|
1 Taken as is from: |
|
2 |
|
3 http://git.gnome.org/browse/libxslt/commit/?id=ecb6bcb8d1b7e44842edde3929f412d46b40c89f |
|
4 |
|
5 For https://bugzilla.redhat.com/show_bug.cgi?id=684386 |
|
6 CVE-2011-1202 |
|
7 |
|
8 From ecb6bcb8d1b7e44842edde3929f412d46b40c89f Mon Sep 17 00:00:00 2001 |
|
9 From: Daniel Veillard <[email protected]> |
|
10 Date: Tue, 22 Feb 2011 02:14:23 +0000 |
|
11 Subject: Fix generate-id() to not expose object addresses |
|
12 |
|
13 As pointed out by Chris Evans <[email protected]> it's better |
|
14 security wise to not expose object addresses directly, use a diff |
|
15 w.r.t. the document root own address to avoid this |
|
16 * libxslt/functions.c: fix IDs generation code |
|
17 --- |
|
18 diff --git a/libxslt/functions.c b/libxslt/functions.c |
|
19 index 4720c7a..de962f4 100644 |
|
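--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -654,8 +654,9 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
 void
 xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
 xmlNodePtr cur = NULL;
- unsigned long val;
- xmlChar str[20];
+ long val;
+ xmlChar str[30];
+ xmlDocPtr doc;
 
 if (nargs == 0) {
 cur = ctxt->context->node;
@@ -694,9 +695,24 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
 * Okay this is ugly but should work, use the NodePtr address
 * to forge the ID
 */
- val = (unsigned long)((char *)cur - (char *)0);
- val /= sizeof(xmlNode);
- sprintf((char *)str, "id%ld", val);
+ if (cur->type != XML_NAMESPACE_DECL)
+ doc = cur->doc;
+ else {
+ xmlNsPtr ns = (xmlNsPtr) cur;
+
+ if (ns->context != NULL)
+ doc = ns->context;
+ else
+ doc = ctxt->context->doc;
+
+ }
+
+ val = (long)((char *)cur - (char *)doc);
+ if (val >= 0) {
+ sprintf((char *)str, "idp%ld", val);
+ } else {
+ sprintf((char *)str, "idm%ld", -val);
+ }
 valuePush(ctxt, xmlXPathNewString(str));
 }
 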
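Review bot: In the second hunk `doc` is used without a NULL check, so if `cur->doc` is unset (or, for a namespace node, both `ns->context` and `ctxt->context->doc` are NULL) the expression `(char *)cur - (char *)doc` yields the raw node address again, which is the exposure this commit is meant to remove. Whether that state is reachable is not visible here, since the function body continues outside both hunks. A guard before the subtraction that raises an XPath error instead of formatting an ID would close the gap, with a comment such as `/* never format an ID from an absolute address: doc must be non-NULL */`. Separately, subtracting pointers into different allocations is undefined in C, and the `(long)` cast truncates on targets where `long` is narrower than a pointer, so distinct nodes could get the same ID. The offset still reveals heap layout relative to the document, so an ID derived from a counter or from node position would be the more robust fix, and the two `sprintf` calls are better written bounded, e.g. `snprintf((char *)str, sizeof(str), "idp%ld", val);`.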
|
62 -- |
|
63 cgit v0.9.0.2 |