- bz#589169, fix multiple flaws in webkit CVE-2010-0047, CVE-2010-0648,
CVE-2010-0656
This commit is contained in:
parent
939958921d
commit
56ed00d163
18
qt-everywhere-opensource-src-4.6.2-cve-2010-0047.patch
Normal file
18
qt-everywhere-opensource-src-4.6.2-cve-2010-0047.patch
Normal file
@ -0,0 +1,18 @@
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp.cve-2010-0047-call-after-free qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp.cve-2010-0047-call-after-free 2010-02-11 16:55:19.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp 2010-05-06 12:21:13.852469331 +0200
|
||||
@@ -1260,9 +1260,11 @@ bool FrameLoader::requestObject(RenderPa
|
||||
|
||||
ASSERT(renderer->node()->hasTagName(objectTag) || renderer->node()->hasTagName(embedTag));
|
||||
HTMLPlugInElement* element = static_cast<HTMLPlugInElement*>(renderer->node());
|
||||
-
|
||||
- // FIXME: OK to always make a new frame? When does the old frame get removed?
|
||||
- return loadSubframe(element, completedURL, frameName, m_outgoingReferrer);
|
||||
+
|
||||
+ // If the plug-in element already contains a subframe, requestFrame will re-use it. Otherwise,
|
||||
+ // it will create a new frame and set it as the RenderPart's widget, causing what was previously
|
||||
+ // in the widget to be torn down.
|
||||
+ return requestFrame(element, completedURL, frameName);
|
||||
}
|
||||
|
||||
bool FrameLoader::shouldUsePlugin(const KURL& url, const String& mimeType, bool hasFallback, bool& useFallback)
|
782
qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch
Normal file
782
qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch
Normal file
@ -0,0 +1,782 @@
|
||||
diff -U0 qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog 2010-05-03 15:55:37.703101680 +0200
|
||||
@@ -0,0 +1,90 @@
|
||||
+2010-01-20 Adam Barth <abarth@webkit.org>
|
||||
+
|
||||
+ Reviewed by Darin Adler.
|
||||
+
|
||||
+ Stylesheet href property shows redirected URL unlike other browsers
|
||||
+ https://bugs.webkit.org/show_bug.cgi?id=33683
|
||||
+
|
||||
+ Teach StyleSheet the difference between original and final URLs in
|
||||
+ redirect chains. Unfortunately, StyleSheet needs to know both of these
|
||||
+ URLs. The original URL is needed for the href property and the final
|
||||
+ URL is needed as the baseURL.
|
||||
+
|
||||
+ This change required touching a lot of lines of code because we need to
|
||||
+ plumb this information to the StyleSheet object. I audited all
|
||||
+ existing clients of href() and setHref() to see whether they wanted the
|
||||
+ original or final URLs. I then updated the clients (except the JS
|
||||
+ bindings themselves) to use the correct accessor.
|
||||
+
|
||||
+ Test: http/tests/security/stylesheet-href-redirect.html
|
||||
+
|
||||
+ * css/CSSImportRule.cpp:
|
||||
+ (WebCore::CSSImportRule::setCSSStyleSheet):
|
||||
+ (WebCore::CSSImportRule::insertedIntoParent):
|
||||
+ * css/CSSImportRule.h:
|
||||
+ * css/CSSStyleSheet.cpp:
|
||||
+ (WebCore::CSSStyleSheet::CSSStyleSheet):
|
||||
+ * css/CSSStyleSheet.h:
|
||||
+ (WebCore::CSSStyleSheet::create):
|
||||
+ (WebCore::CSSStyleSheet::createInline): Added a new constructor to deal
|
||||
+ with "inline" style sheets that don't have a distinct original and
|
||||
+ final URL.
|
||||
+ * css/StyleBase.cpp:
|
||||
+ (WebCore::StyleBase::baseURL): This code wants to use the final URL,
|
||||
+ not the original URL. Updated it to grab the baseURL directly.
|
||||
+ * css/StyleSheet.cpp:
|
||||
+ (WebCore::StyleSheet::StyleSheet):
|
||||
+ * css/StyleSheet.h:
|
||||
+ (WebCore::StyleSheet::href):
|
||||
+ (WebCore::StyleSheet::setBaseURL): This function really just updates
|
||||
+ the base URL of the style sheet, so I made it more explicit.
|
||||
+ (WebCore::StyleSheet::putativeBaseURL): We need an accessor for the
|
||||
+ base URL, but baseURL is already taken.
|
||||
+ * dom/Document.cpp:
|
||||
+ (WebCore::Document::updateBaseURL):
|
||||
+ (WebCore::Document::pageUserSheet):
|
||||
+ (WebCore::Document::pageGroupUserSheets):
|
||||
+ (WebCore::Document::elementSheet):
|
||||
+ (WebCore::Document::mappedElementSheet):
|
||||
+ * dom/ProcessingInstruction.cpp:
|
||||
+ (WebCore::ProcessingInstruction::checkStyleSheet):
|
||||
+ (WebCore::ProcessingInstruction::setCSSStyleSheet):
|
||||
+ (WebCore::ProcessingInstruction::setXSLStyleSheet):
|
||||
+ * dom/ProcessingInstruction.h:
|
||||
+ * dom/StyleElement.cpp:
|
||||
+ (WebCore::StyleElement::createSheet):
|
||||
+ * html/HTMLLinkElement.cpp:
|
||||
+ (WebCore::HTMLLinkElement::setCSSStyleSheet):
|
||||
+ * html/HTMLLinkElement.h:
|
||||
+ * loader/CachedCSSStyleSheet.cpp:
|
||||
+ (WebCore::CachedCSSStyleSheet::didAddClient):
|
||||
+ (WebCore::CachedCSSStyleSheet::checkNotify): This code now passes both
|
||||
+ the original and final URL into setCSSStyleSheet so that the style
|
||||
+ sheet can have both.
