
Annotation of /trunk/kdelibs/patches/CVE-2007-1564-kdelibs-3.5.6.diff



Revision 144
Tue May 8 20:06:05 2007 UTC (17 years, 1 month ago) by niro
File size: 2835 byte(s)
-import

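--- a/khtml/ecma/kjs_html.cpp
+++ b/khtml/ecma/kjs_html.cpp
@@ -1866,9 +1866,11 @@ Value KJS::HTMLElement::getValueProperty
 getDOMNode(exec, frameElement.contentDocument()) : Undefined();
 case FrameContentWindow: {
 KHTMLPart* part = static_cast<DOM::HTMLFrameElementImpl*>(frameElement.handle())->contentPart();
- if (part)
- return Value(Window::retrieveWindow(part));
- else
+ if (part) {
+ Window *w = Window::retrieveWindow(part);
+ if (w)
+ return Value(w);
+ }
 return Undefined();
 }
 case FrameFrameBorder: return String(frameElement.frameBorder());
@@ -1899,9 +1901,11 @@ Value KJS::HTMLElement::getValueProperty
 getDOMNode(exec, iFrame.contentDocument()) : Undefined();
 case IFrameContentWindow: {
 KHTMLPart* part = static_cast<DOM::HTMLIFrameElementImpl*>(iFrame.handle())->contentPart();
- if (part)
- return Value(Window::retrieveWindow(part));
- else
+ if (part) {
+ Window *w = Window::retrieveWindow(part);
+ if (w)
+ return Value(w);
+ }
 return Undefined();
 }
 case IFrameFrameBorder: return String(iFrame.frameBorder());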
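Review bot: The new `if (w)` guard in the FrameContentWindow case, repeated verbatim in IFrameContentWindow in the second hunk, has no comment saying when `Window::retrieveWindow(part)` can return null for a non-null `part`. Next to `if (part)` it reads as redundant and is easy to drop in a later cleanup, and this getter appears to be reachable from page script, so a null here would be content-triggerable. A one-line comment such as `// retrieveWindow() may return 0 for a valid part; never wrap a null Window in a Value` keeps the intent visible. The two cases could also share one small helper mapping a `KHTMLPart*` to a `Value`, so the frame and iframe checks cannot drift apart. getValueProperty starts and ends outside both hunks.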
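--- a/kioslave/ftp/ftp.cc
+++ b/kioslave/ftp/ftp.cc
@@ -58,6 +58,7 @@
 #include <kmimemagic.h>
 #include <kmimetype.h>
 #include <ksockaddr.h>
+#include <ksocketaddress.h>
 #include <kio/ioslave_defaults.h>
 #include <kio/slaveconfig.h>
 #include <kremoteencoding.h>
@@ -835,7 +836,6 @@ bool Ftp::ftpSendCmd( const QCString& cm
 return true;
 }
 
-
 /*
 * ftpOpenPASVDataConnection - set up data connection, using PASV mode
 *
@@ -853,6 +853,8 @@ int Ftp::ftpOpenPASVDataConnection()
 if (sa != NULL && sa->family() != PF_INET)
 return ERR_INTERNAL; // no PASV for non-PF_INET connections
 
+ const KInetSocketAddress *sin = static_cast<const KInetSocketAddress*>(sa);
+
 if (m_extControl & pasvUnknown)
 return ERR_INTERNAL; // already tried and got "unknown command"
 
@@ -886,14 +888,17 @@ int Ftp::ftpOpenPASVDataConnection()
 }
 
 // Make hostname and port number ...
- QString host;
- host.sprintf("%d.%d.%d.%d", i[0], i[1], i[2], i[3]);
 int port = i[4] << 8 | i[5];
 
+ // we ignore the host part on purpose for two reasons
+ // a) it might be wrong anyway
+ // b) it would make us being suceptible to a port scanning attack
+
 // now connect the data socket ...
 m_data = new FtpSocket("PASV");
- m_data->setAddress(host, port);
- kdDebug(7102) << "Connecting to " << host << " on port " << port << endl;
+ m_data->setAddress(sin->nodeName(), port);
+
+ kdDebug(7102) << "Connecting to " << sin->nodeName() << " on port " << port << endl;
 return m_data->connectSocket(connectTimeout(), false);
 }
 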
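Review bot: `sin` is dereferenced in `m_data->setAddress(sin->nodeName(), port)` and again in the kdDebug line, but the guard above the new cast only returns when `sa != NULL && sa->family() != PF_INET`. A null `sa` therefore passes through and the `static_cast` yields a null `sin`. Where `sa` is assigned is outside the hunks, so this path may be unreachable in practice, but none of the removed lines used `sa` for the connection. Tightening the guard to `if (sa == NULL || sa->family() != PF_INET) return ERR_INTERNAL;` or adding `if (!sin) return ERR_INTERNAL;` right after the cast would close it. Because the host in the PASV reply is now discarded silently, a debug line noting when `i[0]`..`i[3]` differ from the control peer would help spot a server advertising a foreign address.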