58 lines
2.0 KiB
Diff
58 lines
2.0 KiB
Diff
|
--- kdelibs-3.5.4/khtml/css/css_valueimpl.cpp.CVE-2009-1698 2009-06-18 10:59:23.000000000 +0200
|
||
|
+++ kdelibs-3.5.4/khtml/css/css_valueimpl.cpp 2009-06-18 12:53:44.000000000 +0200
|
||
|
@@ -736,7 +736,9 @@
|
||
|
text = getValueName(m_value.ident);
|
||
|
break;
|
||
|
case CSSPrimitiveValue::CSS_ATTR:
|
||
|
- // ###
|
||
|
+ text = "attr(";
|
||
|
+ text += DOMString( m_value.string );
|
||
|
+ text += ")";
|
||
|
break;
|
||
|
case CSSPrimitiveValue::CSS_COUNTER:
|
||
|
text = "counter(";
|
||
|
--- kdelibs-3.5.4/khtml/css/cssparser.cpp.CVE-2009-1698 2009-06-18 10:37:13.000000000 +0200
|
||
|
+++ kdelibs-3.5.4/khtml/css/cssparser.cpp 2009-06-23 13:05:20.000000000 +0200
|
||
|
@@ -1318,6 +1318,7 @@
|
||
|
|
||
|
Value *val;
|
||
|
CSSValueImpl *parsedValue = 0;
|
||
|
+ bool valid = true;
|
||
|
while ( (val = valueList->current()) ) {
|
||
|
if ( val->unit == CSSPrimitiveValue::CSS_URI ) {
|
||
|
// url
|
||
|
@@ -1336,6 +1337,14 @@
|
||
|
if ( args->size() != 1)
|
||
|
return false;
|
||
|
Value *a = args->current();
|
||
|
+ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
|
||
|
+ valid=false;
|
||
|
+ break;
|
||
|
+ }
|
||
|
+ if (qString(a->string)[0] == '-') {
|
||
|
+ valid=false;
|
||
|
+ break;
|
||
|
+ }
|
||
|
parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
|
||
|
}
|
||
|
else
|
||
|
@@ -1367,7 +1376,7 @@
|
||
|
break;
|
||
|
valueList->next();
|
||
|
}
|
||
|
- if ( values->length() ) {
|
||
|
+ if ( valid && values->length() ) {
|
||
|
addProperty( propId, values, important );
|
||
|
valueList->next();
|
||
|
return true;
|
||
|
@@ -1384,7 +1393,8 @@
|
||
|
|
||
|
CounterImpl *counter = new CounterImpl;
|
||
|
Value *i = args->current();
|
||
|
-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
|
||
|
+ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
|
||
|
+ if (qString(i->string)[0] == '-') goto invalid;
|
||
|
counter->m_identifier = domString(i->string);
|
||
|
if (counters) {
|
||
|
i = args->next();
|