|
||||
+ * loader/CachedResourceClient.h:
|
||||
+ (WebCore::CachedResourceClient::setCSSStyleSheet):
|
||||
+ (WebCore::CachedResourceClient::setXSLStyleSheet):
|
||||
+ * loader/CachedXSLStyleSheet.cpp:
|
||||
+ (WebCore::CachedXSLStyleSheet::didAddClient):
|
||||
+ (WebCore::CachedXSLStyleSheet::checkNotify): I don't have any direct
|
||||
+ evidence that we need to change the XSLStyleSheet behavior, which is
|
||||
+ why I wasn't able to add a test for the behavior. However, the objects
|
||||
+ are parallel enough that it seemed like the right thing to do.
|
||||
+ * xml/XSLImportRule.cpp:
|
||||
+ (WebCore::XSLImportRule::setXSLStyleSheet):
|
||||
+ (WebCore::XSLImportRule::loadSheet):
|
||||
+ * xml/XSLImportRule.h:
|
||||
+ * xml/XSLStyleSheet.h:
|
||||
+ (WebCore::XSLStyleSheet::create):
|
||||
+ (WebCore::XSLStyleSheet::createEmbedded):
|
||||
+ * xml/XSLStyleSheetLibxslt.cpp:
|
||||
+ (WebCore::XSLStyleSheet::XSLStyleSheet):
|
||||
+ (WebCore::XSLStyleSheet::parseString):
|
||||
+ (WebCore::XSLStyleSheet::loadChildSheets):
|
||||
+ * xml/XSLStyleSheetQt.cpp:
|
||||
+ (WebCore::XSLStyleSheet::XSLStyleSheet):
|
||||
+ * xml/XSLTProcessorLibxslt.cpp:
|
||||
+ (WebCore::xsltStylesheetPointer):
|
||||
+ * xml/XSLTProcessorQt.cpp:
|
||||
+ (WebCore::XSLTProcessor::transformToString):
|
||||
+
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.652102626 +0200
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp 2010-05-03 16:49:14.631038884 +0200
|
||||
@@ -55,11 +55,11 @@ CSSImportRule::~CSSImportRule()
|
||||
m_cachedSheet->removeClient(this);
|
||||
}
|
||||
|
||||
-void CSSImportRule::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet)
|
||||
+void CSSImportRule::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet)
|
||||
{
|
||||
if (m_styleSheet)
|
||||
m_styleSheet->setParent(0);
|
||||
- m_styleSheet = CSSStyleSheet::create(this, url, charset);
|
||||
+ m_styleSheet = CSSStyleSheet::create(this, href, baseURL, charset);
|
||||
|
||||
bool crossOriginCSS = false;
|
||||
bool validMIMEType = false;
|
||||
@@ -70,17 +70,17 @@ void CSSImportRule::setCSSStyleSheet(con
|
||||
String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType);
|
||||
m_styleSheet->parseString(sheetText, strict);
|
||||
|
||||
- if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
|
||||
+ if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(baseURL))
|
||||
crossOriginCSS = true;
|
||||
|
||||
if (crossOriginCSS && !validMIMEType && !m_styleSheet->hasSyntacticallyValidCSSHeader())
|
||||
- m_styleSheet = CSSStyleSheet::create(this, url, charset);
|
||||
+ m_styleSheet = CSSStyleSheet::create(this, href, baseURL, charset);
|
||||
|
||||
if (strict && parent && parent->doc() && parent->doc()->settings() && parent->doc()->settings()->needsSiteSpecificQuirks()) {
|
||||
// Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
|
||||
DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css"));
|
||||
DEFINE_STATIC_LOCAL(const String, mediaWikiKHTMLFixesStyleSheet, ("/* KHTML fix stylesheet */\n/* work around the horizontal scrollbars */\n#column-content { margin-left: 0; }\n\n"));
|
||||
- if (url.endsWith(slashKHTMLFixesDotCss) && sheetText == mediaWikiKHTMLFixesStyleSheet) {
|
||||
+ if (baseURL.string().endsWith(slashKHTMLFixesDotCss) && sheetText == mediaWikiKHTMLFixesStyleSheet) {
|
||||
ASSERT(m_styleSheet->length() == 1);
|
||||
ExceptionCode ec;
|
||||
m_styleSheet->deleteRule(0, ec);
|
||||
@@ -109,15 +109,16 @@ void CSSImportRule::insertedIntoParent()
|
||||
return;
|
||||
|
||||
String absHref = m_strHref;
|
||||
- if (!parentSheet->href().isNull())
|
||||
+ if (!parentSheet->putativeBaseURL().isNull())
|
||||
// use parent styleheet's URL as the base URL
|
||||
- absHref = KURL(KURL(ParsedURLString, parentSheet->href()), m_strHref).string();
|
||||
+ absHref = KURL(parentSheet->putativeBaseURL(), m_strHref).string();
|
||||
|
||||
// Check for a cycle in our import chain. If we encounter a stylesheet
|
||||
// in our parent chain with the same URL, then just bail.
|
||||
StyleBase* root = this;
|
||||
for (StyleBase* curr = parent(); curr; curr = curr->parent()) {
|
||||
- if (curr->isCSSStyleSheet() && absHref == static_cast<CSSStyleSheet*>(curr)->href())
|
||||
+ // FIXME: This is wrong if the putativeBaseURL was updated via document::updateBaseURL.
