fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015)
This commit is contained in:
Lukas Tinkl
parent
3ee8594bea
commit
e22171f202
|
|
@ -0,0 +1,120 @@
|
|||
Index: khtml/ecma/xmlhttprequest.cpp
|
||||
===================================================================
|
||||
--- khtml/ecma/xmlhttprequest.cpp (revision 1035538)
|
||||
+++ khtml/ecma/xmlhttprequest.cpp (revision 1035539)
|
||||
@@ -49,7 +49,7 @@
|
||||
|
||||
using namespace KJS;
|
||||
using namespace DOM;
|
||||
-//
|
||||
+//
|
||||
////////////////////// XMLHttpRequest Object ////////////////////////
|
||||
|
||||
/* Source for XMLHttpRequestProtoTable.
|
||||
@@ -269,7 +269,7 @@
|
||||
static bool canSetRequestHeader(const QString& name)
|
||||
{
|
||||
static QSet<CaseInsensitiveString> forbiddenHeaders;
|
||||
-
|
||||
+
|
||||
if (forbiddenHeaders.isEmpty()) {
|
||||
static const char* hdrs[] = {
|
||||
"accept-charset",
|
||||
@@ -298,12 +298,12 @@
|
||||
"transfer-encoding",
|
||||
"unlock",
|
||||
"upgrade",
|
||||
- "via"
|
||||
+ "via"
|
||||
};
|
||||
for (size_t i = 0; i < sizeof(hdrs)/sizeof(char*); ++i)
|
||||
forbiddenHeaders.insert(CaseInsensitiveString(hdrs[i]));
|
||||
}
|
||||
-
|
||||
+
|
||||
return !forbiddenHeaders.contains(name);
|
||||
}
|
||||
|
||||
@@ -326,9 +326,9 @@
|
||||
|
||||
XMLHttpRequest::~XMLHttpRequest()
|
||||
{
|
||||
- if (onLoadListener)
|
||||
+ if (onLoadListener)
|
||||
onLoadListener->deref();
|
||||
- if (onReadyStateChangeListener)
|
||||
+ if (onReadyStateChangeListener)
|
||||
onReadyStateChangeListener->deref();
|
||||
delete qObject;
|
||||
qObject = 0;
|
||||
@@ -412,18 +412,19 @@
|
||||
return;
|
||||
}
|
||||
|
||||
+ const QString protocol = url.protocol().toLower();
|
||||
+ // Abandon the request when the protocol is other than "http",
|
||||
+ // instead of blindly doing a KIO::get on other protocols like file:/.
|
||||
+ if (!protocol.startsWith(QLatin1String("http")) &&
|
||||
+ !protocol.startsWith(QLatin1String("webdav")))
|
||||
+ {
|
||||
+ ec = DOMException::INVALID_ACCESS_ERR;
|
||||
+ abort();
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
if (method == "post") {
|
||||
- QString protocol = url.protocol().toLower();
|
||||
|
||||
- // Abondon the request when the protocol is other than "http",
|
||||
- // instead of blindly changing it to a "get" request.
|
||||
- if (!protocol.startsWith(QLatin1String("http")) &&
|
||||
- !protocol.startsWith(QLatin1String("webdav")))
|
||||
- {
|
||||
- abort();
|
||||
- return;
|
||||
- }
|
||||
-
|
||||
// FIXME: determine post encoding correctly by looking in headers
|
||||
// for charset.
|
||||
QByteArray buf = _body.toUtf8();
|
||||
@@ -580,7 +581,7 @@
|
||||
ec = DOMException::INVALID_STATE_ERR;
|
||||
return jsString("");
|
||||
}
|
||||
-
|
||||
+
|
||||
// ### test error flag, return jsNull
|
||||
|
||||
if (responseHeaders.isEmpty()) {
|
||||
@@ -809,7 +810,7 @@
|
||||
setDOMException(exec, ec);
|
||||
return ret;
|
||||
}
|
||||
- case XMLHttpRequest::GetResponseHeader:
|
||||
+ case XMLHttpRequest::GetResponseHeader:
|
||||
{
|
||||
if (args.size() < 1)
|
||||
return throwError(exec, SyntaxError, "Not enough arguments");
|
||||
@@ -852,11 +853,11 @@
|
||||
DOM::NodeImpl* docNode = toNode(args[0]);
|
||||
if (docNode && docNode->isDocumentNode()) {
|
||||
DOM::DocumentImpl *doc = static_cast<DOM::DocumentImpl *>(docNode);
|
||||
-
|
||||
+
|
||||
try {
|
||||
body = doc->toString().string();
|
||||
// FIXME: also need to set content type, including encoding!
|
||||
-
|
||||
+
|
||||
} catch(DOM::DOMException&) {
|
||||
return throwError(exec, GeneralError, "Exception serializing document");
|
||||
}
|
||||
@@ -866,7 +867,7 @@
|
||||
}
|
||||
|
||||
request->send(body, ec);
|
||||
- setDOMException(exec, ec);
|
||||
+ setDOMException(exec, ec);
|
||||
return jsUndefined();
|
||||
}
|
||||
case XMLHttpRequest::SetRequestHeader:
|
||||
|
|
@ -4,7 +4,7 @@
|
|||
|
||||
Summary: K Desktop Environment 4 - Libraries
|
||||
Version: 4.3.2
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
|
||||
Name: kdelibs
|
||||
Epoch: 6
|
||||
|
|
@ -85,6 +85,8 @@ Patch102: kdelibs-4.3.2-kde#1033984.patch
|
|||
|
||||
# security fix
|
||||
Patch200: kdelibs-4.3.1-CVE-2009-2702.patch
|
||||
# fix oCERT-2009-015 - unrestricted XMLHttpRequest access to local URLs
|
||||
Patch201: kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch
|
||||
|
||||
BuildRequires: qt4-devel >= 4.5.0
|
||||
# qt4%{_?_isa} isn't provided yet -- Rex
|
||||
|
|
@ -210,6 +212,7 @@ format for easy browsing.
|
|||
|
||||
# security fix
|
||||
%patch200 -p1 -b .CVE-2009-2702
|
||||
%patch201 -p0 -b .oCERT-2009-015-xmlhttprequest
|
||||
|
||||
%build
|
||||
|
||||
|
|
@ -399,6 +402,9 @@ rm -rf %{buildroot}
|
|||
|
||||
|
||||
%changelog
|
||||
* Mon Nov 2 2009 Lukáš Tinkl <ltinkl@redhat.com> - 4.3.2-5
|
||||
- fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015), #532428
|
||||
|
||||
* Mon Oct 12 2009 Lukáš Tinkl <ltinkl@redhat.com> - 4.3.2-4
|
||||
- khtml kpart crasher nr. 2 (rev.1033984)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue