Revision: 67130 http://trac.macports.org/changeset/67130 Author: takanori@macports.org Date: 2010-04-29 19:07:01 -0700 (Thu, 29 Apr 2010) Log Message: ----------- kdelibs3: - fixed XMLHttpRequest vulnerability and kioslave input validation issues http://www.kde.org/info/security/advisory-20091027-1.txt Modified Paths: -------------- trunk/dports/kde/kdelibs3/Portfile Added Paths: ----------- trunk/dports/kde/kdelibs3/files/oCERT-2009-015.patch Modified: trunk/dports/kde/kdelibs3/Portfile =================================================================== --- trunk/dports/kde/kdelibs3/Portfile 2010-04-30 02:04:41 UTC (rev 67129) +++ trunk/dports/kde/kdelibs3/Portfile 2010-04-30 02:07:01 UTC (rev 67130) @@ -6,7 +6,7 @@ name kdelibs3 version 3.5.10 -revision 6 +revision 7 set kdeadmin kde-admindir-1502 categories kde kde3 maintainers nomaintainer @@ -81,7 +81,8 @@ macports-x11.patch \ patch-kio_misc_kpac_configure.in.in.diff \ patch-kio_misc_kpac_discovery.cpp.diff \ - patch_kinit_lnusertemp.c.diff + patch_kinit_lnusertemp.c.diff \ + oCERT-2009-015.patch patch { foreach f $patchfiles { Added: trunk/dports/kde/kdelibs3/files/oCERT-2009-015.patch =================================================================== --- trunk/dports/kde/kdelibs3/files/oCERT-2009-015.patch (rev 0) +++ trunk/dports/kde/kdelibs3/files/oCERT-2009-015.patch 2010-04-30 02:07:01 UTC (rev 67130) @@ -0,0 +1,42 @@ +--- kdelibs-3.5.10/khtml/ecma/xmlhttprequest.cpp.orig 2007-10-08 18:52:07.000000000 +0900 ++++ kdelibs-3.5.10/khtml/ecma/xmlhttprequest.cpp 2010-04-30 10:16:24.000000000 +0900 +@@ -342,16 +342,16 @@ + { + aborted = false; + +- if (method == "post") { +- QString protocol = url.protocol().lower(); ++ const QString protocol = url.protocol().lower(); ++ // Abandon the request when the protocol is other than "http", ++ // instead of blindly doing a KIO::get on other protocols like file:/. ++ if (!protocol.startsWith("http") && !protocol.startsWith("webdav")) ++ { ++ abort(); ++ return; ++ } + +- // Abondon the request when the protocol is other than "http", +- // instead of blindly changing it to a "get" request. +- if (!protocol.startsWith("http") && !protocol.startsWith("webdav")) +- { +- abort(); +- return; +- } ++ if (method == "post") { + + // FIXME: determine post encoding correctly by looking in headers + // for charset. +@@ -763,11 +763,11 @@ + if (obj.isValid() && obj.inherits(&DOMDocument::info)) { + DOM::Node docNode = static_cast<KJS::DOMDocument *>(obj.imp())->toNode(); + DOM::DocumentImpl *doc = static_cast<DOM::DocumentImpl *>(docNode.handle()); +- ++ + try { + body = doc->toString().string(); + // FIXME: also need to set content type, including encoding! +- ++ + } catch(DOM::DOMException& e) { + Object err = Error::create(exec, GeneralError, "Exception serializing document"); + exec->setException(err);