|
||||
+ if (curr->isCSSStyleSheet() && absHref == static_cast<CSSStyleSheet*>(curr)->putativeBaseURL().string())
|
||||
return;
|
||||
root = curr;
|
||||
}
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h 2010-05-03 15:55:37.740976769 +0200
|
||||
@@ -63,7 +63,7 @@ private:
|
||||
virtual unsigned short type() const { return IMPORT_RULE; }
|
||||
|
||||
// from CachedResourceClient
|
||||
- virtual void setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet*);
|
||||
+ virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet*);
|
||||
|
||||
String m_strHref;
|
||||
RefPtr<MediaList> m_lstMedia;
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.660977242 +0200
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp 2010-05-03 15:55:37.740976769 +0200
|
||||
@@ -33,8 +33,8 @@
|
||||
|
||||
namespace WebCore {
|
||||
|
||||
-CSSStyleSheet::CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const String& charset)
|
||||
- : StyleSheet(parentSheet, href)
|
||||
+CSSStyleSheet::CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const KURL& baseURL, const String& charset)
|
||||
+ : StyleSheet(parentSheet, href, baseURL)
|
||||
, m_doc(parentSheet ? parentSheet->doc() : 0)
|
||||
, m_namespaces(0)
|
||||
, m_charset(charset)
|
||||
@@ -45,8 +45,8 @@ CSSStyleSheet::CSSStyleSheet(CSSStyleShe
|
||||
{
|
||||
}
|
||||
|
||||
-CSSStyleSheet::CSSStyleSheet(Node* parentNode, const String& href, const String& charset)
|
||||
- : StyleSheet(parentNode, href)
|
||||
+CSSStyleSheet::CSSStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, const String& charset)
|
||||
+ : StyleSheet(parentNode, href, baseURL)
|
||||
, m_doc(parentNode->document())
|
||||
, m_namespaces(0)
|
||||
, m_charset(charset)
|
||||
@@ -57,8 +57,8 @@ CSSStyleSheet::CSSStyleSheet(Node* paren
|
||||
{
|
||||
}
|
||||
|
||||
-CSSStyleSheet::CSSStyleSheet(CSSRule* ownerRule, const String& href, const String& charset)
|
||||
- : StyleSheet(ownerRule, href)
|
||||
+CSSStyleSheet::CSSStyleSheet(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset)
|
||||
+ : StyleSheet(ownerRule, href, baseURL)
|
||||
, m_namespaces(0)
|
||||
, m_charset(charset)
|
||||
, m_loadCompleted(false)
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.660977242 +0200
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h 2010-05-03 15:55:37.745101706 +0200
|
||||
@@ -38,27 +38,31 @@ class CSSStyleSheet : public StyleSheet
|
||||
public:
|
||||
static PassRefPtr<CSSStyleSheet> create()
|
||||
{
|
||||
- return adoptRef(new CSSStyleSheet(static_cast<CSSStyleSheet*>(0), String(), String()));
|
||||
+ return adoptRef(new CSSStyleSheet(static_cast<CSSStyleSheet*>(0), String(), KURL(), String()));
|
||||
}
|
||||
static PassRefPtr<CSSStyleSheet> create(Node* ownerNode)
|
||||
{
|
||||
- return adoptRef(new CSSStyleSheet(ownerNode, String(), String()));
|
||||
+ return adoptRef(new CSSStyleSheet(ownerNode, String(), KURL(), String()));
|
||||
}
|
||||
- static PassRefPtr<CSSStyleSheet> create(Node* ownerNode, const String& href)
|
||||
+ static PassRefPtr<CSSStyleSheet> create(Node* ownerNode, const String& href, const KURL& baseURL)
|
||||
{
|
||||
- return adoptRef(new CSSStyleSheet(ownerNode, href, String()));
|
||||
+ return adoptRef(new CSSStyleSheet(ownerNode, href, baseURL, String()));
|
||||
}
|
||||
- static PassRefPtr<CSSStyleSheet> create(Node* ownerNode, const String& href, const String& charset)
|
||||
+ static PassRefPtr<CSSStyleSheet> create(Node* ownerNode, const String& href, const KURL& baseURL, const String& charset)
|
||||
{
|
||||
- return adoptRef(new CSSStyleSheet(ownerNode, href, charset));
|
||||
+ return adoptRef(new CSSStyleSheet(ownerNode, href, baseURL, charset));
|
||||
}
|
||||
- static PassRefPtr<CSSStyleSheet> create(CSSRule* ownerRule, const String& href, const String& charset)
|
||||
+ static PassRefPtr<CSSStyleSheet> create(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset)
|
||||
{
|
||||
- return adoptRef(new CSSStyleSheet(ownerRule, href, charset));
|
||||
+ return adoptRef(new CSSStyleSheet(ownerRule, href, baseURL, charset));
|
||||
+ }
|
||||
+ static PassRefPtr<CSSStyleSheet> createInline(Node* ownerNode, const KURL& baseURL)
|
||||
+ {
|
||||
+ return adoptRef(new CSSStyleSheet(ownerNode, baseURL.string(), baseURL, String()));
|
||||
}
|
||||
|
||||
virtual ~CSSStyleSheet();
|
||||
-
|
||||
+
|
||||
CSSRule* ownerRule() const;
|
||||
PassRefPtr<CSSRuleList> cssRules(bool omitCharsetRules = false);
|
||||
unsigned insertRule(const String& rule, unsigned index, ExceptionCode&);
|
||||
@@ -72,7 +76,7 @@ public:
|
||||
|
||||
void addNamespace(CSSParser*, const AtomicString& prefix, const AtomicString& uri);
|
||||
const AtomicString& determineNamespace(const AtomicString& prefix);
|
||||
-
|
||||
+
|
||||
virtual void styleSheetChanged();
|
||||
|
||||
virtual bool parseString(const String&, bool strict = true);
|
||||
@@ -99,10 +103,10 @@ public:
|
||||
bool hasSyntacticallyValidCSSHeader() const { return m_hasSyntacticallyValidCSSHeader; }
|
||||
|
||||
private:
|
||||
- CSSStyleSheet(Node* ownerNode, const String& href, const String& charset);
