[67130] trunk/dports/kde/kdelibs3
takanori at macports.org
takanori at macports.org
Thu Apr 29 19:07:03 PDT 2010
Revision: 67130
http://trac.macports.org/changeset/67130
Author: takanori at macports.org
Date: 2010-04-29 19:07:01 -0700 (Thu, 29 Apr 2010)
Log Message:
-----------
kdelibs3:
- fixed XMLHttpRequest vulnerability and kioslave input validation issues
http://www.kde.org/info/security/advisory-20091027-1.txt
Modified Paths:
--------------
trunk/dports/kde/kdelibs3/Portfile
Added Paths:
-----------
trunk/dports/kde/kdelibs3/files/oCERT-2009-015.patch
Modified: trunk/dports/kde/kdelibs3/Portfile
===================================================================
--- trunk/dports/kde/kdelibs3/Portfile 2010-04-30 02:04:41 UTC (rev 67129)
+++ trunk/dports/kde/kdelibs3/Portfile 2010-04-30 02:07:01 UTC (rev 67130)
@@ -6,7 +6,7 @@
name kdelibs3
version 3.5.10
-revision 6
+revision 7
set kdeadmin kde-admindir-1502
categories kde kde3
maintainers nomaintainer
@@ -81,7 +81,8 @@
macports-x11.patch \
patch-kio_misc_kpac_configure.in.in.diff \
patch-kio_misc_kpac_discovery.cpp.diff \
- patch_kinit_lnusertemp.c.diff
+ patch_kinit_lnusertemp.c.diff \
+ oCERT-2009-015.patch
patch {
foreach f $patchfiles {
Added: trunk/dports/kde/kdelibs3/files/oCERT-2009-015.patch
===================================================================
--- trunk/dports/kde/kdelibs3/files/oCERT-2009-015.patch (rev 0)
+++ trunk/dports/kde/kdelibs3/files/oCERT-2009-015.patch 2010-04-30 02:07:01 UTC (rev 67130)
@@ -0,0 +1,42 @@
+--- kdelibs-3.5.10/khtml/ecma/xmlhttprequest.cpp.orig 2007-10-08 18:52:07.000000000 +0900
++++ kdelibs-3.5.10/khtml/ecma/xmlhttprequest.cpp 2010-04-30 10:16:24.000000000 +0900
+@@ -342,16 +342,16 @@
+ {
+ aborted = false;
+
+- if (method == "post") {
+- QString protocol = url.protocol().lower();
++ const QString protocol = url.protocol().lower();
++ // Abandon the request when the protocol is other than "http",
++ // instead of blindly doing a KIO::get on other protocols like file:/.
++ if (!protocol.startsWith("http") && !protocol.startsWith("webdav"))
++ {
++ abort();
++ return;
++ }
+
+- // Abondon the request when the protocol is other than "http",
+- // instead of blindly changing it to a "get" request.
+- if (!protocol.startsWith("http") && !protocol.startsWith("webdav"))
+- {
+- abort();
+- return;
+- }
++ if (method == "post") {
+
+ // FIXME: determine post encoding correctly by looking in headers
+ // for charset.
+@@ -763,11 +763,11 @@
+ if (obj.isValid() && obj.inherits(&DOMDocument::info)) {
+ DOM::Node docNode = static_cast<KJS::DOMDocument *>(obj.imp())->toNode();
+ DOM::DocumentImpl *doc = static_cast<DOM::DocumentImpl *>(docNode.handle());
+-
++
+ try {
+ body = doc->toString().string();
+ // FIXME: also need to set content type, including encoding!
+-
++
+ } catch(DOM::DOMException& e) {
+ Object err = Error::create(exec, GeneralError, "Exception serializing document");
+ exec->setException(err);
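Review bot: The log message says the commit also fixes kioslave input validation issues, but the added oCERT-2009-015.patch only touches khtml/ecma/xmlhttprequest.cpp (two hunks, the second of which is whitespace-only), so the kioslave part of the referenced advisory is not covered by this patchfile unless it already lives in another entry of the patchfiles list. The XMLHttpRequest change itself is sound: hoisting the protocol check above `if (method == "post")` makes it apply to every request method instead of POST alone, which is what the advisory calls for. Note that `!protocol.startsWith("http") && !protocol.startsWith("webdav")` is a prefix test, so it admits any scheme name beginning with `http` or `webdav`, not only http/https/webdav/webdavs; that is unchanged upstream logic, but a comment such as `// prefix match: accepts http(s) and webdav(s)` next to the check would make the intent explicit. The enclosing function starts before the first inner hunk, so its signature is not visible here.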