fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015)

2009-11-02 16:10:39 +00:00 · 2009-11-02 16:10:39 +00:00 · 49abe2cf13
commit 49abe2cf13
parent 9a6f37c1ea
2 changed files with 127 additions and 1 deletions
--- a/kdelibs-4.3.3-oCERT-2009-015-xmlhttprequest.patch
+++ b/kdelibs-4.3.3-oCERT-2009-015-xmlhttprequest.patch
@ -0,0 +1,120 @@
+Index: khtml/ecma/xmlhttprequest.cpp
+===================================================================
+--- khtml/ecma/xmlhttprequest.cpp	(revision 1035538)
+++ khtml/ecma/xmlhttprequest.cpp	(revision 1035539)
+@@ -49,7 +49,7 @@
+ 
+ using namespace KJS;
+ using namespace DOM;
+-// 
+//
+ ////////////////////// XMLHttpRequest Object ////////////////////////
+ 
+ /* Source for XMLHttpRequestProtoTable.
+@@ -269,7 +269,7 @@
+ static bool canSetRequestHeader(const QString& name)
+ {
+     static QSet<CaseInsensitiveString> forbiddenHeaders;
+-    
+
+     if (forbiddenHeaders.isEmpty()) {
+ 	static const char* hdrs[] = {
+ 	    "accept-charset",
+@@ -298,12 +298,12 @@
+ 	    "transfer-encoding",
+ 	    "unlock",
+ 	    "upgrade",
+-	    "via" 
+	    "via"
+ 	};
+ 	for (size_t i = 0; i < sizeof(hdrs)/sizeof(char*); ++i)
+ 	    forbiddenHeaders.insert(CaseInsensitiveString(hdrs[i]));
+     }
+-    
+
+     return !forbiddenHeaders.contains(name);
+ }
+ 
+@@ -326,9 +326,9 @@
+ 
+ XMLHttpRequest::~XMLHttpRequest()
+ {
+-  if (onLoadListener) 
+  if (onLoadListener)
+       onLoadListener->deref();
+-  if (onReadyStateChangeListener) 
+  if (onReadyStateChangeListener)
+       onReadyStateChangeListener->deref();
+   delete qObject;
+   qObject = 0;
+@@ -412,18 +412,19 @@
+       return;
+   }
+ 
+  const QString protocol = url.protocol().toLower();
+  // Abandon the request when the protocol is other than "http",
+  // instead of blindly doing a KIO::get on other protocols like file:/.
+  if (!protocol.startsWith(QLatin1String("http")) &&
+      !protocol.startsWith(QLatin1String("webdav")))
+  {
+    ec = DOMException::INVALID_ACCESS_ERR;
+    abort();
+    return;
+  }
+
+   if (method == "post") {
+-    QString protocol = url.protocol().toLower();
+ 
+-    // Abondon the request when the protocol is other than "http",
+-    // instead of blindly changing it to a "get" request.
+-    if (!protocol.startsWith(QLatin1String("http")) &&
+-        !protocol.startsWith(QLatin1String("webdav")))
+-    {
+-      abort();
+-      return;
+-    }
+-
+     // FIXME: determine post encoding correctly by looking in headers
+     // for charset.
+     QByteArray buf = _body.toUtf8();
+@@ -580,7 +581,7 @@
+       ec = DOMException::INVALID_STATE_ERR;
+       return jsString("");
+   }
+-  
+
+   // ### test error flag, return jsNull
+ 
+   if (responseHeaders.isEmpty()) {
+@@ -809,7 +810,7 @@
+       setDOMException(exec, ec);
+       return ret;
+     }
+-  case XMLHttpRequest::GetResponseHeader: 
+  case XMLHttpRequest::GetResponseHeader:
+     {
+       if (args.size() < 1)
+           return throwError(exec, SyntaxError, "Not enough arguments");
+@@ -852,11 +853,11 @@
+         DOM::NodeImpl* docNode = toNode(args[0]);
+         if (docNode && docNode->isDocumentNode()) {
+           DOM::DocumentImpl *doc = static_cast<DOM::DocumentImpl *>(docNode);
+-          
+
+           try {
+             body = doc->toString().string();
+             // FIXME: also need to set content type, including encoding!
+-  
+
+           } catch(DOM::DOMException&) {
+             return throwError(exec, GeneralError, "Exception serializing document");
+           }
+@@ -866,7 +867,7 @@
+       }
+ 
+       request->send(body, ec);
+-      setDOMException(exec, ec);  
+      setDOMException(exec, ec);
+       return jsUndefined();
+     }
+   case XMLHttpRequest::SetRequestHeader:
--- a/kdelibs.spec
+++ b/kdelibs.spec
@ -4,7 +4,7 @@

 Summary: K Desktop Environment 4 - Libraries
 Version: 4.3.2
-Release: 4%{?dist}
+Release: 5%{?dist}

 Name: kdelibs
 Epoch: 6
@ -85,6 +85,8 @@ Patch102: kdelibs-4.3.2-kde#1033984.patch

 # security fix
 Patch200: kdelibs-4.3.1-CVE-2009-2702.patch
+# fix oCERT-2009-015 - unrestricted XMLHttpRequest access to local URLs
+Patch201: kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch

 BuildRequires: qt4-devel >= 4.5.0
 # qt4%{_?_isa} isn't provided yet -- Rex
@ -210,6 +212,7 @@ format for easy browsing.

 # security fix
 %patch200 -p1 -b .CVE-2009-2702
+%patch201 -p0 -b .oCERT-2009-015-xmlhttprequest

 %build

@ -399,6 +402,9 @@ rm -rf %{buildroot}


 %changelog
+* Mon Nov  2 2009 Lukáš Tinkl <ltinkl@redhat.com> - 4.3.2-5
+- fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015), #532428
+
 * Mon Oct 12 2009 Lukáš Tinkl <ltinkl@redhat.com> - 4.3.2-4
 - khtml kpart crasher nr. 2 (rev.1033984)