|
||||
- CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const String& charset);
|
||||
- CSSStyleSheet(CSSRule* ownerRule, const String& href, const String& charset);
|
||||
-
|
||||
+ CSSStyleSheet(Node* ownerNode, const String& href, const KURL& baseURL, const String& charset);
|
||||
+ CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const KURL& baseURL, const String& charset);
|
||||
+ CSSStyleSheet(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset);
|
||||
+
|
||||
virtual bool isCSSStyleSheet() const { return true; }
|
||||
virtual String type() const { return "text/css"; }
|
||||
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:20.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp 2010-05-03 15:55:37.757976382 +0200
|
||||
@@ -56,9 +56,9 @@ KURL StyleBase::baseURL() const
|
||||
StyleSheet* sheet = const_cast<StyleBase*>(this)->stylesheet();
|
||||
if (!sheet)
|
||||
return KURL();
|
||||
- if (!sheet->href().isNull())
|
||||
- return KURL(ParsedURLString, sheet->href());
|
||||
- if (sheet->parent())
|
||||
+ if (!sheet->putativeBaseURL().isNull())
|
||||
+ return sheet->putativeBaseURL();
|
||||
+ if (sheet->parent())
|
||||
return sheet->parent()->baseURL();
|
||||
if (!sheet->ownerNode())
|
||||
return KURL();
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp 2010-05-03 15:55:37.758976847 +0200
|
||||
@@ -26,27 +26,30 @@
|
||||
|
||||
namespace WebCore {
|
||||
|
||||
-StyleSheet::StyleSheet(StyleSheet* parentSheet, const String& href)
|
||||
+StyleSheet::StyleSheet(StyleSheet* parentSheet, const String& href, const KURL& baseURL)
|
||||
: StyleList(parentSheet)
|
||||
, m_parentNode(0)
|
||||
- , m_strHref(href)
|
||||
+ , m_href(href)
|
||||
+ , m_baseURL(baseURL)
|
||||
, m_disabled(false)
|
||||
{
|
||||
}
|
||||
|
||||
|
||||
-StyleSheet::StyleSheet(Node* parentNode, const String& href)
|
||||
+StyleSheet::StyleSheet(Node* parentNode, const String& href, const KURL& baseURL)
|
||||
: StyleList(0)
|
||||
, m_parentNode(parentNode)
|
||||
- , m_strHref(href)
|
||||
+ , m_href(href)
|
||||
+ , m_baseURL(baseURL)
|
||||
, m_disabled(false)
|
||||
{
|
||||
}
|
||||
|
||||
-StyleSheet::StyleSheet(StyleBase* owner, const String& href)
|
||||
+StyleSheet::StyleSheet(StyleBase* owner, const String& href, const KURL& baseURL)
|
||||
: StyleList(owner)
|
||||
, m_parentNode(0)
|
||||
- , m_strHref(href)
|
||||
+ , m_href(href)
|
||||
+ , m_baseURL(baseURL)
|
||||
, m_disabled(false)
|
||||
{
|
||||
}
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h 2010-05-03 15:55:37.758976847 +0200
|
||||
@@ -41,8 +41,18 @@ public:
|
||||
|
||||
Node* ownerNode() const { return m_parentNode; }
|
||||
StyleSheet *parentStyleSheet() const;
|
||||
- const String& href() const { return m_strHref; }
|
||||
- void setHref(const String& href) { m_strHref = href; }
|
||||
+
|
||||
+ // Note that href is the URL that started the redirect chain that led to
|
||||
+ // this style sheet. This property probably isn't useful for much except
|
||||
+ // the JavaScript binding (which needs to use this value for security).
|
||||
+ const String& href() const { return m_href; }
|
||||
+
|
||||
+ void setBaseURL(const KURL& baseURL) { m_baseURL = baseURL; }
|
||||
+
|
||||
+ // Notice that this object inherits a baseURL function from StyleBase that
|
||||
+ // crawls the parent() relation looking for a non-0 putativeBaseURL.
|
||||
+ const KURL& putativeBaseURL() const { return m_baseURL; }
|
||||
+
|
||||
const String& title() const { return m_strTitle; }
|
||||
void setTitle(const String& s) { m_strTitle = s; }
|
||||
MediaList* media() const { return m_media.get(); }
|
||||
@@ -58,15 +68,16 @@ public:
|
||||
virtual bool parseString(const String&, bool strict = true) = 0;
|
||||
|
||||
protected:
|
||||
- StyleSheet(Node* ownerNode, const String& href);
|
||||
- StyleSheet(StyleSheet* parentSheet, const String& href);
|
||||
- StyleSheet(StyleBase* owner, const String& href);
|
||||
+ StyleSheet(Node* ownerNode, const String& href, const KURL& baseURL);
|
||||
+ StyleSheet(StyleSheet* parentSheet, const String& href, const KURL& baseURL);
|
||||
+ StyleSheet(StyleBase* owner, const String& href, const KURL& baseURL);
|
||||
|
||||
private:
|
||||
virtual bool isStyleSheet() const { return true; }
|
||||
|
||||
Node* m_parentNode;
|
||||
- String m_strHref;
|
||||
+ String m_href;
|
||||
+ KURL m_baseURL;
|
||||
String m_strTitle;
|
||||
RefPtr<MediaList> m_media;
|
||||
bool m_disabled;
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp 2010-05-03 15:55:37.760977901 +0200
|
||||
@@ -1920,9 +1920,9 @@ void Document::updateBaseURL()
|
||||
m_baseURL = KURL();
|
||||
|
||||
if (m_elemSheet)
|
||||
- m_elemSheet->setHref(m_baseURL.string());
|
||||
+ m_elemSheet->setBaseURL(m_baseURL);
|
||||
if (m_mappedElementSheet)
|
||||
- m_mappedElementSheet->setHref(m_baseURL.string());
|
||||
+ m_mappedElementSheet->setBaseURL(m_baseURL);
|
||||
}
|
||||
|
||||
String Document::userAgent(const KURL& url) const
|
||||
@@ -1944,7 +1944,7 @@ CSSStyleSheet* Document::pageUserSheet()
|
||||
return 0;
|
||||
|
||||
// Parse the sheet and cache it.
|
||||
- m_pageUserSheet = CSSStyleSheet::create(this, settings()->userStyleSheetLocation());
|
||||
+ m_pageUserSheet = CSSStyleSheet::createInline(this, settings()->userStyleSheetLocation());
|
||||
m_pageUserSheet->setIsUserStyleSheet(true);
|
||||
m_pageUserSheet->parseString(userSheetText, !inCompatMode());
|
||||
return m_pageUserSheet.get();
|
||||
@@ -1979,7 +1979,7 @@ const Vector<RefPtr<CSSStyleSheet> >* Do
|
||||
const UserStyleSheet* sheet = sheets->at(i).get();
|
||||
if (!UserContentURLPattern::matchesPatterns(url(), sheet->whitelist(), sheet->blacklist()))
|
||||
continue;
|
||||
- RefPtr<CSSStyleSheet> parsedSheet = CSSStyleSheet::create(const_cast<Document*>(this), sheet->url());
|
||||
+ RefPtr<CSSStyleSheet> parsedSheet = CSSStyleSheet::createInline(const_cast<Document*>(this), sheet->url());
|
||||
parsedSheet->setIsUserStyleSheet(true);
|
||||
parsedSheet->parseString(sheet->source(), !inCompatMode());
|
||||
if (!m_pageGroupUserSheets)
|
||||
@@ -2001,14 +2001,14 @@ void Document::clearPageGroupUserSheets(
|
||||
CSSStyleSheet* Document::elementSheet()
|
||||
{
|
||||
if (!m_elemSheet)
|
||||
- m_elemSheet = CSSStyleSheet::create(this, m_baseURL.string());
|
||||
+ m_elemSheet = CSSStyleSheet::createInline(this, m_baseURL);
|
||||
return m_elemSheet.get();
|
||||
}
|
||||
|
||||
CSSStyleSheet* Document::mappedElementSheet()
|
||||
{
|
||||
if (!m_mappedElementSheet)
|
||||
- m_mappedElementSheet = CSSStyleSheet::create(this, m_baseURL.string());
|
||||
+ m_mappedElementSheet = CSSStyleSheet::createInline(this, m_baseURL);
|
||||
return m_mappedElementSheet.get();
|
||||
}
|
||||
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.661976647 +0200
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp 2010-05-03 15:55:37.761977599 +0200
|
||||
@@ -138,7 +138,8 @@ void ProcessingInstruction::checkStyleSh
|
||||
// We need to make a synthetic XSLStyleSheet that is embedded. It needs to be able
|
||||
// to kick off import/include loads that can hang off some parent sheet.
|
||||
if (m_isXSL) {
|
||||
- m_sheet = XSLStyleSheet::createEmbedded(this, m_localHref);
|
||||
+ KURL baseURL = KURL(ParsedURLString, m_localHref);
|
||||
+ m_sheet = XSLStyleSheet::createEmbedded(this, m_localHref, baseURL);
|
||||
m_loading = false;
|
||||
}
|
||||
#endif
|
||||
@@ -196,12 +197,12 @@ bool ProcessingInstruction::sheetLoaded(
|
||||
return false;
|
||||
}
|
||||
|
||||
-void ProcessingInstruction::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet)
|
||||
+void ProcessingInstruction::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet)
|
||||
{
|
||||
#if ENABLE(XSLT)
|
||||
ASSERT(!m_isXSL);
|
||||
#endif
|
||||
- RefPtr<CSSStyleSheet> newSheet = CSSStyleSheet::create(this, url, charset);
|
||||
+ RefPtr<CSSStyleSheet> newSheet = CSSStyleSheet::create(this, href, baseURL, charset);
|
||||
m_sheet = newSheet;
|
||||
// We don't need the cross-origin security check here because we are
|
||||
// getting the sheet text in "strict" mode. This enforces a valid CSS MIME
|
||||
@@ -213,10 +214,10 @@ void ProcessingInstruction::setCSSStyleS
|
||||
}
|
||||
|
||||
#if ENABLE(XSLT)
|
||||
-void ProcessingInstruction::setXSLStyleSheet(const String& url, const String& sheet)
|
||||
+void ProcessingInstruction::setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet)
|
||||
{
|
||||
ASSERT(m_isXSL);
|
||||
- m_sheet = XSLStyleSheet::create(this, url);
|
||||
+ m_sheet = XSLStyleSheet::create(this, href, baseURL);
|
||||
parseStyleSheet(sheet);
|
||||
}
|
||||
#endif
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h 2010-05-03 15:55:37.761977599 +0200
|
||||
@@ -68,9 +68,9 @@ private:
|
||||
virtual void removedFromDocument();
|
||||
|
||||
void checkStyleSheet();
|
||||
- virtual void setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet*);
|
||||
+ virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet*);
|
||||
#if ENABLE(XSLT)
|
||||
- virtual void setXSLStyleSheet(const String& url, const String& sheet);
|
||||
+ virtual void setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet);
|
||||
#endif
|
||||
|
||||
bool isLoading() const;
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp 2010-05-03 15:55:37.762976937 +0200
|
||||
@@ -103,7 +103,7 @@ void StyleElement::createSheet(Element*
|
||||
if (screenEval.eval(mediaList.get()) || printEval.eval(mediaList.get())) {
|
||||
document->addPendingSheet();
|
||||
setLoading(true);
|
||||
- m_sheet = CSSStyleSheet::create(e, String(), document->inputEncoding());
|
||||
+ m_sheet = CSSStyleSheet::create(e, String(), KURL(), document->inputEncoding());
|
||||
m_sheet->parseString(text, !document->inCompatMode());
|
||||
m_sheet->setMedia(mediaList.get());
|
||||
m_sheet->setTitle(e->title());
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.661976647 +0200
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp 2010-05-03 17:02:45.528101154 +0200
|
||||
@@ -253,9 +253,9 @@ void HTMLLinkElement::finishParsingChild
|
||||
HTMLElement::finishParsingChildren();
|
||||
}
|
||||
|
||||
-void HTMLLinkElement::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet)
|
||||
+void HTMLLinkElement::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet)
|
||||
{
|
||||
- m_sheet = CSSStyleSheet::create(this, url, charset);
|
||||
+ m_sheet = CSSStyleSheet::create(this, href, baseURL, charset);
|
||||
|
||||
bool strictParsing = !document()->inCompatMode();
|
||||
bool enforceMIMEType = strictParsing;
|
||||
@@ -275,11 +275,11 @@ void HTMLLinkElement::setCSSStyleSheet(c
|
||||
// valid CSS rule.
|
||||
// This prevents an attacker playing games by injecting CSS strings into
|
||||
// HTML, XML, JSON, etc. etc.
|
||||
- if (!document()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
|
||||
+ if (!document()->securityOrigin()->canRequest(baseURL))
|
||||
crossOriginCSS = true;
|
||||
|
||||
if (crossOriginCSS && !validMIMEType && !m_sheet->hasSyntacticallyValidCSSHeader())
|
||||
- m_sheet = CSSStyleSheet::create(this, url, charset);
|
||||
+ m_sheet = CSSStyleSheet::create(this, href, baseURL, charset);
|
||||
|
||||
if (strictParsing && document()->settings() && document()->settings()->needsSiteSpecificQuirks()) {
|
||||
// Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
|
||||
@@ -287,7 +287,7 @@ void HTMLLinkElement::setCSSStyleSheet(c
|
||||
DEFINE_STATIC_LOCAL(const String, mediaWikiKHTMLFixesStyleSheet, ("/* KHTML fix stylesheet */\n/* work around the horizontal scrollbars */\n#column-content { margin-left: 0; }\n\n"));
|
||||
// There are two variants of KHTMLFixes.css. One is equal to mediaWikiKHTMLFixesStyleSheet,
|
||||
// while the other lacks the second trailing newline.
