Contents of /trunk/kdelibs/patches/CVE-2007-1564-kdelibs-3.5.6.diff
Revision 144 -
Tue May 8 20:06:05 2007 UTC (17 years, 4 months ago) by niro
File size: 2835 byte(s)
-import
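--- a/khtml/ecma/kjs_html.cpp
+++ b/khtml/ecma/kjs_html.cpp
@@ -1866,9 +1866,11 @@ Value KJS::HTMLElement::getValueProperty
 getDOMNode(exec, frameElement.contentDocument()) : Undefined();
 case FrameContentWindow: {
 KHTMLPart* part = static_cast<DOM::HTMLFrameElementImpl*>(frameElement.handle())->contentPart();
- if (part)
- return Value(Window::retrieveWindow(part));
- else
+ if (part) {
+ Window *w = Window::retrieveWindow(part);
+ if (w)
+ return Value(w);
+ }
 return Undefined();
 }
 case FrameFrameBorder: return String(frameElement.frameBorder());
@@ -1899,9 +1901,11 @@ Value KJS::HTMLElement::getValueProperty
 getDOMNode(exec, iFrame.contentDocument()) : Undefined();
 case IFrameContentWindow: {
 KHTMLPart* part = static_cast<DOM::HTMLIFrameElementImpl*>(iFrame.handle())->contentPart();
- if (part)
- return Value(Window::retrieveWindow(part));
- else
+ if (part) {
+ Window *w = Window::retrieveWindow(part);
+ if (w)
+ return Value(w);
+ }
 return Undefined();
 }
 case IFrameFrameBorder: return String(iFrame.frameBorder());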
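Review bot: The new `if (w)` guard in the FrameContentWindow and IFrameContentWindow cases carries no comment saying when `Window::retrieveWindow(part)` yields a null pointer, so a later reader cannot tell a reachable state from a purely defensive check. I would add above the call, with the condition confirmed against retrieveWindow itself, `// retrieveWindow() can return 0 for this part; return Undefined() rather than wrap a null Window* in a Value`. The same four lines now appear in both cases, so a small file-local helper taking the `KHTMLPart*` would keep the two paths from drifting apart. getValueProperty begins and ends outside these hunks, and other callers of retrieveWindow are not visible here, so they are worth checking for the same unchecked result.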
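--- a/kioslave/ftp/ftp.cc
+++ b/kioslave/ftp/ftp.cc
@@ -58,6 +58,7 @@
 #include <kmimemagic.h>
 #include <kmimetype.h>
 #include <ksockaddr.h>
+#include <ksocketaddress.h>
 #include <kio/ioslave_defaults.h>
 #include <kio/slaveconfig.h>
 #include <kremoteencoding.h>
@@ -835,7 +836,6 @@ bool Ftp::ftpSendCmd( const QCString& cm
 return true;
 }
 
-
 /*
 * ftpOpenPASVDataConnection - set up data connection, using PASV mode
 *
@@ -853,6 +853,8 @@ int Ftp::ftpOpenPASVDataConnection()
 if (sa != NULL && sa->family() != PF_INET)
 return ERR_INTERNAL; // no PASV for non-PF_INET connections
 
+ const KInetSocketAddress *sin = static_cast<const KInetSocketAddress*>(sa);
+
 if (m_extControl & pasvUnknown)
 return ERR_INTERNAL; // already tried and got "unknown command"
 
@@ -886,14 +888,17 @@ int Ftp::ftpOpenPASVDataConnection()
 }
 
 // Make hostname and port number ...
- QString host;
- host.sprintf("%d.%d.%d.%d", i[0], i[1], i[2], i[3]);
 int port = i[4] << 8 | i[5];
 
+ // we ignore the host part on purpose for two reasons
+ // a) it might be wrong anyway
+ // b) it would make us being suceptible to a port scanning attack
+
 // now connect the data socket ...
 m_data = new FtpSocket("PASV");
- m_data->setAddress(host, port);
- kdDebug(7102) << "Connecting to " << host << " on port " << port << endl;
+ m_data->setAddress(sin->nodeName(), port);
+
+ kdDebug(7102) << "Connecting to " << sin->nodeName() << " on port " << port << endl;
 return m_data->connectSocket(connectTimeout(), false);
 }
 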
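Review bot: `sin` can be null when it is dereferenced in `m_data->setAddress(sin->nodeName(), port)` and in the kdDebug line of the last hunk, because the guard just above the new cast, `if (sa != NULL && sa->family() != PF_INET)`, lets `sa == NULL` through. Where `sa` is assigned lies outside the hunks, so whether null is reachable is not visible here, but the guard treats it as possible, and before this change a null `sa` was harmless since the host came from the reply. Rejecting it up front also keeps the `static_cast` valid: `if (sa == NULL || sa->family() != PF_INET) return ERR_INTERNAL;`. Separately, `port` is still built from the server-supplied `i[4] << 8 | i[5]`; the reply parsing is outside the hunk, so if the fields are not already range-checked to 0–255 that check belongs next to this line. The added comment also misspells `susceptible` as `suceptible`.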