diff --git a/qt-everywhere-opensource-src-4.6.2-cve-2010-0047.patch b/qt-everywhere-opensource-src-4.6.2-cve-2010-0047.patch new file mode 100644 index 0000000..e39290c --- /dev/null +++ b/qt-everywhere-opensource-src-4.6.2-cve-2010-0047.patch @@ -0,0 +1,18 @@ +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp.cve-2010-0047-call-after-free qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp.cve-2010-0047-call-after-free 2010-02-11 16:55:19.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp 2010-05-06 12:21:13.852469331 +0200 +@@ -1260,9 +1260,11 @@ bool FrameLoader::requestObject(RenderPa + + ASSERT(renderer->node()->hasTagName(objectTag) || renderer->node()->hasTagName(embedTag)); + HTMLPlugInElement* element = static_cast(renderer->node()); +- +- // FIXME: OK to always make a new frame? When does the old frame get removed? +- return loadSubframe(element, completedURL, frameName, m_outgoingReferrer); ++ ++ // If the plug-in element already contains a subframe, requestFrame will re-use it. Otherwise, ++ // it will create a new frame and set it as the RenderPart's widget, causing what was previously ++ // in the widget to be torn down. ++ return requestFrame(element, completedURL, frameName); + } + + bool FrameLoader::shouldUsePlugin(const KURL& url, const String& mimeType, bool hasFallback, bool& useFallback) diff --git a/qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch b/qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch new file mode 100644 index 0000000..495759d --- /dev/null +++ b/qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch @@ -0,0 +1,782 @@ +diff -U0 qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog 2010-05-03 15:55:37.703101680 +0200 +@@ -0,0 +1,90 @@ ++2010-01-20 Adam Barth ++ ++ Reviewed by Darin Adler. ++ ++ Stylesheet href property shows redirected URL unlike other browsers ++ https://bugs.webkit.org/show_bug.cgi?id=33683 ++ ++ Teach StyleSheet the difference between original and final URLs in ++ redirect chains. Unfortunately, StyleSheet needs to know both of these ++ URLs. The original URL is needed for the href property and the final ++ URL is needed as the baseURL. ++ ++ This change required touching a lot of lines of code because we need to ++ plumb this information to the StyleSheet object. I audited all ++ existing clients of href() and setHref() to see whether they wanted the ++ original or final URLs. I then updated the clients (except the JS ++ bindings themselves) to use the correct accessor. ++ ++ Test: http/tests/security/stylesheet-href-redirect.html ++ ++ * css/CSSImportRule.cpp: ++ (WebCore::CSSImportRule::setCSSStyleSheet): ++ (WebCore::CSSImportRule::insertedIntoParent): ++ * css/CSSImportRule.h: ++ * css/CSSStyleSheet.cpp: ++ (WebCore::CSSStyleSheet::CSSStyleSheet): ++ * css/CSSStyleSheet.h: ++ (WebCore::CSSStyleSheet::create): ++ (WebCore::CSSStyleSheet::createInline): Added a new constructor to deal ++ with "inline" style sheets that don't have a distinct original and ++ final URL. ++ * css/StyleBase.cpp: ++ (WebCore::StyleBase::baseURL): This code wants to use the final URL, ++ not the original URL. Updated it to grab the baseURL directly. ++ * css/StyleSheet.cpp: ++ (WebCore::StyleSheet::StyleSheet): ++ * css/StyleSheet.h: ++ (WebCore::StyleSheet::href): ++ (WebCore::StyleSheet::setBaseURL): This function really just updates ++ the base URL of the style sheet, so I made it more explicit. ++ (WebCore::StyleSheet::putativeBaseURL): We need an accessor for the ++ base URL, but baseURL is already taken. ++ * dom/Document.cpp: ++ (WebCore::Document::updateBaseURL): ++ (WebCore::Document::pageUserSheet): ++ (WebCore::Document::pageGroupUserSheets): ++ (WebCore::Document::elementSheet): ++ (WebCore::Document::mappedElementSheet): ++ * dom/ProcessingInstruction.cpp: ++ (WebCore::ProcessingInstruction::checkStyleSheet): ++ (WebCore::ProcessingInstruction::setCSSStyleSheet): ++ (WebCore::ProcessingInstruction::setXSLStyleSheet): ++ * dom/ProcessingInstruction.h: ++ * dom/StyleElement.cpp: ++ (WebCore::StyleElement::createSheet): ++ * html/HTMLLinkElement.cpp: ++ (WebCore::HTMLLinkElement::setCSSStyleSheet): ++ * html/HTMLLinkElement.h: ++ * loader/CachedCSSStyleSheet.cpp: ++ (WebCore::CachedCSSStyleSheet::didAddClient): ++ (WebCore::CachedCSSStyleSheet::checkNotify): This code now passes both ++ the original and final URL into setCSSStyleSheet so that the style ++ sheet can have both. ++ * loader/CachedResourceClient.h: ++ (WebCore::CachedResourceClient::setCSSStyleSheet): ++ (WebCore::CachedResourceClient::setXSLStyleSheet): ++ * loader/CachedXSLStyleSheet.cpp: ++ (WebCore::CachedXSLStyleSheet::didAddClient): ++ (WebCore::CachedXSLStyleSheet::checkNotify): I don't have any direct ++ evidence that we need to change the XSLStyleSheet behavior, which is ++ why I wasn't able to add a test for the behavior. However, the objects ++ are parallel enough that it seemed like the right thing to do. ++ * xml/XSLImportRule.cpp: ++ (WebCore::XSLImportRule::setXSLStyleSheet): ++ (WebCore::XSLImportRule::loadSheet): ++ * xml/XSLImportRule.h: ++ * xml/XSLStyleSheet.h: ++ (WebCore::XSLStyleSheet::create): ++ (WebCore::XSLStyleSheet::createEmbedded): ++ * xml/XSLStyleSheetLibxslt.cpp: ++ (WebCore::XSLStyleSheet::XSLStyleSheet): ++ (WebCore::XSLStyleSheet::parseString): ++ (WebCore::XSLStyleSheet::loadChildSheets): ++ * xml/XSLStyleSheetQt.cpp: ++ (WebCore::XSLStyleSheet::XSLStyleSheet): ++ * xml/XSLTProcessorLibxslt.cpp: ++ (WebCore::xsltStylesheetPointer): ++ * xml/XSLTProcessorQt.cpp: ++ (WebCore::XSLTProcessor::transformToString): ++ +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.652102626 +0200 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp 2010-05-03 16:49:14.631038884 +0200 +@@ -55,11 +55,11 @@ CSSImportRule::~CSSImportRule() + m_cachedSheet->removeClient(this); + } + +-void CSSImportRule::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet) ++void CSSImportRule::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet) + { + if (m_styleSheet) + m_styleSheet->setParent(0); +- m_styleSheet = CSSStyleSheet::create(this, url, charset); ++ m_styleSheet = CSSStyleSheet::create(this, href, baseURL, charset); + + bool crossOriginCSS = false; + bool validMIMEType = false; +@@ -70,17 +70,17 @@ void CSSImportRule::setCSSStyleSheet(con + String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType); + m_styleSheet->parseString(sheetText, strict); + +- if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(KURL(ParsedURLString, url))) ++ if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(baseURL)) + crossOriginCSS = true; + + if (crossOriginCSS && !validMIMEType && !m_styleSheet->hasSyntacticallyValidCSSHeader()) +- m_styleSheet = CSSStyleSheet::create(this, url, charset); ++ m_styleSheet = CSSStyleSheet::create(this, href, baseURL, charset); + + if (strict && parent && parent->doc() && parent->doc()->settings() && parent->doc()->settings()->needsSiteSpecificQuirks()) { + // Work around . + DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css")); + DEFINE_STATIC_LOCAL(const String, mediaWikiKHTMLFixesStyleSheet, ("/* KHTML fix stylesheet */\n/* work around the horizontal scrollbars */\n#column-content { margin-left: 0; }\n\n")); +- if (url.endsWith(slashKHTMLFixesDotCss) && sheetText == mediaWikiKHTMLFixesStyleSheet) { ++ if (baseURL.string().endsWith(slashKHTMLFixesDotCss) && sheetText == mediaWikiKHTMLFixesStyleSheet) { + ASSERT(m_styleSheet->length() == 1); + ExceptionCode ec; + m_styleSheet->deleteRule(0, ec); +@@ -109,15 +109,16 @@ void CSSImportRule::insertedIntoParent() + return; + + String absHref = m_strHref; +- if (!parentSheet->href().isNull()) ++ if (!parentSheet->putativeBaseURL().isNull()) + // use parent styleheet's URL as the base URL +- absHref = KURL(KURL(ParsedURLString, parentSheet->href()), m_strHref).string(); ++ absHref = KURL(parentSheet->putativeBaseURL(), m_strHref).string(); + + // Check for a cycle in our import chain. If we encounter a stylesheet + // in our parent chain with the same URL, then just bail. + StyleBase* root = this; + for (StyleBase* curr = parent(); curr; curr = curr->parent()) { +- if (curr->isCSSStyleSheet() && absHref == static_cast(curr)->href()) ++ // FIXME: This is wrong if the putativeBaseURL was updated via document::updateBaseURL. ++ if (curr->isCSSStyleSheet() && absHref == static_cast(curr)->putativeBaseURL().string()) + return; + root = curr; + } +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h 2010-05-03 15:55:37.740976769 +0200 +@@ -63,7 +63,7 @@ private: + virtual unsigned short type() const { return IMPORT_RULE; } + + // from CachedResourceClient +- virtual void setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet*); ++ virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet*); + + String m_strHref; + RefPtr m_lstMedia; +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.660977242 +0200 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp 2010-05-03 15:55:37.740976769 +0200 +@@ -33,8 +33,8 @@ + + namespace WebCore { + +-CSSStyleSheet::CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const String& charset) +- : StyleSheet(parentSheet, href) ++CSSStyleSheet::CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const KURL& baseURL, const String& charset) ++ : StyleSheet(parentSheet, href, baseURL) + , m_doc(parentSheet ? parentSheet->doc() : 0) + , m_namespaces(0) + , m_charset(charset) +@@ -45,8 +45,8 @@ CSSStyleSheet::CSSStyleSheet(CSSStyleShe + { + } + +-CSSStyleSheet::CSSStyleSheet(Node* parentNode, const String& href, const String& charset) +- : StyleSheet(parentNode, href) ++CSSStyleSheet::CSSStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, const String& charset) ++ : StyleSheet(parentNode, href, baseURL) + , m_doc(parentNode->document()) + , m_namespaces(0) + , m_charset(charset) +@@ -57,8 +57,8 @@ CSSStyleSheet::CSSStyleSheet(Node* paren + { + } + +-CSSStyleSheet::CSSStyleSheet(CSSRule* ownerRule, const String& href, const String& charset) +- : StyleSheet(ownerRule, href) ++CSSStyleSheet::CSSStyleSheet(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset) ++ : StyleSheet(ownerRule, href, baseURL) + , m_namespaces(0) + , m_charset(charset) + , m_loadCompleted(false) +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.660977242 +0200 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h 2010-05-03 15:55:37.745101706 +0200 +@@ -38,27 +38,31 @@ class CSSStyleSheet : public StyleSheet + public: + static PassRefPtr create() + { +- return adoptRef(new CSSStyleSheet(static_cast(0), String(), String())); ++ return adoptRef(new CSSStyleSheet(static_cast(0), String(), KURL(), String())); + } + static PassRefPtr create(Node* ownerNode) + { +- return adoptRef(new CSSStyleSheet(ownerNode, String(), String())); ++ return adoptRef(new CSSStyleSheet(ownerNode, String(), KURL(), String())); + } +- static PassRefPtr create(Node* ownerNode, const String& href) ++ static PassRefPtr create(Node* ownerNode, const String& href, const KURL& baseURL) + { +- return adoptRef(new CSSStyleSheet(ownerNode, href, String())); ++ return adoptRef(new CSSStyleSheet(ownerNode, href, baseURL, String())); + } +- static PassRefPtr create(Node* ownerNode, const String& href, const String& charset) ++ static PassRefPtr create(Node* ownerNode, const String& href, const KURL& baseURL, const String& charset) + { +- return adoptRef(new CSSStyleSheet(ownerNode, href, charset)); ++ return adoptRef(new CSSStyleSheet(ownerNode, href, baseURL, charset)); + } +- static PassRefPtr create(CSSRule* ownerRule, const String& href, const String& charset) ++ static PassRefPtr create(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset) + { +- return adoptRef(new CSSStyleSheet(ownerRule, href, charset)); ++ return adoptRef(new CSSStyleSheet(ownerRule, href, baseURL, charset)); ++ } ++ static PassRefPtr createInline(Node* ownerNode, const KURL& baseURL) ++ { ++ return adoptRef(new CSSStyleSheet(ownerNode, baseURL.string(), baseURL, String())); + } + + virtual ~CSSStyleSheet(); +- ++ + CSSRule* ownerRule() const; + PassRefPtr cssRules(bool omitCharsetRules = false); + unsigned insertRule(const String& rule, unsigned index, ExceptionCode&); +@@ -72,7 +76,7 @@ public: + + void addNamespace(CSSParser*, const AtomicString& prefix, const AtomicString& uri); + const AtomicString& determineNamespace(const AtomicString& prefix); +- ++ + virtual void styleSheetChanged(); + + virtual bool parseString(const String&, bool strict = true); +@@ -99,10 +103,10 @@ public: + bool hasSyntacticallyValidCSSHeader() const { return m_hasSyntacticallyValidCSSHeader; } + + private: +- CSSStyleSheet(Node* ownerNode, const String& href, const String& charset); +- CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const String& charset); +- CSSStyleSheet(CSSRule* ownerRule, const String& href, const String& charset); +- ++ CSSStyleSheet(Node* ownerNode, const String& href, const KURL& baseURL, const String& charset); ++ CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const KURL& baseURL, const String& charset); ++ CSSStyleSheet(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset); ++ + virtual bool isCSSStyleSheet() const { return true; } + virtual String type() const { return "text/css"; } + +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:20.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp 2010-05-03 15:55:37.757976382 +0200 +@@ -56,9 +56,9 @@ KURL StyleBase::baseURL() const + StyleSheet* sheet = const_cast(this)->stylesheet(); + if (!sheet) + return KURL(); +- if (!sheet->href().isNull()) +- return KURL(ParsedURLString, sheet->href()); +- if (sheet->parent()) ++ if (!sheet->putativeBaseURL().isNull()) ++ return sheet->putativeBaseURL(); ++ if (sheet->parent()) + return sheet->parent()->baseURL(); + if (!sheet->ownerNode()) + return KURL(); +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp 2010-05-03 15:55:37.758976847 +0200 +@@ -26,27 +26,30 @@ + + namespace WebCore { + +-StyleSheet::StyleSheet(StyleSheet* parentSheet, const String& href) ++StyleSheet::StyleSheet(StyleSheet* parentSheet, const String& href, const KURL& baseURL) + : StyleList(parentSheet) + , m_parentNode(0) +- , m_strHref(href) ++ , m_href(href) ++ , m_baseURL(baseURL) + , m_disabled(false) + { + } + + +-StyleSheet::StyleSheet(Node* parentNode, const String& href) ++StyleSheet::StyleSheet(Node* parentNode, const String& href, const KURL& baseURL) + : StyleList(0) + , m_parentNode(parentNode) +- , m_strHref(href) ++ , m_href(href) ++ , m_baseURL(baseURL) + , m_disabled(false) + { + } + +-StyleSheet::StyleSheet(StyleBase* owner, const String& href) ++StyleSheet::StyleSheet(StyleBase* owner, const String& href, const KURL& baseURL) + : StyleList(owner) + , m_parentNode(0) +- , m_strHref(href) ++ , m_href(href) ++ , m_baseURL(baseURL) + , m_disabled(false) + { + } +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h 2010-05-03 15:55:37.758976847 +0200 +@@ -41,8 +41,18 @@ public: + + Node* ownerNode() const { return m_parentNode; } + StyleSheet *parentStyleSheet() const; +- const String& href() const { return m_strHref; } +- void setHref(const String& href) { m_strHref = href; } ++ ++ // Note that href is the URL that started the redirect chain that led to ++ // this style sheet. This property probably isn't useful for much except ++ // the JavaScript binding (which needs to use this value for security). ++ const String& href() const { return m_href; } ++ ++ void setBaseURL(const KURL& baseURL) { m_baseURL = baseURL; } ++ ++ // Notice that this object inherits a baseURL function from StyleBase that ++ // crawls the parent() relation looking for a non-0 putativeBaseURL. ++ const KURL& putativeBaseURL() const { return m_baseURL; } ++ + const String& title() const { return m_strTitle; } + void setTitle(const String& s) { m_strTitle = s; } + MediaList* media() const { return m_media.get(); } +@@ -58,15 +68,16 @@ public: + virtual bool parseString(const String&, bool strict = true) = 0; + + protected: +- StyleSheet(Node* ownerNode, const String& href); +- StyleSheet(StyleSheet* parentSheet, const String& href); +- StyleSheet(StyleBase* owner, const String& href); ++ StyleSheet(Node* ownerNode, const String& href, const KURL& baseURL); ++ StyleSheet(StyleSheet* parentSheet, const String& href, const KURL& baseURL); ++ StyleSheet(StyleBase* owner, const String& href, const KURL& baseURL); + + private: + virtual bool isStyleSheet() const { return true; } + + Node* m_parentNode; +- String m_strHref; ++ String m_href; ++ KURL m_baseURL; + String m_strTitle; + RefPtr m_media; + bool m_disabled; +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp 2010-05-03 15:55:37.760977901 +0200 +@@ -1920,9 +1920,9 @@ void Document::updateBaseURL() + m_baseURL = KURL(); + + if (m_elemSheet) +- m_elemSheet->setHref(m_baseURL.string()); ++ m_elemSheet->setBaseURL(m_baseURL); + if (m_mappedElementSheet) +- m_mappedElementSheet->setHref(m_baseURL.string()); ++ m_mappedElementSheet->setBaseURL(m_baseURL); + } + + String Document::userAgent(const KURL& url) const +@@ -1944,7 +1944,7 @@ CSSStyleSheet* Document::pageUserSheet() + return 0; + + // Parse the sheet and cache it. +- m_pageUserSheet = CSSStyleSheet::create(this, settings()->userStyleSheetLocation()); ++ m_pageUserSheet = CSSStyleSheet::createInline(this, settings()->userStyleSheetLocation()); + m_pageUserSheet->setIsUserStyleSheet(true); + m_pageUserSheet->parseString(userSheetText, !inCompatMode()); + return m_pageUserSheet.get(); +@@ -1979,7 +1979,7 @@ const Vector >* Do + const UserStyleSheet* sheet = sheets->at(i).get(); + if (!UserContentURLPattern::matchesPatterns(url(), sheet->whitelist(), sheet->blacklist())) + continue; +- RefPtr parsedSheet = CSSStyleSheet::create(const_cast(this), sheet->url()); ++ RefPtr parsedSheet = CSSStyleSheet::createInline(const_cast(this), sheet->url()); + parsedSheet->setIsUserStyleSheet(true); + parsedSheet->parseString(sheet->source(), !inCompatMode()); + if (!m_pageGroupUserSheets) +@@ -2001,14 +2001,14 @@ void Document::clearPageGroupUserSheets( + CSSStyleSheet* Document::elementSheet() + { + if (!m_elemSheet) +- m_elemSheet = CSSStyleSheet::create(this, m_baseURL.string()); ++ m_elemSheet = CSSStyleSheet::createInline(this, m_baseURL); + return m_elemSheet.get(); + } + + CSSStyleSheet* Document::mappedElementSheet() + { + if (!m_mappedElementSheet) +- m_mappedElementSheet = CSSStyleSheet::create(this, m_baseURL.string()); ++ m_mappedElementSheet = CSSStyleSheet::createInline(this, m_baseURL); + return m_mappedElementSheet.get(); + } + +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.661976647 +0200 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp 2010-05-03 15:55:37.761977599 +0200 +@@ -138,7 +138,8 @@ void ProcessingInstruction::checkStyleSh + // We need to make a synthetic XSLStyleSheet that is embedded. It needs to be able + // to kick off import/include loads that can hang off some parent sheet. + if (m_isXSL) { +- m_sheet = XSLStyleSheet::createEmbedded(this, m_localHref); ++ KURL baseURL = KURL(ParsedURLString, m_localHref); ++ m_sheet = XSLStyleSheet::createEmbedded(this, m_localHref, baseURL); + m_loading = false; + } + #endif +@@ -196,12 +197,12 @@ bool ProcessingInstruction::sheetLoaded( + return false; + } + +-void ProcessingInstruction::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet) ++void ProcessingInstruction::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet) + { + #if ENABLE(XSLT) + ASSERT(!m_isXSL); + #endif +- RefPtr newSheet = CSSStyleSheet::create(this, url, charset); ++ RefPtr newSheet = CSSStyleSheet::create(this, href, baseURL, charset); + m_sheet = newSheet; + // We don't need the cross-origin security check here because we are + // getting the sheet text in "strict" mode. This enforces a valid CSS MIME +@@ -213,10 +214,10 @@ void ProcessingInstruction::setCSSStyleS + } + + #if ENABLE(XSLT) +-void ProcessingInstruction::setXSLStyleSheet(const String& url, const String& sheet) ++void ProcessingInstruction::setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet) + { + ASSERT(m_isXSL); +- m_sheet = XSLStyleSheet::create(this, url); ++ m_sheet = XSLStyleSheet::create(this, href, baseURL); + parseStyleSheet(sheet); + } + #endif +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h 2010-05-03 15:55:37.761977599 +0200 +@@ -68,9 +68,9 @@ private: + virtual void removedFromDocument(); + + void checkStyleSheet(); +- virtual void setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet*); ++ virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet*); + #if ENABLE(XSLT) +- virtual void setXSLStyleSheet(const String& url, const String& sheet); ++ virtual void setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet); + #endif + + bool isLoading() const; +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp 2010-05-03 15:55:37.762976937 +0200 +@@ -103,7 +103,7 @@ void StyleElement::createSheet(Element* + if (screenEval.eval(mediaList.get()) || printEval.eval(mediaList.get())) { + document->addPendingSheet(); + setLoading(true); +- m_sheet = CSSStyleSheet::create(e, String(), document->inputEncoding()); ++ m_sheet = CSSStyleSheet::create(e, String(), KURL(), document->inputEncoding()); + m_sheet->parseString(text, !document->inCompatMode()); + m_sheet->setMedia(mediaList.get()); + m_sheet->setTitle(e->title()); +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.661976647 +0200 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp 2010-05-03 17:02:45.528101154 +0200 +@@ -253,9 +253,9 @@ void HTMLLinkElement::finishParsingChild + HTMLElement::finishParsingChildren(); + } + +-void HTMLLinkElement::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet) ++void HTMLLinkElement::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet) + { +- m_sheet = CSSStyleSheet::create(this, url, charset); ++ m_sheet = CSSStyleSheet::create(this, href, baseURL, charset); + + bool strictParsing = !document()->inCompatMode(); + bool enforceMIMEType = strictParsing; +@@ -275,11 +275,11 @@ void HTMLLinkElement::setCSSStyleSheet(c + // valid CSS rule. + // This prevents an attacker playing games by injecting CSS strings into + // HTML, XML, JSON, etc. etc. +- if (!document()->securityOrigin()->canRequest(KURL(ParsedURLString, url))) ++ if (!document()->securityOrigin()->canRequest(baseURL)) + crossOriginCSS = true; + + if (crossOriginCSS && !validMIMEType && !m_sheet->hasSyntacticallyValidCSSHeader()) +- m_sheet = CSSStyleSheet::create(this, url, charset); ++ m_sheet = CSSStyleSheet::create(this, href, baseURL, charset); + + if (strictParsing && document()->settings() && document()->settings()->needsSiteSpecificQuirks()) { + // Work around . +@@ -287,7 +287,7 @@ void HTMLLinkElement::setCSSStyleSheet(c + DEFINE_STATIC_LOCAL(const String, mediaWikiKHTMLFixesStyleSheet, ("/* KHTML fix stylesheet */\n/* work around the horizontal scrollbars */\n#column-content { margin-left: 0; }\n\n")); + // There are two variants of KHTMLFixes.css. One is equal to mediaWikiKHTMLFixesStyleSheet, + // while the other lacks the second trailing newline. +- if (url.endsWith(slashKHTMLFixesDotCss) && !sheetText.isNull() && mediaWikiKHTMLFixesStyleSheet.startsWith(sheetText) ++ if (baseURL.string().endsWith(slashKHTMLFixesDotCss) && !sheetText.isNull() && mediaWikiKHTMLFixesStyleSheet.startsWith(sheetText) + && sheetText.length() >= mediaWikiKHTMLFixesStyleSheet.length() - 1) { + ASSERT(m_sheet->length() == 1); + ExceptionCode ec; +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h 2010-05-03 15:55:37.773083096 +0200 +@@ -79,7 +79,7 @@ public: + virtual void removedFromDocument(); + + // from CachedResourceClient +- virtual void setCSSStyleSheet(const String &url, const String& charset, const CachedCSSStyleSheet* sheet); ++ virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet); + bool isLoading() const; + virtual bool sheetLoaded(); + +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-05-03 15:55:37.661976647 +0200 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp 2010-05-03 15:55:37.774976529 +0200 +@@ -52,9 +52,9 @@ CachedCSSStyleSheet::~CachedCSSStyleShee + void CachedCSSStyleSheet::didAddClient(CachedResourceClient *c) + { + if (!m_loading) +- c->setCSSStyleSheet(m_url, m_decoder->encoding().name(), this); ++ c->setCSSStyleSheet(m_url, m_response.url(), m_decoder->encoding().name(), this); + } +- ++ + void CachedCSSStyleSheet::allClientsRemoved() + { + if (isSafeToMakePurgeable()) +@@ -112,7 +112,7 @@ void CachedCSSStyleSheet::checkNotify() + + CachedResourceClientWalker w(m_clients); + while (CachedResourceClient *c = w.next()) +- c->setCSSStyleSheet(m_response.url().string(), m_decoder->encoding().name(), this); ++ c->setCSSStyleSheet(m_url, m_response.url(), m_decoder->encoding().name(), this); + } + + void CachedCSSStyleSheet::error() +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h 2010-05-03 15:55:37.775976911 +0200 +@@ -42,6 +42,7 @@ namespace WebCore { + class String; + class Image; + class IntRect; ++ class KURL; + + /** + * @internal +@@ -65,8 +66,8 @@ namespace WebCore { + // e.g., in the b/f cache or in a background tab). + virtual bool willRenderImage(CachedImage*) { return false; } + +- virtual void setCSSStyleSheet(const String& /*URL*/, const String& /*charset*/, const CachedCSSStyleSheet*) { } +- virtual void setXSLStyleSheet(const String& /*URL*/, const String& /*sheet*/) { } ++ virtual void setCSSStyleSheet(const String& /* href */, const KURL& /* baseURL */, const String& /* charset */, const CachedCSSStyleSheet*) { } ++ virtual void setXSLStyleSheet(const String& /* href */, const KURL& /* baseURL */, const String& /* sheet */) { } + + virtual void fontLoaded(CachedFont*) {}; + +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:19.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp 2010-05-03 15:55:37.789038977 +0200 +@@ -48,7 +48,7 @@ CachedXSLStyleSheet::CachedXSLStyleSheet + void CachedXSLStyleSheet::didAddClient(CachedResourceClient* c) + { + if (!m_loading) +- c->setXSLStyleSheet(m_url, m_sheet); ++ c->setXSLStyleSheet(m_url, m_response.url(), m_sheet); + } + + void CachedXSLStyleSheet::setEncoding(const String& chs) +@@ -83,10 +83,9 @@ void CachedXSLStyleSheet::checkNotify() + + CachedResourceClientWalker w(m_clients); + while (CachedResourceClient *c = w.next()) +- c->setXSLStyleSheet(m_url, m_sheet); ++ c->setXSLStyleSheet(m_url, m_response.url(), m_sheet); + } + +- + void CachedXSLStyleSheet::error() + { + m_loading = false; +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp 2010-05-03 15:55:37.789038977 +0200 +@@ -52,13 +52,13 @@ XSLStyleSheet* XSLImportRule::parentStyl + return (parent() && parent()->isXSLStyleSheet()) ? static_cast(parent()) : 0; + } + +-void XSLImportRule::setXSLStyleSheet(const String& url, const String& sheet) ++void XSLImportRule::setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet) + { + if (m_styleSheet) + m_styleSheet->setParent(0); +- +- m_styleSheet = XSLStyleSheet::create(this, url); +- ++ ++ m_styleSheet = XSLStyleSheet::create(this, href, baseURL); ++ + XSLStyleSheet* parent = parentStyleSheet(); + if (parent) + m_styleSheet->setParentStyleSheet(parent); +@@ -87,14 +87,14 @@ void XSLImportRule::loadSheet() + + String absHref = m_strHref; + XSLStyleSheet* parentSheet = parentStyleSheet(); +- if (!parentSheet->href().isNull()) ++ if (!parentSheet->putativeBaseURL().isNull()) + // use parent