|
||||
- if (url.endsWith(slashKHTMLFixesDotCss) && !sheetText.isNull() && mediaWikiKHTMLFixesStyleSheet.startsWith(sheetText)
|
||||
+ if (baseURL.string().endsWith(slashKHTMLFixesDotCss) && !sheetText.isNull() && mediaWikiKHTMLFixesStyleSheet.startsWith(sheetText)
|
||||
&& sheetText.length() >= mediaWikiKHTMLFixesStyleSheet.length() - 1) {
|
||||
ASSERT(m_sheet->length() == 1);
|
||||
ExceptionCode ec;
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h 2010-05-03 15:55:37.773083096 +0200
|
||||
@@ -79,7 +79,7 @@ public:
|
||||
virtual void removedFromDocument();
|
||||
|
||||
// from CachedResourceClient
|
||||
- virtual void setCSSStyleSheet(const String &url, const String& charset, const CachedCSSStyleSheet* sheet);
|
||||
+ virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet);
|
||||
bool isLoading() const;
|
||||
virtual bool sheetLoaded();
|
||||
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.661976647 +0200
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp 2010-05-03 15:55:37.774976529 +0200
|
||||
@@ -52,9 +52,9 @@ CachedCSSStyleSheet::~CachedCSSStyleShee
|
||||
void CachedCSSStyleSheet::didAddClient(CachedResourceClient *c)
|
||||
{
|
||||
if (!m_loading)
|
||||
- c->setCSSStyleSheet(m_url, m_decoder->encoding().name(), this);
|
||||
+ c->setCSSStyleSheet(m_url, m_response.url(), m_decoder->encoding().name(), this);
|
||||
}
|
||||
-
|
||||
+
|
||||
void CachedCSSStyleSheet::allClientsRemoved()
|
||||
{
|
||||
if (isSafeToMakePurgeable())
|
||||
@@ -112,7 +112,7 @@ void CachedCSSStyleSheet::checkNotify()
|
||||
|
||||
CachedResourceClientWalker w(m_clients);
|
||||
while (CachedResourceClient *c = w.next())
|
||||
- c->setCSSStyleSheet(m_response.url().string(), m_decoder->encoding().name(), this);
|
||||
+ c->setCSSStyleSheet(m_url, m_response.url(), m_decoder->encoding().name(), this);
|
||||
}
|
||||
|
||||
void CachedCSSStyleSheet::error()
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h 2010-05-03 15:55:37.775976911 +0200
|
||||
@@ -42,6 +42,7 @@ namespace WebCore {
|
||||
class String;
|
||||
class Image;
|
||||
class IntRect;
|
||||
+ class KURL;
|
||||
|
||||
/**
|
||||
* @internal
|
||||
@@ -65,8 +66,8 @@ namespace WebCore {
|
||||
// e.g., in the b/f cache or in a background tab).
|
||||
virtual bool willRenderImage(CachedImage*) { return false; }
|
||||
|
||||
- virtual void setCSSStyleSheet(const String& /*URL*/, const String& /*charset*/, const CachedCSSStyleSheet*) { }
|
||||
- virtual void setXSLStyleSheet(const String& /*URL*/, const String& /*sheet*/) { }
|
||||
+ virtual void setCSSStyleSheet(const String& /* href */, const KURL& /* baseURL */, const String& /* charset */, const CachedCSSStyleSheet*) { }
|
||||
+ virtual void setXSLStyleSheet(const String& /* href */, const KURL& /* baseURL */, const String& /* sheet */) { }
|
||||
|
||||
virtual void fontLoaded(CachedFont*) {};
|
||||
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp 2010-05-03 15:55:37.789038977 +0200
|
||||
@@ -48,7 +48,7 @@ CachedXSLStyleSheet::CachedXSLStyleSheet
|
||||
void CachedXSLStyleSheet::didAddClient(CachedResourceClient* c)
|
||||
{
|
||||
if (!m_loading)
|
||||
- c->setXSLStyleSheet(m_url, m_sheet);
|
||||
+ c->setXSLStyleSheet(m_url, m_response.url(), m_sheet);
|
||||
}
|
||||
|
||||
void CachedXSLStyleSheet::setEncoding(const String& chs)
|
||||
@@ -83,10 +83,9 @@ void CachedXSLStyleSheet::checkNotify()
|
||||
|
||||
CachedResourceClientWalker w(m_clients);
|
||||
while (CachedResourceClient *c = w.next())
|
||||
- c->setXSLStyleSheet(m_url, m_sheet);
|
||||
+ c->setXSLStyleSheet(m_url, m_response.url(), m_sheet);
|
||||
}
|
||||
|
||||
-
|
||||
void CachedXSLStyleSheet::error()
|
||||
{
|
||||
m_loading = false;
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp 2010-05-03 15:55:37.789038977 +0200
|
||||
@@ -52,13 +52,13 @@ XSLStyleSheet* XSLImportRule::parentStyl
|
||||
return (parent() && parent()->isXSLStyleSheet()) ? static_cast<XSLStyleSheet*>(parent()) : 0;
|
||||
}
|
||||
|
||||
-void XSLImportRule::setXSLStyleSheet(const String& url, const String& sheet)
|
||||
+void XSLImportRule::setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet)
|
||||
{
|
||||
if (m_styleSheet)
|
||||
m_styleSheet->setParent(0);
|
||||
-
|
||||
- m_styleSheet = XSLStyleSheet::create(this, url);
|
||||
-
|
||||
+
|
||||
+ m_styleSheet = XSLStyleSheet::create(this, href, baseURL);
|
||||
+
|
||||
XSLStyleSheet* parent = parentStyleSheet();
|
||||
if (parent)
|
||||
m_styleSheet->setParentStyleSheet(parent);
|
||||
@@ -87,14 +87,14 @@ void XSLImportRule::loadSheet()
|
||||
|
||||
String absHref = m_strHref;
|
||||
XSLStyleSheet* parentSheet = parentStyleSheet();
|
||||
- if (!parentSheet->href().isNull())
|
||||
+ if (!parentSheet->putativeBaseURL().isNull())
|
||||
// use parent styleheet's URL as the base URL
|
||||
- absHref = KURL(KURL(ParsedURLString, parentSheet->href()), m_strHref).string();
|
||||
+ absHref = KURL(parentSheet->putativeBaseURL(), m_strHref).string();
|
||||
|
||||
// Check for a cycle in our import chain. If we encounter a stylesheet
|
||||
// in our parent chain with the same URL, then just bail.
