rpms/kdelibs3/F-11 kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch, NONE, 1.1 kdelibs3.spec, 1.63, 1.64

Lukas Tinkl ltinkl at fedoraproject.org
Mon Nov 2 14:55:22 UTC 2009


Author: ltinkl

Update of /cvs/extras/rpms/kdelibs3/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv3933/F-11

Modified Files:
	kdelibs3.spec 
Added Files:
	kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch 
Log Message:
fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015)


kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch:
 xmlhttprequest.cpp |   22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

--- NEW FILE kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch ---
Index: xmlhttprequest.cpp
===================================================================
--- khtml/ecma/xmlhttprequest.cpp	(revision 954808)
+++ khtml/ecma/xmlhttprequest.cpp	(working copy)
@@ -342,17 +342,17 @@
 {
   aborted = false;
 
+  const QString protocol = url.protocol().lower();
+  // Abandon the request when the protocol is other than "http",
+  // instead of blindly doing a KIO::get on other protocols like file:/.
+  if (!protocol.startsWith("http") && !protocol.startsWith("webdav"))
+  {
+    abort();
+    return;
+  }
+
   if (method == "post") {
-    QString protocol = url.protocol().lower();
 
-    // Abondon the request when the protocol is other than "http",
-    // instead of blindly changing it to a "get" request.
-    if (!protocol.startsWith("http") && !protocol.startsWith("webdav"))
-    {
-      abort();
-      return;
-    }
-
     // FIXME: determine post encoding correctly by looking in headers
     // for charset.
     QByteArray buf;
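Review bot: The scheme allowlist on the new line `if (!protocol.startsWith("http") && !protocol.startsWith("webdav"))` is a prefix match, so any KIO scheme whose name merely begins with `http` or `webdav` is let through, not only the schemes the comment names. An exact comparison is both tighter and self-documenting: `if (protocol != "http" && protocol != "https" && protocol != "webdav" && protocol != "webdavs")`. The test is also applied only to the URL held when send() runs; if the transfer can later be redirected to a different scheme, that redirect path (outside this hunk) would need the same check — worth confirming rather than assuming. The enclosing function begins before and continues past the hunk.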
@@ -763,11 +763,11 @@
         if (obj.isValid() && obj.inherits(&DOMDocument::info)) {
           DOM::Node docNode = static_cast<KJS::DOMDocument *>(obj.imp())->toNode();
           DOM::DocumentImpl *doc = static_cast<DOM::DocumentImpl *>(docNode.handle());
-          
+
           try {
             body = doc->toString().string();
             // FIXME: also need to set content type, including encoding!
-  
+
           } catch(DOM::DOMException& e) {
             Object err = Error::create(exec, GeneralError, "Exception serializing document");
             exec->setException(err);


Index: kdelibs3.spec
===================================================================
RCS file: /cvs/extras/rpms/kdelibs3/F-11/kdelibs3.spec,v
retrieving revision 1.63
retrieving revision 1.64
diff -u -p -r1.63 -r1.64
--- kdelibs3.spec	6 Sep 2009 02:53:36 -0000	1.63
+++ kdelibs3.spec	2 Nov 2009 14:55:21 -0000	1.64
@@ -36,7 +36,7 @@
 
 Summary: K Desktop Environment 3 - Libraries
 Version: 3.5.10
-Release: 13%{?dist}.1
+Release: 14%{?dist}
 
 %if 0%{?fedora} > 8
 Name: kdelibs3
@@ -110,6 +110,8 @@ Patch203: kdelibs-3.5.4-CVE-2009-1690.pa
 Patch204: kdelibs-3.5.10-cve-2009-1698.patch
 # fix CVE-2009-2702 - ssl incorrect verification of SSL certificate with NUL in subjectAltName
 Patch205: kdelibs-3.5.10-CVE-2009-2702.patch
+# fix oCERT-2009-015 - unrestricted XMLHttpRequest access to local URLs
+Patch206: kdelibs-3.5.10-oCERT-2009-015-xmlhttprequest.patch
 
 #{?arts:Requires: arts >= %{arts_ev}}
 #Requires: %{qt3} >= %{qt3_ev}
@@ -292,6 +294,7 @@ format for easy browsing
 %patch203 -p1 -b .cve-2009-1690
 %patch204 -p1 -b .cve-2009-1698
 %patch205 -p1 -b .cve-2009-2702
+%patch206 -p0 -b .oCERT-2009-015-xmlhttprequest
 
 sed -i -e "s,^#define KDE_VERSION_STRING .*,#define KDE_VERSION_STRING \"%{version}-%{release} %{distname}\"," kdecore/kdeversion.h
 
@@ -643,6 +646,9 @@ touch --no-create %{_datadir}/icons/crys
 
 
 %changelog
+* Mon Nov  2 2009 Lukáš Tinkl <ltinkl at redhat.com> - 3.5.10-14
+- fix unrestricted XMLHttpRequest access to local URLs (oCERT-2009-015), #532428
+
 * Sun Sep 06 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> - 3.5.10-13.1
 - fix for CVE-2009-2702
 



