mirror of
https://git.openwrt.org/feed/packages.git
synced 2024-06-14 19:33:59 +02:00
110 lines
3.4 KiB
Diff
110 lines
3.4 KiB
Diff
From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
|
|
From: Nick Wellnhofer <wellnhofer@aevum.de>
|
|
Date: Sun, 24 Mar 2019 09:51:39 +0100
|
|
Subject: [PATCH] Fix security framework bypass
|
|
|
|
xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
|
|
don't check for this condition and allow access. With a specially
|
|
crafted URL, xsltCheckRead could be tricked into returning an error
|
|
because of a supposedly invalid URL that would still be loaded
|
|
succesfully later on.
|
|
|
|
Fixes #12.
|
|
|
|
Thanks to Felix Wilhelm for the report.
|
|
---
|
|
libxslt/documents.c | 18 ++++++++++--------
|
|
libxslt/imports.c | 9 +++++----
|
|
libxslt/transform.c | 9 +++++----
|
|
libxslt/xslt.c | 9 +++++----
|
|
4 files changed, 25 insertions(+), 20 deletions(-)
|
|
|
|
--- a/libxslt/documents.c
|
|
+++ b/libxslt/documents.c
|
|
@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr
|
|
int res;
|
|
|
|
res = xsltCheckRead(ctxt->sec, ctxt, URI);
|
|
- if (res == 0) {
|
|
- xsltTransformError(ctxt, NULL, NULL,
|
|
- "xsltLoadDocument: read rights for %s denied\n",
|
|
- URI);
|
|
+ if (res <= 0) {
|
|
+ if (res == 0)
|
|
+ xsltTransformError(ctxt, NULL, NULL,
|
|
+ "xsltLoadDocument: read rights for %s denied\n",
|
|
+ URI);
|
|
return(NULL);
|
|
}
|
|
}
|
|
@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr
|
|
int res;
|
|
|
|
res = xsltCheckRead(sec, NULL, URI);
|
|
- if (res == 0) {
|
|
- xsltTransformError(NULL, NULL, NULL,
|
|
- "xsltLoadStyleDocument: read rights for %s denied\n",
|
|
- URI);
|
|
+ if (res <= 0) {
|
|
+ if (res == 0)
|
|
+ xsltTransformError(NULL, NULL, NULL,
|
|
+ "xsltLoadStyleDocument: read rights for %s denied\n",
|
|
+ URI);
|
|
return(NULL);
|
|
}
|
|
}
|
|
--- a/libxslt/imports.c
|
|
+++ b/libxslt/imports.c
|
|
@@ -131,10 +131,11 @@ xsltParseStylesheetImport(xsltStylesheet
|
|
int secres;
|
|
|
|
secres = xsltCheckRead(sec, NULL, URI);
|
|
- if (secres == 0) {
|
|
- xsltTransformError(NULL, NULL, NULL,
|
|
- "xsl:import: read rights for %s denied\n",
|
|
- URI);
|
|
+ if (secres <= 0) {
|
|
+ if (secres == 0)
|
|
+ xsltTransformError(NULL, NULL, NULL,
|
|
+ "xsl:import: read rights for %s denied\n",
|
|
+ URI);
|
|
goto error;
|
|
}
|
|
}
|
|
--- a/libxslt/transform.c
|
|
+++ b/libxslt/transform.c
|
|
@@ -3416,10 +3416,11 @@ xsltDocumentElem(xsltTransformContextPtr
|
|
*/
|
|
if (ctxt->sec != NULL) {
|
|
ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
|
|
- if (ret == 0) {
|
|
- xsltTransformError(ctxt, NULL, inst,
|
|
- "xsltDocumentElem: write rights for %s denied\n",
|
|
- filename);
|
|
+ if (ret <= 0) {
|
|
+ if (ret == 0)
|
|
+ xsltTransformError(ctxt, NULL, inst,
|
|
+ "xsltDocumentElem: write rights for %s denied\n",
|
|
+ filename);
|
|
xmlFree(URL);
|
|
xmlFree(filename);
|
|
return;
|
|
--- a/libxslt/xslt.c
|
|
+++ b/libxslt/xslt.c
|
|
@@ -6729,10 +6729,11 @@ xsltParseStylesheetFile(const xmlChar* f
|
|
int res;
|
|
|
|
res = xsltCheckRead(sec, NULL, filename);
|
|
- if (res == 0) {
|
|
- xsltTransformError(NULL, NULL, NULL,
|
|
- "xsltParseStylesheetFile: read rights for %s denied\n",
|
|
- filename);
|
|
+ if (res <= 0) {
|
|
+ if (res == 0)
|
|
+ xsltTransformError(NULL, NULL, NULL,
|
|
+ "xsltParseStylesheetFile: read rights for %s denied\n",
|
|
+ filename);
|
|
return(NULL);
|
|
}
|
|
}
|