|
||||
for (parent = this->parent(); parent; parent = parent->parent()) {
|
||||
- if (parent->isXSLStyleSheet() && absHref == static_cast<XSLStyleSheet*>(parent)->href())
|
||||
+ if (parent->isXSLStyleSheet() && absHref == static_cast<XSLStyleSheet*>(parent)->putativeBaseURL().string())
|
||||
return;
|
||||
}
|
||||
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h 2010-05-03 15:55:37.789981560 +0200
|
||||
@@ -57,7 +57,7 @@ private:
|
||||
virtual bool isImportRule() { return true; }
|
||||
|
||||
// from CachedResourceClient
|
||||
- virtual void setXSLStyleSheet(const String& url, const String& sheet);
|
||||
+ virtual void setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet);
|
||||
|
||||
String m_strHref;
|
||||
RefPtr<XSLStyleSheet> m_styleSheet;
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h 2010-05-03 15:55:37.827976887 +0200
|
||||
@@ -43,18 +43,18 @@ class XSLImportRule;
|
||||
class XSLStyleSheet : public StyleSheet {
|
||||
public:
|
||||
#if !USE(QXMLQUERY)
|
||||
- static PassRefPtr<XSLStyleSheet> create(XSLImportRule* parentImport, const String& href)
|
||||
+ static PassRefPtr<XSLStyleSheet> create(XSLImportRule* parentImport, const String& href, const KURL& baseURL)
|
||||
{
|
||||
- return adoptRef(new XSLStyleSheet(parentImport, href));
|
||||
+ return adoptRef(new XSLStyleSheet(parentImport, href, baseURL));
|
||||
}
|
||||
#endif
|
||||
- static PassRefPtr<XSLStyleSheet> create(Node* parentNode, const String& href)
|
||||
+ static PassRefPtr<XSLStyleSheet> create(Node* parentNode, const String& href, const KURL& baseURL)
|
||||
{
|
||||
- return adoptRef(new XSLStyleSheet(parentNode, href, false));
|
||||
+ return adoptRef(new XSLStyleSheet(parentNode, href, baseURL, false));
|
||||
}
|
||||
- static PassRefPtr<XSLStyleSheet> createEmbedded(Node* parentNode, const String& href)
|
||||
+ static PassRefPtr<XSLStyleSheet> createEmbedded(Node* parentNode, const String& href, const KURL& baseURL)
|
||||
{
|
||||
- return adoptRef(new XSLStyleSheet(parentNode, href, true));
|
||||
+ return adoptRef(new XSLStyleSheet(parentNode, href, baseURL, true));
|
||||
}
|
||||
|
||||
virtual ~XSLStyleSheet();
|
||||
@@ -90,9 +90,9 @@ public:
|
||||
bool processed() const { return m_processed; }
|
||||
|
||||
private:
|
||||
- XSLStyleSheet(Node* parentNode, const String& href, bool embedded);
|
||||
+ XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, bool embedded);
|
||||
#if !USE(QXMLQUERY)
|
||||
- XSLStyleSheet(XSLImportRule* parentImport, const String& href);
|
||||
+ XSLStyleSheet(XSLImportRule* parentImport, const String& href, const KURL& baseURL);
|
||||
#endif
|
||||
|
||||
Document* m_ownerDocument;
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp 2010-05-03 15:55:37.837079694 +0200
|
||||
@@ -55,8 +55,8 @@ SOFT_LINK(libxslt, xsltLoadStylesheetPI,
|
||||
|
||||
namespace WebCore {
|
||||
|
||||
-XSLStyleSheet::XSLStyleSheet(XSLImportRule* parentRule, const String& href)
|
||||
- : StyleSheet(parentRule, href)
|
||||
+XSLStyleSheet::XSLStyleSheet(XSLImportRule* parentRule, const String& href, const KURL& baseURL)
|
||||
+ : StyleSheet(parentRule, href, baseURL)
|
||||
, m_ownerDocument(0)
|
||||
, m_embedded(false)
|
||||
, m_processed(false) // Child sheets get marked as processed when the libxslt engine has finally seen them.
|
||||
@@ -66,8 +66,8 @@ XSLStyleSheet::XSLStyleSheet(XSLImportRu
|
||||
{
|
||||
}
|
||||
|
||||
-XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, bool embedded)
|
||||
- : StyleSheet(parentNode, href)
|
||||
+XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, bool embedded)
|
||||
+ : StyleSheet(parentNode, href, baseURL)
|
||||
, m_ownerDocument(parentNode->document())
|
||||
, m_embedded(embedded)
|
||||
, m_processed(true) // The root sheet starts off processed.
|
||||
@@ -168,7 +168,7 @@ bool XSLStyleSheet::parseString(const St
|
||||
}
|
||||
|
||||
m_stylesheetDoc = xmlCtxtReadMemory(ctxt, buffer, size,
|
||||
- href().utf8().data(),
|
||||
+ putativeBaseURL().string().utf8().data(),
|
||||
BOMHighByte == 0xFF ? "UTF-16LE" : "UTF-16BE",
|
||||
XML_PARSE_NOENT | XML_PARSE_DTDATTR | XML_PARSE_NOWARNING | XML_PARSE_NOCDATA);
|
||||
xmlFreeParserCtxt(ctxt);
|
||||
@@ -192,7 +192,7 @@ void XSLStyleSheet::loadChildSheets()
|
||||
if (m_embedded) {
|
||||
// We have to locate (by ID) the appropriate embedded stylesheet element, so that we can walk the
|
||||
// import/include list.
