| author | Jiri Sasek <Jiri.Sasek@Oracle.COM> |
| Tue, 07 Jan 2014 04:04:31 -0800 | |
| branch | s11u1-sru |
| changeset 3010 | 07878573dad3 |
| parent 2471 | b1f0e4a84df6 |
| permissions | -rw-r--r-- |
|
2471
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
1 |
Taken as it's from: |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
2 |
|
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
3 |
http://git.gnome.org/browse/libxslt/commit/?id=ecb6bcb8d1b7e44842edde3929f412d46b40c89f |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
4 |
|
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
5 |
For https://bugzilla.redhat.com/show_bug.cgi?id=684386 |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
6 |
CVE-2011-1202 |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
7 |
|
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
8 |
From ecb6bcb8d1b7e44842edde3929f412d46b40c89f Mon Sep 17 00:00:00 2001 |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
9 |
From: Daniel Veillard <[email protected]> |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
10 |
Date: Tue, 22 Feb 2011 02:14:23 +0000 |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
11 |
Subject: Fix generate-id() to not expose object addresses |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
12 |
|
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
13 |
As pointed out by Chris Evans <[email protected]> it's better |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
14 |
security wise to not expose object addresses directly, use a diff |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
15 |
w.r.t. the document root own address to avoid this |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
16 |
* libxslt/functions.c: fix IDs generation code |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
17 |
--- |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
18 |
diff --git a/libxslt/functions.c b/libxslt/functions.c |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
19 |
index 4720c7a..de962f4 100644 |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
20 |
--- a/libxslt/functions.c |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
21 |
+++ b/libxslt/functions.c |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
22 |
@@ -654,8 +654,9 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs) |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
23 |
void |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
24 |
xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
|
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
25 |
xmlNodePtr cur = NULL; |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
26 |
- unsigned long val; |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
27 |
- xmlChar str[20]; |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
28 |
+ long val; |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
29 |
+ xmlChar str[30]; |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
30 |
+ xmlDocPtr doc; |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
31 |
|
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
32 |
if (nargs == 0) {
|
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
33 |
cur = ctxt->context->node; |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
34 |
@@ -694,9 +695,24 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
|
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
35 |
* Okay this is ugly but should work, use the NodePtr address |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
36 |
* to forge the ID |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
37 |
*/ |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
38 |
- val = (unsigned long)((char *)cur - (char *)0); |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
39 |
- val /= sizeof(xmlNode); |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
40 |
- sprintf((char *)str, "id%ld", val); |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
41 |
+ if (cur->type != XML_NAMESPACE_DECL) |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
42 |
+ doc = cur->doc; |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
43 |
+ else {
|
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
44 |
+ xmlNsPtr ns = (xmlNsPtr) cur; |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
45 |
+ |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
46 |
+ if (ns->context != NULL) |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
47 |
+ doc = ns->context; |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
48 |
+ else |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
49 |
+ doc = ctxt->context->doc; |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
50 |
+ |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
51 |
+ } |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
52 |
+ |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
53 |
+ val = (long)((char *)cur - (char *)doc); |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
54 |
+ if (val >= 0) {
|
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
55 |
+ sprintf((char *)str, "idp%ld", val); |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
56 |
+ } else {
|
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
57 |
+ sprintf((char *)str, "idm%ld", -val); |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
58 |
+ } |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
59 |
valuePush(ctxt, xmlXPathNewString(str)); |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
60 |
} |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
61 |
|
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
62 |
-- |
|
b1f0e4a84df6
15807903 problem in LIBRARY/LIBXSLT
Petr Sumbera <petr.sumbera@oracle.com>
parents:
diff
changeset
|
63 |
cgit v0.9.0.2 |