Annotation of /trunk/kdelibs/patches/CVE-2007-1564-kdelibs-3.5.6.diff
Revision 144 -
Tue May 8 20:06:05 2007 UTC (17 years, 4 months ago) by niro
File size: 2835 byte(s)
-import
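--- a/khtml/ecma/kjs_html.cpp
+++ b/khtml/ecma/kjs_html.cpp
@@ -1866,9 +1866,11 @@ Value KJS::HTMLElement::getValueProperty
 getDOMNode(exec, frameElement.contentDocument()) : Undefined();
 case FrameContentWindow: {
 KHTMLPart* part = static_cast<DOM::HTMLFrameElementImpl*>(frameElement.handle())->contentPart();
- if (part)
- return Value(Window::retrieveWindow(part));
- else
+ if (part) {
+ Window *w = Window::retrieveWindow(part);
+ if (w)
+ return Value(w);
+ }
 return Undefined();
 }
 case FrameFrameBorder: return String(frameElement.frameBorder());
@@ -1899,9 +1901,11 @@ Value KJS::HTMLElement::getValueProperty
 getDOMNode(exec, iFrame.contentDocument()) : Undefined();
 case IFrameContentWindow: {
 KHTMLPart* part = static_cast<DOM::HTMLIFrameElementImpl*>(iFrame.handle())->contentPart();
- if (part)
- return Value(Window::retrieveWindow(part));
- else
+ if (part) {
+ Window *w = Window::retrieveWindow(part);
+ if (w)
+ return Value(w);
+ }
 return Undefined();
 }
 case IFrameFrameBorder: return String(iFrame.frameBorder());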
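Review bot: Nothing at the two new `if (w)` checks (the `FrameContentWindow` and `IFrameContentWindow` cases) says when `Window::retrieveWindow(part)` returns null, so the guard looks redundant and is easy to fold back into `return Value(Window::retrieveWindow(part));`. A comment at each site such as `// retrieveWindow() can return 0 even for a valid part; never wrap a null Window* in Value` would record the reason. The same five lines are now duplicated in both cases, so a small file-local helper taking the `KHTMLPart*` would keep the two from drifting apart. Other callers that pass the result of `retrieveWindow` straight into `Value()` are not visible in these hunks and may need the same check. `getValueProperty` starts and ends outside both hunks.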
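--- a/kioslave/ftp/ftp.cc
+++ b/kioslave/ftp/ftp.cc
@@ -58,6 +58,7 @@
 #include <kmimemagic.h>
 #include <kmimetype.h>
 #include <ksockaddr.h>
+#include <ksocketaddress.h>
 #include <kio/ioslave_defaults.h>
 #include <kio/slaveconfig.h>
 #include <kremoteencoding.h>
@@ -835,7 +836,6 @@ bool Ftp::ftpSendCmd( const QCString& cm
 return true;
 }
 
-
 /*
 * ftpOpenPASVDataConnection - set up data connection, using PASV mode
 *
@@ -853,6 +853,8 @@ int Ftp::ftpOpenPASVDataConnection()
 if (sa != NULL && sa->family() != PF_INET)
 return ERR_INTERNAL; // no PASV for non-PF_INET connections
 
+ const KInetSocketAddress *sin = static_cast<const KInetSocketAddress*>(sa);
+
 if (m_extControl & pasvUnknown)
 return ERR_INTERNAL; // already tried and got "unknown command"
 
@@ -886,14 +888,17 @@ int Ftp::ftpOpenPASVDataConnection()
 }
 
 // Make hostname and port number ...
- QString host;
- host.sprintf("%d.%d.%d.%d", i[0], i[1], i[2], i[3]);
 int port = i[4] << 8 | i[5];
 
+ // we ignore the host part on purpose for two reasons
+ // a) it might be wrong anyway
+ // b) it would make us being suceptible to a port scanning attack
+
 // now connect the data socket ...
 m_data = new FtpSocket("PASV");
- m_data->setAddress(host, port);
- kdDebug(7102) << "Connecting to " << host << " on port " << port << endl;
+ m_data->setAddress(sin->nodeName(), port);
+
+ kdDebug(7102) << "Connecting to " << sin->nodeName() << " on port " << port << endl;
 return m_data->connectSocket(connectTimeout(), false);
 }
 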
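Review bot: `sin` can be null where the last hunk dereferences it: the guard just above the new cast, `if (sa != NULL && sa->family() != PF_INET)`, lets a null `sa` fall through, and `sin->nodeName()` is then called unconditionally in both `setAddress` and the `kdDebug` line. Before this change a null `sa` appears to have been harmless at this point, because the host string was built from the PASV reply instead. Tightening the guard to `if (sa == NULL || sa->family() != PF_INET) return ERR_INTERNAL;`, or adding `if (!sin) return ERR_INTERNAL;` right after the cast, closes that path. The `static_cast` also relies on a `PF_INET` family always meaning a `KInetSocketAddress` object, which these hunks do not show. `ftpOpenPASVDataConnection` starts outside the hunks, so where `sa` is obtained cannot be checked from here.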