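--- a/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog
+++ b/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog
@@ -0,0 +1,90 @@
+2010-01-20 Adam Barth <abarth@webkit.org>
+
+ Reviewed by Darin Adler.
+
+ Stylesheet href property shows redirected URL unlike other browsers
+ https://bugs.webkit.org/show_bug.cgi?id=33683
+
+ Teach StyleSheet the difference between original and final URLs in
+ redirect chains. Unfortunately, StyleSheet needs to know both of these
+ URLs. The original URL is needed for the href property and the final
+ URL is needed as the baseURL.
+
+ This change required touching a lot of lines of code because we need to
+ plumb this information to the StyleSheet object. I audited all
+ existing clients of href() and setHref() to see whether they wanted the
+ original or final URLs. I then updated the clients (except the JS
+ bindings themselves) to use the correct accessor.
+
+ Test: http/tests/security/stylesheet-href-redirect.html
+
+ * css/CSSImportRule.cpp:
+ (WebCore::CSSImportRule::setCSSStyleSheet):
+ (WebCore::CSSImportRule::insertedIntoParent):
+ * css/CSSImportRule.h:
+ * css/CSSStyleSheet.cpp:
+ (WebCore::CSSStyleSheet::CSSStyleSheet):
+ * css/CSSStyleSheet.h:
+ (WebCore::CSSStyleSheet::create):
+ (WebCore::CSSStyleSheet::createInline): Added a new constructor to deal
+ with "inline" style sheets that don't have a distinct original and
+ final URL.
+ * css/StyleBase.cpp:
+ (WebCore::StyleBase::baseURL): This code wants to use the final URL,
+ not the original URL. Updated it to grab the baseURL directly.
+ * css/StyleSheet.cpp:
+ (WebCore::StyleSheet::StyleSheet):
+ * css/StyleSheet.h:
+ (WebCore::StyleSheet::href):
+ (WebCore::StyleSheet::setBaseURL): This function really just updates
+ the base URL of the style sheet, so I made it more explicit.
+ (WebCore::StyleSheet::putativeBaseURL): We need an accessor for the
+ base URL, but baseURL is already taken.
+ * dom/Document.cpp:
+ (WebCore::Document::updateBaseURL):
+ (WebCore::Document::pageUserSheet):
+ (WebCore::Document::pageGroupUserSheets):
+ (WebCore::Document::elementSheet):
+ (WebCore::Document::mappedElementSheet):
+ * dom/ProcessingInstruction.cpp:
+ (WebCore::ProcessingInstruction::checkStyleSheet):
+ (WebCore::ProcessingInstruction::setCSSStyleSheet):
+ (WebCore::ProcessingInstruction::setXSLStyleSheet):
+ * dom/ProcessingInstruction.h:
+ * dom/StyleElement.cpp:
+ (WebCore::StyleElement::createSheet):
+ * html/HTMLLinkElement.cpp:
+ (WebCore::HTMLLinkElement::setCSSStyleSheet):
+ * html/HTMLLinkElement.h:
+ * loader/CachedCSSStyleSheet.cpp:
+ (WebCore::CachedCSSStyleSheet::didAddClient):
+ (WebCore::CachedCSSStyleSheet::checkNotify): This code now passes both
+ the original and final URL into setCSSStyleSheet so that the style
+ sheet can have both.
+ * loader/CachedResourceClient.h:
+ (WebCore::CachedResourceClient::setCSSStyleSheet):
+ (WebCore::CachedResourceClient::setXSLStyleSheet):
+ * loader/CachedXSLStyleSheet.cpp:
+ (WebCore::CachedXSLStyleSheet::didAddClient):
+ (WebCore::CachedXSLStyleSheet::checkNotify): I don't have any direct
+ evidence that we need to change the XSLStyleSheet behavior, which is
+ why I wasn't able to add a test for the behavior. However, the objects
+ are parallel enough that it seemed like the right thing to do.
+ * xml/XSLImportRule.cpp:
+ (WebCore::XSLImportRule::setXSLStyleSheet):
+ (WebCore::XSLImportRule::loadSheet):
+ * xml/XSLImportRule.h:
+ * xml/XSLStyleSheet.h:
+ (WebCore::XSLStyleSheet::create):
+ (WebCore::XSLStyleSheet::createEmbedded):
+ * xml/XSLStyleSheetLibxslt.cpp:
+ (WebCore::XSLStyleSheet::XSLStyleSheet):
+ (WebCore::XSLStyleSheet::parseString):
+ (WebCore::XSLStyleSheet::loadChildSheets):
+ * xml/XSLStyleSheetQt.cpp:
+ (WebCore::XSLStyleSheet::XSLStyleSheet):
+ * xml/XSLTProcessorLibxslt.cpp:
+ (WebCore::xsltStylesheetPointer):
+ * xml/XSLTProcessorQt.cpp:
+ (WebCore::XSLTProcessor::transformToString):
+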
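--- a/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp
+++ b/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp
@@ -55,11 +55,11 @@ CSSImportRule::~CSSImportRule()
 m_cachedSheet->removeClient(this);
 }
 
-void CSSImportRule::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet)
+void CSSImportRule::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet)
 {
 if (m_styleSheet)
 m_styleSheet->setParent(0);
- m_styleSheet = CSSStyleSheet::create(this, url, charset);
+ m_styleSheet = CSSStyleSheet::create(this, href, baseURL, charset);
 
 bool crossOriginCSS = false;
 bool validMIMEType = false;
@@ -70,17 +70,17 @@ void CSSImportRule::setCSSStyleSheet(con
 String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType);
 m_styleSheet->parseString(sheetText, strict);
 
- if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
+ if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(baseURL))
 crossOriginCSS = true;
 
 if (crossOriginCSS && !validMIMEType && !m_styleSheet->hasSyntacticallyValidCSSHeader())
- m_styleSheet = CSSStyleSheet::create(this, url, charset);
+ m_styleSheet = CSSStyleSheet::create(this, href, baseURL, charset);
 
 if (strict && parent && parent->doc() && parent->doc()->settings() && parent->doc()->settings()->needsSiteSpecificQuirks()) {
 // Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
 DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css"));
 DEFINE_STATIC_LOCAL(const String, mediaWikiKHTMLFixesStyleSheet, ("/* KHTML fix stylesheet */\n/* work around the horizontal scrollbars */\n#column-content { margin-left: 0; }\n\n"));
- if (url.endsWith(slashKHTMLFixesDotCss) && sheetText == mediaWikiKHTMLFixesStyleSheet) {
+ if (baseURL.string().endsWith(slashKHTMLFixesDotCss) && sheetText == mediaWikiKHTMLFixesStyleSheet) {
 ASSERT(m_styleSheet->length() == 1);
 ExceptionCode ec;
 m_styleSheet->deleteRule(0, ec);
@@ -109,15 +109,16 @@ void CSSImportRule::insertedIntoParent()
 return;
 
 String absHref = m_strHref;
- if (!parentSheet->href().isNull())
+ if (!parentSheet->putativeBaseURL().isNull())
 // use parent styleheet's URL as the base URL
- absHref = KURL(KURL(ParsedURLString, parentSheet->href()), m_strHref).string();
+ absHref = KURL(parentSheet->putativeBaseURL(), m_strHref).string();
 
 // Check for a cycle in our import chain. If we encounter a stylesheet
 // in our parent chain with the same URL, then just bail.
 StyleBase* root = this;
 for (StyleBase* curr = parent(); curr; curr = curr->parent()) {
- if (curr->isCSSStyleSheet() && absHref == static_cast<CSSStyleSheet*>(curr)->href())
+ // FIXME: This is wrong if the putativeBaseURL was updated via document::updateBaseURL.
+ if (curr->isCSSStyleSheet() && absHref == static_cast<CSSStyleSheet*>(curr)->putativeBaseURL().string())
 return;
 root = curr;
 }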
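Review bot: The cycle check in the last hunk of `insertedIntoParent()` compares `absHref` only against each ancestor's `putativeBaseURL()`, so an ancestor that was requested under the same URL but served from a different one after a redirect does not match. Since `href()` now holds the requested URL, the loop could test both values: `if (curr->isCSSStyleSheet() && (absHref == static_cast<CSSStyleSheet*>(curr)->putativeBaseURL().string() || absHref == static_cast<CSSStyleSheet*>(curr)->href()))`. Whether the loader's cache already bounds such an import chain is not visible here, so this should be confirmed with a test that imports through a redirect. The added FIXME covers only the `updateBaseURL` case, and the function begins and ends outside the hunk.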
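--- a/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h
+++ b/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h
@@ -63,7 +63,7 @@ private:
 virtual unsigned short type() const { return IMPORT_RULE; }
 
 // from CachedResourceClient
- virtual void setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet*);
+ virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet*);
 
 String m_strHref;
 RefPtr<MediaList> m_lstMedia;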
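--- a/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp
+++ b/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp
@@ -33,8 +33,8 @@
 
 namespace WebCore {
 
-CSSStyleSheet::CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const String& charset)
- : StyleSheet(parentSheet, href)
+CSSStyleSheet::CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const KURL& baseURL, const String& charset)
+ : StyleSheet(parentSheet, href, baseURL)
 , m_doc(parentSheet ? parentSheet->doc() : 0)
 , m_namespaces(0)
 , m_charset(charset)
@@ -45,8 +45,8 @@ CSSStyleSheet::CSSStyleSheet(CSSStyleShe
 {
 }
 
-CSSStyleSheet::CSSStyleSheet(Node* parentNode, const String& href, const String& charset)
- : StyleSheet(parentNode, href)
+CSSStyleSheet::CSSStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, const String& charset)
+ : StyleSheet(parentNode, href, baseURL)
 , m_doc(parentNode->document())
 , m_namespaces(0)
 , m_charset(charset)
@@ -57,8 +57,8 @@ CSSStyleSheet::CSSStyleSheet(Node* paren
 {
 }
 
-CSSStyleSheet::CSSStyleSheet(CSSRule* ownerRule, const String& href, const String& charset)
- : StyleSheet(ownerRule, href)
+CSSStyleSheet::CSSStyleSheet(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset)
+ : StyleSheet(ownerRule, href, baseURL)
 , m_namespaces(0)
 , m_charset(charset)
 , m_loadCompleted(false)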
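--- a/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h
+++ b/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h
@@ -38,27 +38,31 @@ class CSSStyleSheet : public StyleSheet
 public:
 static PassRefPtr<CSSStyleSheet> create()
 {
- return adoptRef(new CSSStyleSheet(static_cast<CSSStyleSheet*>(0), String(), String()));
+ return adoptRef(new CSSStyleSheet(static_cast<CSSStyleSheet*>(0), String(), KURL(), String()));
 }
 static PassRefPtr<CSSStyleSheet> create(Node* ownerNode)
 {
- return adoptRef(new CSSStyleSheet(ownerNode, String(), String()));
+ return adoptRef(new CSSStyleSheet(ownerNode, String(), KURL(), String()));
 }
- static PassRefPtr<CSSStyleSheet> create(Node* ownerNode, const String& href)
+ static PassRefPtr<CSSStyleSheet> create(Node* ownerNode, const String& href, const KURL& baseURL)
 {
- return adoptRef(new CSSStyleSheet(ownerNode, href, String()));
+ return adoptRef(new CSSStyleSheet(ownerNode, href, baseURL, String()));
 }
- static PassRefPtr<CSSStyleSheet> create(Node* ownerNode, const String& href, const String& charset)
+ static PassRefPtr<CSSStyleSheet> create(Node* ownerNode, const String& href, const KURL& baseURL, const String& charset)
 {
- return adoptRef(new CSSStyleSheet(ownerNode, href, charset));
+ return adoptRef(new CSSStyleSheet(ownerNode, href, baseURL, charset));
 }
- static PassRefPtr<CSSStyleSheet> create(CSSRule* ownerRule, const String& href, const String& charset)
+ static PassRefPtr<CSSStyleSheet> create(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset)
 {
- return adoptRef(new CSSStyleSheet(ownerRule, href, charset));
+ return adoptRef(new CSSStyleSheet(ownerRule, href, baseURL, charset));
+ }
+ static PassRefPtr<CSSStyleSheet> createInline(Node* ownerNode, const KURL& baseURL)
+ {
+ return adoptRef(new CSSStyleSheet(ownerNode, baseURL.string(), baseURL, String()));
 }
 
 virtual ~CSSStyleSheet();
-
+
 CSSRule* ownerRule() const;
 PassRefPtr<CSSRuleList> cssRules(bool omitCharsetRules = false);
 unsigned insertRule(const String& rule, unsigned index, ExceptionCode&);
@@ -72,7 +76,7 @@ public:
 
 void addNamespace(CSSParser*, const AtomicString& prefix, const AtomicString& uri);
 const AtomicString& determineNamespace(const AtomicString& prefix);
-
+
 virtual void styleSheetChanged();
 
 virtual bool parseString(const String&, bool strict = true);
@@ -99,10 +103,10 @@ public:
 bool hasSyntacticallyValidCSSHeader() const { return m_hasSyntacticallyValidCSSHeader; }
 
 private:
- CSSStyleSheet(Node* ownerNode, const String& href, const String& charset);
- CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const String& charset);
- CSSStyleSheet(CSSRule* ownerRule, const String& href, const String& charset);
-
+ CSSStyleSheet(Node* ownerNode, const String& href, const KURL& baseURL, const String& charset);
+ CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const KURL& baseURL, const String& charset);
+ CSSStyleSheet(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset);
+
 virtual bool isCSSStyleSheet() const { return true; }
 virtual String type() const { return "text/css"; }
 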
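Review bot: `createInline()` in the first hunk is added without a comment, and nothing at the declaration says why it may derive href from the base URL while every other `create()` overload takes the two separately. A later caller could use it for a sheet that was fetched over the network, where the requested and final URLs can differ after a redirect and the href exposed to script would then be the final one. A one-line comment above it would make the contract explicit: `// Only for sheets that were not loaded through a redirect chain (element, mapped and user sheets): href and base URL are the same.` The class body begins and ends outside these hunks.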
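--- a/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp
+++ b/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp
@@ -56,9 +56,9 @@ KURL StyleBase::baseURL() const
 StyleSheet* sheet = const_cast<StyleBase*>(this)->stylesheet();
 if (!sheet)
 return KURL();
- if (!sheet->href().isNull())
- return KURL(ParsedURLString, sheet->href());
- if (sheet->parent())
+ if (!sheet->putativeBaseURL().isNull())
+ return sheet->putativeBaseURL();
+ if (sheet->parent())
 return sheet->parent()->baseURL();
 if (!sheet->ownerNode())
 return KURL();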
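--- a/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp
+++ b/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp
@@ -26,27 +26,30 @@
 
 namespace WebCore {
 
-StyleSheet::StyleSheet(StyleSheet* parentSheet, const String& href)
+StyleSheet::StyleSheet(StyleSheet* parentSheet, const String& href, const KURL& baseURL)
 : StyleList(parentSheet)
 , m_parentNode(0)
- , m_strHref(href)
+ , m_href(href)
+ , m_baseURL(baseURL)
 , m_disabled(false)
 {
 }
 
 
-StyleSheet::StyleSheet(Node* parentNode, const String& href)
+StyleSheet::StyleSheet(Node* parentNode, const String& href, const KURL& baseURL)
 : StyleList(0)
 , m_parentNode(parentNode)
- , m_strHref(href)
+ , m_href(href)
+ , m_baseURL(baseURL)
 , m_disabled(false)
 {
 }
 
-StyleSheet::StyleSheet(StyleBase* owner, const String& href)
+StyleSheet::StyleSheet(StyleBase* owner, const String& href, const KURL& baseURL)
 : StyleList(owner)
 , m_parentNode(0)
- , m_strHref(href)
+ , m_href(href)
+ , m_baseURL(baseURL)
 , m_disabled(false)
 {
 }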
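--- a/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h
+++ b/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h
@@ -41,8 +41,18 @@ public:
 
 Node* ownerNode() const { return m_parentNode; }
 StyleSheet *parentStyleSheet() const;
- const String& href() const { return m_strHref; }
- void setHref(const String& href) { m_strHref = href; }
+
+ // Note that href is the URL that started the redirect chain that led to
+ // this style sheet. This property probably isn't useful for much except
+ // the JavaScript binding (which needs to use this value for security).
+ const String& href() const { return m_href; }
+
+ void setBaseURL(const KURL& baseURL) { m_baseURL = baseURL; }
+
+ // Notice that this object inherits a baseURL function from StyleBase that
+ // crawls the parent() relation looking for a non-0 putativeBaseURL.
+ const KURL& putativeBaseURL() const { return m_baseURL; }
+
 const String& title() const { return m_strTitle; }
 void setTitle(const String& s) { m_strTitle = s; }
 MediaList* media() const { return m_media.get(); }
@@ -58,15 +68,16 @@ public:
 virtual bool parseString(const String&, bool strict = true) = 0;
 
 protected:
- StyleSheet(Node* ownerNode, const String& href);
- StyleSheet(StyleSheet* parentSheet, const String& href);
- StyleSheet(StyleBase* owner, const String& href);
+ StyleSheet(Node* ownerNode, const String& href, const KURL& baseURL);
+ StyleSheet(StyleSheet* parentSheet, const String& href, const KURL& baseURL);
+ StyleSheet(StyleBase* owner, const String& href, const KURL& baseURL);
 
 private:
 virtual bool isStyleSheet() const { return true; }
 
 Node* m_parentNode;
- String m_strHref;
+ String m_href;
+ KURL m_baseURL;
 String m_strTitle;
 RefPtr<MediaList> m_media;
 bool m_disabled;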
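Review bot: The new comment above `href()` in the first hunk says the JavaScript binding needs this value "for security" without saying what goes wrong otherwise, and the comment above `putativeBaseURL()` never states that it is the post-redirect URL. Going by the ChangeLog entry, the rule is that script sees only the requested URL while resolution and origin checks use the final one, so I would state that directly: `// href() is the URL as requested, before any redirect; it is the value exposed to script, so a redirect target is not revealed.` and `// putativeBaseURL() is the final URL after redirects; use it to resolve relative URLs and for origin checks.` The phrase "non-0 putativeBaseURL" would also read better as "non-null", since the accessor returns a `KURL` reference rather than a pointer.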
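--- a/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp
+++ b/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp
@@ -1920,9 +1920,9 @@ void Document::updateBaseURL()
 m_baseURL = KURL();
 
 if (m_elemSheet)
- m_elemSheet->setHref(m_baseURL.string());
+ m_elemSheet->setBaseURL(m_baseURL);
 if (m_mappedElementSheet)
- m_mappedElementSheet->setHref(m_baseURL.string());
+ m_mappedElementSheet->setBaseURL(m_baseURL);
 }
 
 String Document::userAgent(const KURL& url) const
@@ -1944,7 +1944,7 @@ CSSStyleSheet* Document::pageUserSheet()
 return 0;
 
 // Parse the sheet and cache it.
- m_pageUserSheet = CSSStyleSheet::create(this, settings()->userStyleSheetLocation());
+ m_pageUserSheet = CSSStyleSheet::createInline(this, settings()->userStyleSheetLocation());
 m_pageUserSheet->setIsUserStyleSheet(true);
 m_pageUserSheet->parseString(userSheetText, !inCompatMode());
 return m_pageUserSheet.get();
@@ -1979,7 +1979,7 @@ const Vector<RefPtr<CSSStyleSheet> >* Do
 const UserStyleSheet* sheet = sheets->at(i).get();
 if (!UserContentURLPattern::matchesPatterns(url(), sheet->whitelist(), sheet->blacklist()))
 continue;
- RefPtr<CSSStyleSheet> parsedSheet = CSSStyleSheet::create(const_cast<Document*>(this), sheet->url());
+ RefPtr<CSSStyleSheet> parsedSheet = CSSStyleSheet::createInline(const_cast<Document*>(this), sheet->url());
 parsedSheet->setIsUserStyleSheet(true);
 parsedSheet->parseString(sheet->source(), !inCompatMode());
 if (!m_pageGroupUserSheets)
@@ -2001,14 +2001,14 @@ void Document::clearPageGroupUserSheets(
 CSSStyleSheet* Document::elementSheet()
 {
 if (!m_elemSheet)
- m_elemSheet = CSSStyleSheet::createInline(this, m_baseURL.string());
+ m_elemSheet = CSSStyleSheet::createInline(this, m_baseURL);
 return m_elemSheet.get();
 }
 
 CSSStyleSheet* Document::mappedElementSheet()
 {
 if (!m_mappedElementSheet)
- m_mappedElementSheet = CSSStyleSheet::create(this, m_baseURL.string());
+ m_mappedElementSheet = CSSStyleSheet::createInline(this, m_baseURL);
 return m_mappedElementSheet.get();
 }
 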
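Review bot: In the first hunk `updateBaseURL()` now refreshes only the base URL of `m_elemSheet` and `m_mappedElementSheet`, while `createInline()` in `elementSheet()` and `mappedElementSheet()` seeds href from `m_baseURL` at creation time, so `href()` on these two sheets keeps the old document base once the base changes. That contradicts the premise of `createInline()` that href and base URL are the same for such sheets. If no caller reads `href()` on them (not visible here), creating them with an empty href, `CSSStyleSheet::create(this, String(), m_baseURL)`, avoids the stale value; otherwise the two `setBaseURL(m_baseURL)` calls deserve a comment such as `// href() is deliberately left unchanged; only the resolution base follows the document.` `updateBaseURL()` begins outside the hunk.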
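--- a/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp
+++ b/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp
@@ -138,7 +138,8 @@ void ProcessingInstruction::checkStyleSh
 // We need to make a synthetic XSLStyleSheet that is embedded. It needs to be able
 // to kick off import/include loads that can hang off some parent sheet.
 if (m_isXSL) {
- m_sheet = XSLStyleSheet::createEmbedded(this, m_localHref);
+ KURL baseURL = KURL(ParsedURLString, m_localHref);
+ m_sheet = XSLStyleSheet::createEmbedded(this, m_localHref, baseURL);
 m_loading = false;
 }
 #endif
@@ -196,12 +197,12 @@ bool ProcessingInstruction::sheetLoaded(
 return false;
 }
 
-void ProcessingInstruction::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet)
+void ProcessingInstruction::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet)
 {
 #if ENABLE(XSLT)
 ASSERT(!m_isXSL);
 #endif
- RefPtr<CSSStyleSheet> newSheet = CSSStyleSheet::create(this, url, charset);
+ RefPtr<CSSStyleSheet> newSheet = CSSStyleSheet::create(this, href, baseURL, charset);
 m_sheet = newSheet;
 // We don't need the cross-origin security check here because we are
 // getting the sheet text in "strict" mode. This enforces a valid CSS MIME
@@ -213,10 +214,10 @@ void ProcessingInstruction::setCSSStyleS
 }
 
 #if ENABLE(XSLT)
-void ProcessingInstruction::setXSLStyleSheet(const String& url, const String& sheet)
+void ProcessingInstruction::setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet)
 {
 ASSERT(m_isXSL);
- m_sheet = XSLStyleSheet::create(this, url);
+ m_sheet = XSLStyleSheet::create(this, href, baseURL);
 parseStyleSheet(sheet);
 }
 #endif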
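Review bot: In `checkStyleSheet()` the added line `KURL baseURL = KURL(ParsedURLString, m_localHref);` builds the base URL with the `ParsedURLString` constructor, which is meant for strings that are already absolute, canonical URLs. The comment above describes a synthetic sheet embedded in the document and the member is named `m_localHref`, so the value is probably a document-local reference (its assignment is outside the hunk); if so, the resulting base URL is not a valid absolute URL and the import/include loads mentioned in that comment would be resolved against it. A base taken from the owning document would be safer in that case, e.g. `KURL baseURL = document()->baseURL();`, with `m_localHref` kept as the href. Please confirm which form `m_localHref` has here and add a short comment saying so.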
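--- a/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h
+++ b/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h
@@ -68,9 +68,9 @@ private:
 virtual void removedFromDocument();
 
 void checkStyleSheet();
- virtual void setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet*);
+ virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet*);
 #if ENABLE(XSLT)
- virtual void setXSLStyleSheet(const String& url, const String& sheet);
+ virtual void setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet);
 #endif
 
 bool isLoading() const;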
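--- a/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp
+++ b/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp
@@ -103,7 +103,7 @@ void StyleElement::createSheet(Element*
 if (screenEval.eval(mediaList.get()) || printEval.eval(mediaList.get())) {
 document->addPendingSheet();
 setLoading(true);
- m_sheet = CSSStyleSheet::create(e, String(), document->inputEncoding());
+ m_sheet = CSSStyleSheet::create(e, String(), KURL(), document->inputEncoding());
 m_sheet->parseString(text, !document->inCompatMode());
 m_sheet->setMedia(mediaList.get());
 m_sheet->setTitle(e->title());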
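--- a/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp
+++ b/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp
@@ -253,9 +253,9 @@ void HTMLLinkElement::finishParsingChild
 HTMLElement::finishParsingChildren();
 }
 
-void HTMLLinkElement::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet)
+void HTMLLinkElement::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet)
 {
- m_sheet = CSSStyleSheet::create(this, url, charset);
+ m_sheet = CSSStyleSheet::create(this, href, baseURL, charset);
 
 bool strictParsing = !document()->inCompatMode();
 bool enforceMIMEType = strictParsing;
@@ -275,11 +275,11 @@ void HTMLLinkElement::setCSSStyleSheet(c
 // valid CSS rule.
 // This prevents an attacker playing games by injecting CSS strings into
 // HTML, XML, JSON, etc. etc.
- if (!document()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
+ if (!document()->securityOrigin()->canRequest(baseURL))
 crossOriginCSS = true;
 
 if (crossOriginCSS && !validMIMEType && !m_sheet->hasSyntacticallyValidCSSHeader())
- m_sheet = CSSStyleSheet::create(this, url, charset);
+ m_sheet = CSSStyleSheet::create(this, href, baseURL, charset);
 
 if (strictParsing && document()->settings() && document()->settings()->needsSiteSpecificQuirks()) {
 // Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
@@ -287,7 +287,7 @@ void HTMLLinkElement::setCSSStyleSheet(c
 DEFINE_STATIC_LOCAL(const String, mediaWikiKHTMLFixesStyleSheet, ("/* KHTML fix stylesheet */\n/* work around the horizontal scrollbars */\n#column-content { margin-left: 0; }\n\n"));
 // There are two variants of KHTMLFixes.css. One is equal to mediaWikiKHTMLFixesStyleSheet,
 // while the other lacks the second trailing newline.
- if (url.endsWith(slashKHTMLFixesDotCss) && !sheetText.isNull() && mediaWikiKHTMLFixesStyleSheet.startsWith(sheetText)
+ if (baseURL.string().endsWith(slashKHTMLFixesDotCss) && !sheetText.isNull() && mediaWikiKHTMLFixesStyleSheet.startsWith(sheetText)
 && sheetText.length() >= mediaWikiKHTMLFixesStyleSheet.length() - 1) {
 ASSERT(m_sheet->length() == 1);
 ExceptionCode ec;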
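Review bot: The cross-origin test `canRequest(baseURL)` in the second hunk is only correct while `baseURL` is the post-redirect URL, but the comment block above it still talks only about CSS strings injected into other content types and does not say which of the two URL parameters is the security-relevant one. With `href` and `baseURL` now both in scope, a later edit could switch the check to `href` and lose the cross-origin flag for a same-origin URL that redirects elsewhere. A line such as `// Check the final (post-redirect) URL, not href: a same-origin href can redirect to another origin.` would pin this down; the same comment fits the matching `canRequest(baseURL)` line in `CSSImportRule::setCSSStyleSheet`. The function begins and ends outside these hunks.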
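--- a/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h
+++ b/qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h
@@ -79,7 +79,7 @@ public:
 virtual void removedFromDocument();
 
 // from CachedResourceClient
- virtual void setCSSStyleSheet(const String &url, const String& charset, const CachedCSSStyleSheet* sheet);
+ virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet);
 bool isLoading() const;
 virtual bool sheetLoaded();
 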
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp
|
||
|
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.661976647 +0200
|
||
|
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp 2010-05-03 15:55:37.774976529 +0200
|
||
|
@@ -52,9 +52,9 @@ CachedCSSStyleSheet::~CachedCSSStyleShee
|
||
|
void CachedCSSStyleSheet::didAddClient(CachedResourceClient *c)
|
||
|
{
|
||
|
if (!m_loading)
|
||
|
- c->setCSSStyleSheet(m_url, m_decoder->encoding().name(), this);
|
||
|
+ c->setCSSStyleSheet(m_url, m_response.url(), m_decoder->encoding().name(), this);
|
||
|
}
|
||
|
-
|
||
|
+
|
||
|
void CachedCSSStyleSheet::allClientsRemoved()
|
||
|
{
|
||
|
if (isSafeToMakePurgeable())
|
||
|
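Review bot: The new call in `didAddClient` passes two URLs whose order is security-relevant, and nothing at the call site says which is which. Per the ChangeLog, the first argument (`m_url`) is the URL as requested and backs the script-visible href, while the second (`m_response.url()`) is the post-redirect URL used only as the base. Passing the response URL first, as `checkNotify` did before this patch, exposes the redirect target to the page. I would add a comment above this call and the matching one in `checkNotify`: `// href = requested URL (script-visible); baseURL = final URL after redirects, never exposed as href.` The `-`/`+` blank-line pair after the closing brace looks like a whitespace-only change and could be dropped from the patch.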
@@ -112,7 +112,7 @@ void CachedCSSStyleSheet::checkNotify()
|
||
|
|
||
|
CachedResourceClientWalker w(m_clients);
|
||
|
while (CachedResourceClient *c = w.next())
|
||
|
- c->setCSSStyleSheet(m_response.url().string(), m_decoder->encoding().name(), this);
|
||
|
+ c->setCSSStyleSheet(m_url, m_response.url(), m_decoder->encoding().name(), this);
|
||
|
}
|
||
|
|
||
|
void CachedCSSStyleSheet::error()
|
||
|
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h
|
||
|
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
|
||
|
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h 2010-05-03 15:55:37.775976911 +0200
|
||
|
@@ -42,6 +42,7 @@ namespace WebCore {
|
||
|
class String;
|
||
|
class Image;
|
||
|
class IntRect;
|
||
|
+ class KURL;
|
||
|
|
||
|
/**
|
||
|
* @internal
|
||
|
@@ -65,8 +66,8 @@ namespace WebCore {
|
||
|
// e.g., in the b/f cache or in a background tab).
|
||
|
virtual bool willRenderImage(CachedImage*) { return false; }
|
||
|
|
||
|
- virtual void setCSSStyleSheet(const String& /*URL*/, const String& /*charset*/, const CachedCSSStyleSheet*) { }
|
||
|
- virtual void setXSLStyleSheet(const String& /*URL*/, const String& /*sheet*/) { }
|
||
|
+ virtual void setCSSStyleSheet(const String& /* href */, const KURL& /* baseURL */, const String& /* charset */, const CachedCSSStyleSheet*) { }
|
||
|
+ virtual void setXSLStyleSheet(const String& /* href */, const KURL& /* baseURL */, const String& /* sheet */) { }
|
||
|
|
||
|
virtual void fontLoaded(CachedFont*) {};
|
||
|
|
||
|
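Review bot: Changing the parameter lists of the no-op defaults `setCSSStyleSheet` and `setXSLStyleSheet` means a client that still declares the old signature keeps compiling but no longer overrides anything, so it silently stops receiving its sheet. This patch updates the overriders it touches, but any other subclass in this Qt tree is outside this view, so it is worth confirming none remain, for example by building once with `-Woverloaded-virtual` or by grepping for the old two- and three-argument forms. I would also document the contract next to the declarations, since the commented-out parameter names are the only hint: `// href: URL as requested (what script sees); baseURL: final URL after redirects (used for resolving relative URLs).`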
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp
|
||
|
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
|
||
|
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp 2010-05-03 15:55:37.789038977 +0200
|
||
|
@@ -48,7 +48,7 @@ CachedXSLStyleSheet::CachedXSLStyleSheet
|
||
|
void CachedXSLStyleSheet::didAddClient(CachedResourceClient* c)
|
||
|
{
|
||
|
if (!m_loading)
|
||
|
- c->setXSLStyleSheet(m_url, m_sheet);
|
||
|
+ c->setXSLStyleSheet(m_url, m_response.url(), m_sheet);
|
||
|
}
|
||
|
|
||
|
void CachedXSLStyleSheet::setEncoding(const String& chs)
|
||
|
@@ -83,10 +83,9 @@ void CachedXSLStyleSheet::checkNotify()
|
||
|
|
||
|
CachedResourceClientWalker w(m_clients);
|
||
|
while (CachedResourceClient *c = w.next())
|
||
|
- c->setXSLStyleSheet(m_url, m_sheet);
|
||
|
+ c->setXSLStyleSheet(m_url, m_response.url(), m_sheet);
|
||
|
}
|
||
|
|
||
|
-
|
||
|
void CachedXSLStyleSheet::error()
|
||
|
{
|
||
|
m_loading = false;
|
||
|
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp
|
||
|
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
|
||
|
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp 2010-05-03 15:55:37.789038977 +0200
|
||
|
@@ -52,13 +52,13 @@ XSLStyleSheet* XSLImportRule::parentStyl
|
||
|
return (parent() && parent()->isXSLStyleSheet()) ? static_cast<XSLStyleSheet*>(parent()) : 0;
|
||
|
}
|
||
|
|
||
|
-void XSLImportRule::setXSLStyleSheet(const String& url, const String& sheet)
|
||
|
+void XSLImportRule::setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet)
|
||
|
{
|
||
|
if (m_styleSheet)
|
||
|
m_styleSheet->setParent(0);
|
||
|
-
|
||
|
- m_styleSheet = XSLStyleSheet::create(this, url);
|
||
|
-
|
||
|
+
|
||
|
+ m_styleSheet = XSLStyleSheet::create(this, href, baseURL);
|
||
|
+
|
||
|
XSLStyleSheet* parent = parentStyleSheet();
|
||
|
if (parent)
|
||
|
m_styleSheet->setParentStyleSheet(parent);
|
||
|
@@ -87,14 +87,14 @@ void XSLImportRule::loadSheet()
|
||
|
|
||
|
String absHref = m_strHref;
|
||
|
XSLStyleSheet* parentSheet = parentStyleSheet();
|
||
|
- if (!parentSheet->href().isNull())
|
||
|
+ if (!parentSheet->putativeBaseURL().isNull())
|
||
|
// use parent styleheet's URL as the base URL
|
||
|
- absHref = KURL(KURL(ParsedURLString, parentSheet->href()), m_strHref).string();
|
||
|
+ absHref = KURL(parentSheet->putativeBaseURL(), m_strHref).string();
|
||
|
|
||
|
// Check for a cycle in our import chain. If we encounter a stylesheet
|
||
|
// in our parent chain with the same URL, then just bail.
|
||
|
for (parent = this->parent(); parent; parent = parent->parent()) {
|
||
|
- if (parent->isXSLStyleSheet() && absHref == static_cast<XSLStyleSheet*>(parent)->href())
|
||
|
+ if (parent->isXSLStyleSheet() && absHref == static_cast<XSLStyleSheet*>(parent)->putativeBaseURL().string())
|
||
|
return;
|
||
|
}
|
||
|
|
||
|
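Review bot: The cycle check in `loadSheet` now compares `absHref`, a URL that is about to be requested, with each ancestor's `putativeBaseURL()`, which appears to be the ancestor's URL after redirects. If an ancestor was fetched through a redirect, an import that names the ancestor's original URL no longer matches, so the early `return` would not fire where the old `href()` comparison did. `putativeBaseURL()` is defined outside this view, so this needs checking against its definition. Comparing against both values would keep the old guarantee: `if (parent->isXSLStyleSheet() && (absHref == sheet->href() || absHref == sheet->putativeBaseURL().string()))`, with `sheet` being the cast parent. The body of `loadSheet` starts and ends outside this hunk.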
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h
|
||
|
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
|
||
|
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h 2010-05-03 15:55:37.789981560 +0200
|
||
|
@@ -57,7 +57,7 @@ private:
|
||
|
virtual bool isImportRule() { return true; }
|
||
|
|
||
|
// from CachedResourceClient
|
||
|
- virtual void setXSLStyleSheet(const String& url, const String& sheet);
|
||
|
+ virtual void setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet);
|
||
|
|
||
|
String m_strHref;
|
||
|
RefPtr<XSLStyleSheet> m_styleSheet;
|
||
|
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h
|
||
|
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
|
||
|
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h 2010-05-03 15:55:37.827976887 +0200
|
||
|
@@ -43,18 +43,18 @@ class XSLImportRule;
|
||
|
class XSLStyleSheet : public StyleSheet {
|
||
|
public:
|
||
|
#if !USE(QXMLQUERY)
|
||
|
- static PassRefPtr<XSLStyleSheet> create(XSLImportRule* parentImport, const String& href)
|
||
|
+ static PassRefPtr<XSLStyleSheet> create(XSLImportRule* parentImport, const String& href, const KURL& baseURL)
|
||
|
{
|
||
|
- return adoptRef(new XSLStyleSheet(parentImport, href));
|
||
|
+ return adoptRef(new XSLStyleSheet(parentImport, href, baseURL));
|
||
|
}
|
||
|
#endif
|
||
|
- static PassRefPtr<XSLStyleSheet> create(Node* parentNode, const String& href)
|
||
|
+ static PassRefPtr<XSLStyleSheet> create(Node* parentNode, const String& href, const KURL& baseURL)
|
||
|
{
|
||
|
- return adoptRef(new XSLStyleSheet(parentNode, href, false));
|
||
|
+ return adoptRef(new XSLStyleSheet(parentNode, href, baseURL, false));
|
||
|
}
|
||
|
- static PassRefPtr<XSLStyleSheet> createEmbedded(Node* parentNode, const String& href)
|
||
|
+ static PassRefPtr<XSLStyleSheet> createEmbedded(Node* parentNode, const String& href, const KURL& baseURL)
|
||
|
{
|
||
|
- return adoptRef(new XSLStyleSheet(parentNode, href, true));
|
||
|
+ return adoptRef(new XSLStyleSheet(parentNode, href, baseURL, true));
|
||
|
}
|
||
|
|
||
|
virtual ~XSLStyleSheet();
|
||
|
@@ -90,9 +90,9 @@ public:
|
||
|
bool processed() const { return m_processed; }
|
||
|
|
||
|
private:
|
||
|
- XSLStyleSheet(Node* parentNode, const String& href, bool embedded);
|
||
|
+ XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, bool embedded);
|
||
|
#if !USE(QXMLQUERY)
|
||
|
- XSLStyleSheet(XSLImportRule* parentImport, const String& href);
|
||
|
+ XSLStyleSheet(XSLImportRule* parentImport, const String& href, const KURL& baseURL);
|
||
|
#endif
|
||
|
|
||
|
Document* m_ownerDocument;
|
||
|
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp
|
||
|
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
|
||
|
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp 2010-05-03 15:55:37.837079694 +0200
|
||
|
@@ -55,8 +55,8 @@ SOFT_LINK(libxslt, xsltLoadStylesheetPI,
|
||
|
|
||
|
namespace WebCore {
|
||
|
|
||
|
-XSLStyleSheet::XSLStyleSheet(XSLImportRule* parentRule, const String& href)
|
||
|
- : StyleSheet(parentRule, href)
|
||
|
+XSLStyleSheet::XSLStyleSheet(XSLImportRule* parentRule, const String& href, const KURL& baseURL)
|
||
|
+ : StyleSheet(parentRule, href, baseURL)
|
||
|
, m_ownerDocument(0)
|
||
|
, m_embedded(false)
|
||
|
, m_processed(false) // Child sheets get marked as processed when the libxslt engine has finally seen them.
|
||
|
@@ -66,8 +66,8 @@ XSLStyleSheet::XSLStyleSheet(XSLImportRu
|
||
|
{
|
||
|
}
|
||
|
|
||
|
-XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, bool embedded)
|
||
|
- : StyleSheet(parentNode, href)
|
||
|
+XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, bool embedded)
|
||
|
+ : StyleSheet(parentNode, href, baseURL)
|
||
|
, m_ownerDocument(parentNode->document())
|
||
|
, m_embedded(embedded)
|
||
|
, m_processed(true) // The root sheet starts off processed.
|
||
|
@@ -168,7 +168,7 @@ bool XSLStyleSheet::parseString(const St
|
||
|
}
|
||
|
|
||
|
m_stylesheetDoc = xmlCtxtReadMemory(ctxt, buffer, size,
|
||
|
- href().utf8().data(),
|
||
|
+ putativeBaseURL().string().utf8().data(),
|
||
|
BOMHighByte == 0xFF ? "UTF-16LE" : "UTF-16BE",
|
||
|
XML_PARSE_NOENT | XML_PARSE_DTDATTR | XML_PARSE_NOWARNING | XML_PARSE_NOCDATA);
|
||
|
xmlFreeParserCtxt(ctxt);
|
||
|
@@ -192,7 +192,7 @@ void XSLStyleSheet::loadChildSheets()
|
||
|
if (m_embedded) {
|
||
|
// We have to locate (by ID) the appropriate embedded stylesheet element, so that we can walk the
|
||
|
// import/include list.
|
||
|
- xmlAttrPtr idNode = xmlGetID(document(), (const xmlChar*)(href().utf8().data()));
|
||
|
+ xmlAttrPtr idNode = xmlGetID(document(), (const xmlChar*)(putativeBaseURL().string().utf8().data()));
|
||
|
if (!idNode)
|
||
|
return;
|
||
|
stylesheetRoot = idNode->parent;
|
||
|
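Review bot: The `xmlGetID` lookup for embedded stylesheets used to receive `href()`, and now receives the string form of `putativeBaseURL()`, which is a URL rather than an element ID. The lookup only succeeds if whoever calls `createEmbedded` passes a `baseURL` whose string is exactly the ID of the embedded element. That caller is not in this view, so please confirm it; otherwise `idNode` is null and the embedded sheet's imports are silently skipped. A comment at the call would make the dependency explicit: `// For embedded sheets the base URL is built from the local ID, so its string is the element ID.` `loadChildSheets` continues outside this hunk.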
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp
|
||
|
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
|
||
|
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp 2010-05-03 15:55:37.837977083 +0200
|
||
|
@@ -33,8 +33,8 @@
|
||
|
|
||
|
namespace WebCore {
|
||
|
|
||
|
-XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, bool embedded)
|
||
|
- : StyleSheet(parentNode, href)
|
||
|
+XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, bool embedded)
|
||
|
+ : StyleSheet(parentNode, href, baseURL)
|
||
|
, m_ownerDocument(parentNode->document())
|
||
|
, m_embedded(embedded)
|
||
|
{
|
||
|
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp
|
||
|
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
|
||
|
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp 2010-05-03 15:55:37.837977083 +0200
|
||
|
@@ -226,7 +226,8 @@ static xsltStylesheetPtr xsltStylesheetP
|
||
|
{
|
||
|
if (!cachedStylesheet && stylesheetRootNode) {
|
||
|
cachedStylesheet = XSLStyleSheet::create(stylesheetRootNode->parent() ? stylesheetRootNode->parent() : stylesheetRootNode,
|
||
|
- stylesheetRootNode->document()->url().string());
|
||
|
+ stylesheetRootNode->document()->url().string(),
|
||
|
+ stylesheetRootNode->document()->url()); // FIXME: Should we use baseURL here?
|
||
|
cachedStylesheet->parseString(createMarkup(stylesheetRootNode));
|
||
|
}
|
||
|
|
||
|
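Review bot: The added `// FIXME: Should we use baseURL here?` leaves undecided which URL relative imports resolve against for a stylesheet supplied through the XSLTProcessor API. The same open question is added in `transformToString` in XSLTProcessorQt.cpp. Both sites pass `document()->url()` as href and as base, which ignores any base the document declares in its markup. If that is deliberate, I would state the decision instead of the question, e.g. `// Deliberately the document URL, not the document's base URL, so page markup cannot change where imports resolve.` If it is not yet decided, a tracked reference such as `// FIXME(<tracking-id>): decide between url() and the document base URL` keeps it from being forgotten.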
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp
|
||
|
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
|
||
|
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp 2010-05-03 15:55:37.915979873 +0200
|
||
|
@@ -120,7 +120,9 @@ bool XSLTProcessor::transformToString(No
|
||
|
RefPtr<XSLStyleSheet> stylesheet = m_stylesheet;
|
||
|
if (!stylesheet && m_stylesheetRootNode) {
|
||
|
Node* node = m_stylesheetRootNode.get();
|
||
|
- stylesheet = XSLStyleSheet::create(node->parent() ? node->parent() : node, node->document()->url().string());
|
||
|
+ stylesheet = XSLStyleSheet::create(node->parent() ? node->parent() : node,
|
||
|
+ node->document()->url().string(),
|
||
|
+ node->document()->url()); // FIXME: Should we use baseURL here?
|
||
|
stylesheet->parseString(createMarkup(node));
|
||
|
}
|
||
|
|