|
||||
- xmlAttrPtr idNode = xmlGetID(document(), (const xmlChar*)(href().utf8().data()));
|
||||
+ xmlAttrPtr idNode = xmlGetID(document(), (const xmlChar*)(putativeBaseURL().string().utf8().data()));
|
||||
if (!idNode)
|
||||
return;
|
||||
stylesheetRoot = idNode->parent;
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp 2010-05-03 15:55:37.837977083 +0200
|
||||
@@ -33,8 +33,8 @@
|
||||
|
||||
namespace WebCore {
|
||||
|
||||
-XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, bool embedded)
|
||||
- : StyleSheet(parentNode, href)
|
||||
+XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, bool embedded)
|
||||
+ : StyleSheet(parentNode, href, baseURL)
|
||||
, m_ownerDocument(parentNode->document())
|
||||
, m_embedded(embedded)
|
||||
{
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp 2010-05-03 15:55:37.837977083 +0200
|
||||
@@ -226,7 +226,8 @@ static xsltStylesheetPtr xsltStylesheetP
|
||||
{
|
||||
if (!cachedStylesheet && stylesheetRootNode) {
|
||||
cachedStylesheet = XSLStyleSheet::create(stylesheetRootNode->parent() ? stylesheetRootNode->parent() : stylesheetRootNode,
|
||||
- stylesheetRootNode->document()->url().string());
|
||||
+ stylesheetRootNode->document()->url().string(),
|
||||
+ stylesheetRootNode->document()->url()); // FIXME: Should we use baseURL here?
|
||||
cachedStylesheet->parseString(createMarkup(stylesheetRootNode));
|
||||
}
|
||||
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp 2010-05-03 15:55:37.915979873 +0200
|
||||
@@ -120,7 +120,9 @@ bool XSLTProcessor::transformToString(No
|
||||
RefPtr<XSLStyleSheet> stylesheet = m_stylesheet;
|
||||
if (!stylesheet && m_stylesheetRootNode) {
|
||||
Node* node = m_stylesheetRootNode.get();
|
||||
- stylesheet = XSLStyleSheet::create(node->parent() ? node->parent() : node, node->document()->url().string());
|
||||
+ stylesheet = XSLStyleSheet::create(node->parent() ? node->parent() : node,
|
||||
+ node->document()->url().string(),
|
||||
+ node->document()->url()); // FIXME: Should we use baseURL here?
|
||||
stylesheet->parseString(createMarkup(node));
|
||||
}
|
||||
|
25
qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch
Normal file
25
qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch
Normal file
@ -0,0 +1,25 @@
|
||||
diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp.me qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp
|
||||
--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp.me 2010-05-06 11:29:24.000000000 +0200
|
||||
+++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp 2010-05-06 11:43:29.000000000 +0200
|
||||
@@ -112,7 +112,11 @@ SecurityOrigin::SecurityOrigin(const KUR
|
||||
|
||||
// By default, only local SecurityOrigins can load local resources.
|
||||
m_canLoadLocalResources = isLocal();
|
||||
-
|
||||
+ if (m_canLoadLocalResources) {
|
||||
+ // Directories should never be readable.
|
||||
+ if (!url.hasPath() || url.path().endsWith("/"))
|
||||
+ m_noAccess = true;
|
||||
+ }
|
||||
if (isDefaultPortForProtocol(m_port, m_protocol))
|
||||
m_port = 0;
|
||||
}
|
||||
@@ -207,6 +211,8 @@ bool SecurityOrigin::canRequest(const KU
|
||||
return false;
|
||||
|
||||
RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url);
|
||||
+ if (targetOrigin->m_noAccess)
|
||||
+ return false;
|
||||
|
||||
// We call isSameSchemeHostPort here instead of canAccess because we want
|
||||
// to ignore document.domain effects.
|
12
qt.spec
12
qt.spec
@ -13,7 +13,7 @@ Summary: Qt toolkit
|
||||
Name: qt
|
||||
Epoch: 1
|
||||
Version: 4.6.2
|
||||
Release: 16%{?dist}
|
||||
Release: 17%{?dist}
|
||||
|
||||
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
|
||||
License: LGPLv2 with exceptions or GPLv3 with exceptions
|
||||
@ -70,6 +70,9 @@ Patch102: qt-x11-opensource-src-4.5.3-cve-2010-0050-crash-misnested-style-tags.p
|
||||
Patch103: qt-x11-opensource-src-4.5.3-cve-2010-0052-destroyed-input-cached.patch
|
||||
Patch104: qt-everywhere-opensource-src-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch
|
||||
Patch105: qt-everywhere-opensource-src-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch
|
||||
Patch106: qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch
|
||||
Patch107: qt-everywhere-opensource-src-4.6.2-cve-2010-0047.patch
|
||||
Patch108: qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch
|
||||
|
||||
# kde-qt git patches
|
||||
Patch201: 0001-This-patch-uses-object-name-as-a-fallback-for-window.patch
|
||||
@ -433,6 +436,9 @@ Qt libraries used for drawing widgets and OpenGL items.
|
||||
%patch103 -p1 -b .cve-2010-0052-destroyed-input-cached
|
||||
%patch104 -p1 -b .cve-2010-0051-lax-css-parsing-cross-domain-theft
|
||||
%patch105 -p1 -b .cve-2010-0054-image-element-pointer-name-getter
|
||||
%patch106 -p1 -b .cve-2010-0656
|
||||
%patch107 -p1 -b .cve-2010-0047
|
||||
%patch108 -p1 -b .cve-2010-0648
|
||||
|
||||
# kde-qt branch
|
||||
%patch201 -p1 -b .kde-qt-0001
|
||||
@ -1042,6 +1048,10 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu May 06 2010 Than Ngo <than@redhat.com> - 4.6.2-17
|
||||
- bz#589169, fix multiple flaws in webkit
|
||||
CVE-2010-0047, CVE-2010-0648, CVE-2010-0656
|
||||
|
||||
* Thu Apr 29 2010 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.6.2-16
|
||||
- restore qt-everywhere-opensource-src-4.6.2-cups.patch (#586725)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user