fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015)

2009-11-02 14:55:24 +00:00 · 2009-11-02 14:55:24 +00:00 · 6fa4cd24f6
parent 87879c2770
commit 6fa4cd24f6
2 changed files with 52 additions and 1 deletions
--- a/kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch
+++ b/kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch
@ -0,0 +1,45 @@
+Index: xmlhttprequest.cpp
+===================================================================
+--- khtml/ecma/xmlhttprequest.cpp	(revision 954808)
+++ khtml/ecma/xmlhttprequest.cpp	(working copy)
+@@ -342,17 +342,17 @@
+ {
+   aborted = false;
+ 
+  const QString protocol = url.protocol().lower();
+  // Abandon the request when the protocol is other than "http",
+  // instead of blindly doing a KIO::get on other protocols like file:/.
+  if (!protocol.startsWith("http") && !protocol.startsWith("webdav"))
+  {
+    abort();
+    return;
+  }
+
+   if (method == "post") {
+-    QString protocol = url.protocol().lower();
+ 
+-    // Abondon the request when the protocol is other than "http",
+-    // instead of blindly changing it to a "get" request.
+-    if (!protocol.startsWith("http") && !protocol.startsWith("webdav"))
+-    {
+-      abort();
+-      return;
+-    }
+-
+     // FIXME: determine post encoding correctly by looking in headers
+     // for charset.
+     QByteArray buf;
+@@ -763,11 +763,11 @@
+         if (obj.isValid() && obj.inherits(&DOMDocument::info)) {
+           DOM::Node docNode = static_cast<KJS::DOMDocument *>(obj.imp())->toNode();
+           DOM::DocumentImpl *doc = static_cast<DOM::DocumentImpl *>(docNode.handle());
+-          
+
+           try {
+             body = doc->toString().string();
+             // FIXME: also need to set content type, including encoding!
+-  
+
+           } catch(DOM::DOMException& e) {
+             Object err = Error::create(exec, GeneralError, "Exception serializing document");
+             exec->setException(err);
--- a/kdelibs3.spec
+++ b/kdelibs3.spec
@ -27,7 +27,7 @@

 Summary: K Desktop Environment 3 - Libraries
 Version: 3.5.10
-Release: 19%{?dist}
+Release: 20%{?dist}

 Name: kdelibs3
 Obsoletes: kdelibs < 6:%{version}-%{release}
@ -95,6 +95,8 @@ Patch203: kdelibs-3.5.4-CVE-2009-1690.patch
 Patch204: kdelibs-3.5.10-cve-2009-1698.patch
 # fix CVE-2009-2702 - ssl incorrect verification of SSL certificate with NUL in subjectAltName
 Patch205: kdelibs-3.5.10-CVE-2009-2702.patch
+# fix oCERT-2009-015 - unrestricted XMLHttpRequest access to local URLs
+Patch206: kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch

 Requires: hicolor-icon-theme
 %if %{kde_settings}
@ -246,6 +248,7 @@ format for easy browsing
 %patch203 -p1 -b .cve-2009-1690
 %patch204 -p1 -b .cve-2009-1698
 %patch205 -p1 -b .cve-2009-2702
+%patch206 -p0 -b .oCERT-2009-015-xmlhttprequest

 sed -i -e "s,^#define KDE_VERSION_STRING .*,#define KDE_VERSION_STRING \"%{version}-%{release} %{distname}\"," kdecore/kdeversion.h

@ -569,6 +572,9 @@ touch --no-create %{_datadir}/icons/crystalsvg 2> /dev/null || :


 %changelog
+* Mon Nov  2 2009 Lukáš Tinkl <ltinkl@redhat.com> - 3.5.10-20
+- fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015), #532428
+
 * Mon Sep 28 2009 Rex Dieter <rdieter@fedoraproject.org> - 3.5.10-19
 - Conflicts with kde-settings (#526109)