kdelibs/patches/CVE-2007-1564-kdelibs-3.5.6.diff

--- khtml/ecma/kjs_html.cpp
+++ khtml/ecma/kjs_html.cpp
@@ -1866,9 +1866,11 @@ Value KJS::HTMLElement::getValueProperty
 				      getDOMNode(exec, frameElement.contentDocument()) : Undefined();
     case FrameContentWindow:   {
         KHTMLPart* part = static_cast<DOM::HTMLFrameElementImpl*>(frameElement.handle())->contentPart();
-        if (part)
-            return Value(Window::retrieveWindow(part));
-        else
+        if (part) {
+          Window *w = Window::retrieveWindow(part);
+          if (w)
+            return Value(w);
+        }
             return Undefined();
     }
     case FrameFrameBorder:     return String(frameElement.frameBorder());
@@ -1899,9 +1901,11 @@ Value KJS::HTMLElement::getValueProperty
 				       getDOMNode(exec, iFrame.contentDocument()) : Undefined();
     case IFrameContentWindow:       {
         KHTMLPart* part = static_cast<DOM::HTMLIFrameElementImpl*>(iFrame.handle())->contentPart();
-        if (part)
-            return Value(Window::retrieveWindow(part));
-        else
+        if (part) {
+          Window *w = Window::retrieveWindow(part);
+          if (w)
+            return Value(w);
+        }
             return Undefined();
     }
     case IFrameFrameBorder:     return String(iFrame.frameBorder());
--- kioslave/ftp/ftp.cc
+++ kioslave/ftp/ftp.cc
@@ -58,6 +58,7 @@
 #include <kmimemagic.h>
 #include <kmimetype.h>
 #include <ksockaddr.h>
+#include <ksocketaddress.h>
 #include <kio/ioslave_defaults.h>
 #include <kio/slaveconfig.h>
 #include <kremoteencoding.h>
@@ -835,7 +836,6 @@ bool Ftp::ftpSendCmd( const QCString& cm
   return true;
 }
 
-
 /*
  * ftpOpenPASVDataConnection - set up data connection, using PASV mode
  *
@@ -853,6 +853,8 @@ int Ftp::ftpOpenPASVDataConnection()
   if (sa != NULL && sa->family() != PF_INET)
     return ERR_INTERNAL;       // no PASV for non-PF_INET connections
 
+  const KInetSocketAddress *sin = static_cast<const KInetSocketAddress*>(sa);
+
   if (m_extControl & pasvUnknown)
     return ERR_INTERNAL;       // already tried and got "unknown command"
 
@@ -886,14 +888,17 @@ int Ftp::ftpOpenPASVDataConnection()
   }
 
   // Make hostname and port number ...
-  QString host;
-  host.sprintf("%d.%d.%d.%d", i[0], i[1], i[2], i[3]);
   int port = i[4] << 8 | i[5];
 
+  // we ignore the host part on purpose for two reasons
+  // a) it might be wrong anyway
+  // b) it would make us being suceptible to a port scanning attack
+
   // now connect the data socket ...
   m_data = new FtpSocket("PASV");
-  m_data->setAddress(host, port);
-  kdDebug(7102) << "Connecting to " << host << " on port " << port << endl;
+  m_data->setAddress(sin->nodeName(), port);
+
+  kdDebug(7102) << "Connecting to " << sin->nodeName() << " on port " << port << endl;
   return m_data->connectSocket(connectTimeout(), false);
 }
 
1	--- khtml/ecma/kjs_html.cpp
2	+++ khtml/ecma/kjs_html.cpp
3	@@ -1866,9 +1866,11 @@ Value KJS::HTMLElement::getValueProperty
4	getDOMNode(exec, frameElement.contentDocument()) : Undefined();
5	case FrameContentWindow: {
6	KHTMLPart* part = static_cast<DOM::HTMLFrameElementImpl*>(frameElement.handle())->contentPart();
7	- if (part)
8	- return Value(Window::retrieveWindow(part));
9	- else
10	+ if (part) {
11	+ Window *w = Window::retrieveWindow(part);
12	+ if (w)
13	+ return Value(w);
14	+ }
15	return Undefined();
16	}
17	case FrameFrameBorder: return String(frameElement.frameBorder());
18	@@ -1899,9 +1901,11 @@ Value KJS::HTMLElement::getValueProperty
19	getDOMNode(exec, iFrame.contentDocument()) : Undefined();
20	case IFrameContentWindow: {
21	KHTMLPart* part = static_cast<DOM::HTMLIFrameElementImpl*>(iFrame.handle())->contentPart();
22	- if (part)
23	- return Value(Window::retrieveWindow(part));
24	- else
25	+ if (part) {
26	+ Window *w = Window::retrieveWindow(part);
27	+ if (w)
28	+ return Value(w);
29	+ }
30	return Undefined();
31	}
32	case IFrameFrameBorder: return String(iFrame.frameBorder());
33	--- kioslave/ftp/ftp.cc
34	+++ kioslave/ftp/ftp.cc
35	@@ -58,6 +58,7 @@
36	#include <kmimemagic.h>
37	#include <kmimetype.h>
38	#include <ksockaddr.h>
39	+#include <ksocketaddress.h>
40	#include <kio/ioslave_defaults.h>
41	#include <kio/slaveconfig.h>
42	#include <kremoteencoding.h>
43	@@ -835,7 +836,6 @@ bool Ftp::ftpSendCmd( const QCString& cm
44	return true;
45	}
46
47	-
48	/*
49	* ftpOpenPASVDataConnection - set up data connection, using PASV mode
50	*
51	@@ -853,6 +853,8 @@ int Ftp::ftpOpenPASVDataConnection()
52	if (sa != NULL && sa->family() != PF_INET)
53	return ERR_INTERNAL; // no PASV for non-PF_INET connections
54
55	+ const KInetSocketAddress sin = static_cast<const KInetSocketAddress>(sa);
56	+
57	if (m_extControl & pasvUnknown)
58	return ERR_INTERNAL; // already tried and got "unknown command"
59
60	@@ -886,14 +888,17 @@ int Ftp::ftpOpenPASVDataConnection()
61	}
62
63	// Make hostname and port number ...
64	- QString host;
65	- host.sprintf("%d.%d.%d.%d", i[0], i[1], i[2], i[3]);
66	int port = i[4] << 8 \| i[5];
67
68	+ // we ignore the host part on purpose for two reasons
69	+ // a) it might be wrong anyway
70	+ // b) it would make us being suceptible to a port scanning attack
71	+
72	// now connect the data socket ...
73	m_data = new FtpSocket("PASV");
74	- m_data->setAddress(host, port);
75	- kdDebug(7102) << "Connecting to " << host << " on port " << port << endl;
76	+ m_data->setAddress(sin->nodeName(), port);
77	+
78	+ kdDebug(7102) << "Connecting to " << sin->nodeName() << " on port " << port << endl;
79	return m_data->connectSocket(connectTimeout(), false);
80	}
81