components/libxslt/patches/02-libxslt-Fix-generate-id-to-not-expose-object-addresses.patch
       
     1 Taken as is from:
       
     2 
       
     3 http://git.gnome.org/browse/libxslt/commit/?id=ecb6bcb8d1b7e44842edde3929f412d46b40c89f
       
     4 
       
     5 For https://bugzilla.redhat.com/show_bug.cgi?id=684386
       
     6 CVE-2011-1202
       
     7 
       
     8 From ecb6bcb8d1b7e44842edde3929f412d46b40c89f Mon Sep 17 00:00:00 2001
       
     9 From: Daniel Veillard <[email protected]>
       
    10 Date: Tue, 22 Feb 2011 02:14:23 +0000
       
    11 Subject: Fix generate-id() to not expose object addresses
       
    12 
       
    13 As pointed out by Chris Evans <[email protected]> it's better
       
    14 security wise to not expose object addresses directly, use a diff
       
    15 w.r.t. the document root own address to avoid this
       
    16 * libxslt/functions.c: fix IDs generation code
       
    17 ---
       
    18 diff --git a/libxslt/functions.c b/libxslt/functions.c
       
    19 index 4720c7a..de962f4 100644
       
    20 --- a/libxslt/functions.c
       
    21 +++ b/libxslt/functions.c
       
    22 @@ -654,8 +654,9 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
       
    23  void
       
    24  xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
       
    25      xmlNodePtr cur = NULL;
       
    26 -    unsigned long val;
       
    27 -    xmlChar str[20];
       
    28 +    long val;
       
    29 +    xmlChar str[30];
       
    30 +    xmlDocPtr doc;
       
    31  
       
    32      if (nargs == 0) {
       
    33  	cur = ctxt->context->node;
       
    34 @@ -694,9 +695,24 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
       
    35       * Okay this is ugly but should work, use the NodePtr address
       
    36       * to forge the ID
       
    37       */
       
    38 -    val = (unsigned long)((char *)cur - (char *)0);
       
    39 -    val /= sizeof(xmlNode);
       
    40 -    sprintf((char *)str, "id%ld", val);
       
    41 +    if (cur->type != XML_NAMESPACE_DECL)
       
    42 +        doc = cur->doc;
       
    43 +    else {
       
    44 +        xmlNsPtr ns = (xmlNsPtr) cur;
       
    45 +
       
    46 +        if (ns->context != NULL)
       
    47 +            doc = ns->context;
       
    48 +        else
       
    49 +            doc = ctxt->context->doc;
       
    50 +
       
    51 +    }
       
    52 +
       
    53 +    val = (long)((char *)cur - (char *)doc);
       
    54 +    if (val >= 0) {
       
    55 +      sprintf((char *)str, "idp%ld", val);
       
    56 +    } else {
       
    57 +      sprintf((char *)str, "idm%ld", -val);
       
    58 +    }
       
    59      valuePush(ctxt, xmlXPathNewString(str));
       
    60  }
       
    61  
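Review bot: The non-namespace branch `doc = cur->doc;` has no NULL fallback, so any node that reaches this point with an unset `doc` field makes `(char *)cur - (char *)doc` the raw pointer value again, which is exactly what the change is meant to stop exposing; the namespace branch already falls back to `ctxt->context->doc`, and the same guard after the if/else, `if (doc == NULL) doc = ctxt->context->doc;`, would cover both paths (whether such nodes occur in practice is not visible from the hunk). The comment above the block still says the ID is forged from the NodePtr address and should be reworded to say it is now an offset relative to the owning document, since a relative offset still reveals heap layout between the two allocations and readers should know that is the residual exposure. The two `sprintf` calls are unbounded; `str[30]` is wide enough for a signed 64-bit value with the prefix, but `snprintf((char *)str, sizeof(str), "idp%ld", val)` keeps that margin explicit, and subtracting pointers into two different allocations is not defined C, so computing the difference on `uintptr_t` casts of `cur` and `doc` would be the strictly conforming form. The opening of xsltGenerateIdFunction, including the uninitialized `doc` declaration, is in the first hunk, not this one.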
       
    62 --
       
    63 cgit v0.9.0.2