeaders.insert(CaseInsensitiveString(hdrs[i]));
}
-
+
return !forbiddenHeaders.contains(name);
}
@@ -326,9 +326,9 @@
XMLHttpRequest::~XMLHttpRequest()
{
- if (onLoadListener)
+ if (onLoadListener)
onLoadListener->deref();
- if (onReadyStateChangeListener)
+ if (onReadyStateChangeListener)
onReadyStateChangeListener->deref();
delete qObject;
qObject = 0;
@@ -412,18 +412,19 @@
return;
}
+ const QString protocol = url.protocol().toLower();
+ // Abandon the request when the protocol is other than "http",
+ // instead of blindly doing a KIO::get on other protocols like file:/.
+ if (!protocol.startsWith(QLatin1String("http")) &&
+ !protocol.startsWith(QLatin1String("webdav")))
+ {
+ ec = DOMException::INVALID_ACCESS_ERR;
+ abort();
+ return;
+ }
+
if (method == "post") {
- QString protocol = url.protocol().toLower();
- // Abondon the request when the protocol is other than "http",
- // instead of blindly changing it to a "get" request.
- if (!protocol.startsWith(QLatin1String("http")) &&
- !protocol.startsWith(QLatin1String("webdav")))
- {
- abort();
- return;
- }
-
// FIXME: determine post encoding correctly by looking in headers
// for charset.
QByteArray buf = _body.toUtf8();
@@ -580,7 +581,7 @@
ec = DOMException::INVALID_STATE_ERR;
return jsString("");
}
-
+
// ### test error flag, return jsNull
if (responseHeaders.isEmpty()) {
@@ -809,7 +810,7 @@
setDOMException(exec, ec);
return ret;
}
- case XMLHttpRequest::GetResponseHeader:
+ case XMLHttpRequest::GetResponseHeader:
{
if (args.size() < 1)
return throwError(exec, SyntaxError, "Not enough arguments");
@@ -852,11 +853,11 @@
DOM::NodeImpl* docNode = toNode(args[0]);
if (docNode && docNode->isDocumentNode()) {
DOM::DocumentImpl *doc = static_cast<DOM::DocumentImpl *>(docNode);
-
+
try {
body = doc->toString().string();
// FIXME: also need to set content type, including encoding!
-
+
} catch(DOM::DOMException&) {
return throwError(exec, GeneralError, "Exception serializing document");
}
@@ -866,7 +867,7 @@
}
request->send(body, ec);
- setDOMException(exec, ec);
+ setDOMException(exec, ec);
return jsUndefined();
}
case XMLHttpRequest::SetRequestHeader:

View File

@ -4,7 +4,7 @@
Summary: K Desktop Environment 4 - Libraries
Version: 4.3.2
Release: 4%{?dist}
Release: 5%{?dist}
Name: kdelibs
Epoch: 6
@ -85,6 +85,8 @@ Patch102: kdelibs-4.3.2-kde#1033984.patch
# security fix
Patch200: kdelibs-4.3.1-CVE-2009-2702.patch
# fix oCERT-2009-015 - unrestricted XMLHttpRequest access to local URLs
Patch201: kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch
BuildRequires: qt4-devel >= 4.5.0
# qt4%{_?_isa} isn't provided yet -- Rex
@ -210,6 +212,7 @@ format for easy browsing.
# security fix
%patch200 -p1 -b .CVE-2009-2702
%patch201 -p0 -b .oCERT-2009-015-xmlhttprequest
%build
@ -399,6 +402,9 @@ rm -rf %{buildroot}
%changelog
* Mon Nov 2 2009 Lukáš Tinkl <ltinkl@redhat.com> - 4.3.2-5
- fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015), #532428
* Mon Oct 12 2009 Lukáš Tinkl <ltinkl@redhat.com> - 4.3.2-4
- khtml kpart crasher nr. 2 (rev.1033984)