styleheet's URL as the base URL +- absHref = KURL(KURL(ParsedURLString, parentSheet->href()), m_strHref).string(); ++ absHref = KURL(parentSheet->putativeBaseURL(), m_strHref).string(); + + // Check for a cycle in our import chain. If we encounter a stylesheet + // in our parent chain with the same URL, then just bail. + for (parent = this->parent(); parent; parent = parent->parent()) { +- if (parent->isXSLStyleSheet() && absHref == static_cast(parent)->href()) ++ if (parent->isXSLStyleSheet() && absHref == static_cast(parent)->putativeBaseURL().string()) + return; + } + +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h 2010-05-03 15:55:37.789981560 +0200 +@@ -57,7 +57,7 @@ private: + virtual bool isImportRule() { return true; } + + // from CachedResourceClient +- virtual void setXSLStyleSheet(const String& url, const String& sheet); ++ virtual void setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet); + + String m_strHref; + RefPtr m_styleSheet; +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h 2010-05-03 15:55:37.827976887 +0200 +@@ -43,18 +43,18 @@ class XSLImportRule; + class XSLStyleSheet : public StyleSheet { + public: + #if !USE(QXMLQUERY) +- static PassRefPtr create(XSLImportRule* parentImport, const String& href) ++ static PassRefPtr create(XSLImportRule* parentImport, const String& href, const KURL& baseURL) + { +- return adoptRef(new XSLStyleSheet(parentImport, href)); ++ return adoptRef(new XSLStyleSheet(parentImport, href, baseURL)); + } + #endif +- static PassRefPtr create(Node* parentNode, const String& href) ++ static PassRefPtr create(Node* parentNode, const String& href, const KURL& baseURL) + { +- return adoptRef(new XSLStyleSheet(parentNode, href, false)); ++ return adoptRef(new XSLStyleSheet(parentNode, href, baseURL, false)); + } +- static PassRefPtr createEmbedded(Node* parentNode, const String& href) ++ static PassRefPtr createEmbedded(Node* parentNode, const String& href, const KURL& baseURL) + { +- return adoptRef(new XSLStyleSheet(parentNode, href, true)); ++ return adoptRef(new XSLStyleSheet(parentNode, href, baseURL, true)); + } + + virtual ~XSLStyleSheet(); +@@ -90,9 +90,9 @@ public: + bool processed() const { return m_processed; } + + private: +- XSLStyleSheet(Node* parentNode, const String& href, bool embedded); ++ XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, bool embedded); + #if !USE(QXMLQUERY) +- XSLStyleSheet(XSLImportRule* parentImport, const String& href); ++ XSLStyleSheet(XSLImportRule* parentImport, const String& href, const KURL& baseURL); + #endif + + Document* m_ownerDocument; +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp 2010-05-03 15:55:37.837079694 +0200 +@@ -55,8 +55,8 @@ SOFT_LINK(libxslt, xsltLoadStylesheetPI, + + namespace WebCore { + +-XSLStyleSheet::XSLStyleSheet(XSLImportRule* parentRule, const String& href) +- : StyleSheet(parentRule, href) ++XSLStyleSheet::XSLStyleSheet(XSLImportRule* parentRule, const String& href, const KURL& baseURL) ++ : StyleSheet(parentRule, href, baseURL) + , m_ownerDocument(0) + , m_embedded(false) + , m_processed(false) // Child sheets get marked as processed when the libxslt engine has finally seen them. +@@ -66,8 +66,8 @@ XSLStyleSheet::XSLStyleSheet(XSLImportRu + { + } + +-XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, bool embedded) +- : StyleSheet(parentNode, href) ++XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, bool embedded) ++ : StyleSheet(parentNode, href, baseURL) + , m_ownerDocument(parentNode->document()) + , m_embedded(embedded) + , m_processed(true) // The root sheet starts off processed. +@@ -168,7 +168,7 @@ bool XSLStyleSheet::parseString(const St + } + + m_stylesheetDoc = xmlCtxtReadMemory(ctxt, buffer, size, +- href().utf8().data(), ++ putativeBaseURL().string().utf8().data(), + BOMHighByte == 0xFF ? "UTF-16LE" : "UTF-16BE", + XML_PARSE_NOENT | XML_PARSE_DTDATTR | XML_PARSE_NOWARNING | XML_PARSE_NOCDATA); + xmlFreeParserCtxt(ctxt); +@@ -192,7 +192,7 @@ void XSLStyleSheet::loadChildSheets() + if (m_embedded) { + // We have to locate (by ID) the appropriate embedded stylesheet element, so that we can walk the + // import/include list. +- xmlAttrPtr idNode = xmlGetID(document(), (const xmlChar*)(href().utf8().data())); ++ xmlAttrPtr idNode = xmlGetID(document(), (const xmlChar*)(putativeBaseURL().string().utf8().data())); + if (!idNode) + return; + stylesheetRoot = idNode->parent; +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp 2010-05-03 15:55:37.837977083 +0200 +@@ -33,8 +33,8 @@ + + namespace WebCore { + +-XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, bool embedded) +- : StyleSheet(parentNode, href) ++XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, bool embedded) ++ : StyleSheet(parentNode, href, baseURL) + , m_ownerDocument(parentNode->document()) + , m_embedded(embedded) + { +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp 2010-05-03 15:55:37.837977083 +0200 +@@ -226,7 +226,8 @@ static xsltStylesheetPtr xsltStylesheetP + { + if (!cachedStylesheet && stylesheetRootNode) { + cachedStylesheet = XSLStyleSheet::create(stylesheetRootNode->parent() ? stylesheetRootNode->parent() : stylesheetRootNode, +- stylesheetRootNode->document()->url().string()); ++ stylesheetRootNode->document()->url().string(), ++ stylesheetRootNode->document()->url()); // FIXME: Should we use baseURL here? + cachedStylesheet->parseString(createMarkup(stylesheetRootNode)); + } + +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp.cve-2010-0648-stylesheet-redir-leak 2010-02-11 16:55:17.000000000 +0100 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp 2010-05-03 15:55:37.915979873 +0200 +@@ -120,7 +120,9 @@ bool XSLTProcessor::transformToString(No + RefPtr stylesheet = m_stylesheet; + if (!stylesheet && m_stylesheetRootNode) { + Node* node = m_stylesheetRootNode.get(); +- stylesheet = XSLStyleSheet::create(node->parent() ? node->parent() : node, node->document()->url().string()); ++ stylesheet = XSLStyleSheet::create(node->parent() ? node->parent() : node, ++ node->document()->url().string(), ++ node->document()->url()); // FIXME: Should we use baseURL here? + stylesheet->parseString(createMarkup(node)); + } + diff --git a/qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch b/qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch new file mode 100644 index 0000000..b94c380 --- /dev/null +++ b/qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch @@ -0,0 +1,25 @@ +diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp.me qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp +--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp.me 2010-05-06 11:29:24.000000000 +0200 ++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp 2010-05-06 11:43:29.000000000 +0200 +@@ -112,7 +112,11 @@ SecurityOrigin::SecurityOrigin(const KUR + + // By default, only local SecurityOrigins can load local resources. + m_canLoadLocalResources = isLocal(); +- ++ if (m_canLoadLocalResources) { ++ // Directories should never be readable. ++ if (!url.hasPath() || url.path().endsWith("/")) ++ m_noAccess = true; ++ } + if (isDefaultPortForProtocol(m_port, m_protocol)) + m_port = 0; + } +@@ -207,6 +211,8 @@ bool SecurityOrigin::canRequest(const KU + return false; + + RefPtr targetOrigin = SecurityOrigin::create(url); ++ if (targetOrigin->m_noAccess) ++ return false; + + // We call isSameSchemeHostPort here instead of canAccess because we want + // to ignore document.domain effects. diff --git a/qt.spec b/qt.spec index d1759ec..7382552 100644 --- a/qt.spec +++ b/qt.spec @@ -13,7 +13,7 @@ Summary: Qt toolkit Name: qt Epoch: 1 Version: 4.6.2 -Release: 16%{?dist} +Release: 17%{?dist} # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details License: LGPLv2 with exceptions or GPLv3 with exceptions @@ -70,6 +70,9 @@ Patch102: qt-x11-opensource-src-4.5.3-cve-2010-0050-crash-misnested-style-tags.p Patch103: qt-x11-opensource-src-4.5.3-cve-2010-0052-destroyed-input-cached.patch Patch104: qt-everywhere-opensource-src-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch Patch105: qt-everywhere-opensource-src-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch +Patch106: qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch +Patch107: qt-everywhere-opensource-src-4.6.2-cve-2010-0047.patch +Patch108: qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch # kde-qt git patches Patch201: 0001-This-patch-uses-object-name-as-a-fallback-for-window.patch @@ -433,6 +436,9 @@ Qt libraries used for drawing widgets and OpenGL items. %patch103 -p1 -b .cve-2010-0052-destroyed-input-cached %patch104 -p1 -b .cve-2010-0051-lax-css-parsing-cross-domain-theft %patch105 -p1 -b .cve-2010-0054-image-element-pointer-name-getter +%patch106 -p1 -b .cve-2010-0656 +%patch107 -p1 -b .cve-2010-0047 +%patch108 -p1 -b .cve-2010-0648 # kde-qt branch %patch201 -p1 -b .kde-qt-0001 @@ -1042,6 +1048,10 @@ fi %changelog +* Thu May 06 2010 Than Ngo - 4.6.2-17 +- bz#589169, fix multiple flaws in webkit + CVE-2010-0047, CVE-2010-0648, CVE-2010-0656 + * Thu Apr 29 2010 Kevin Kofler - 4.6.2-16 - restore qt-everywhere-opensource-src-4.6.2-cups.patch (#586725)