kde-frameworks/kcoreaddons: backport patch from upstream to resolve CVE-2016-7966
This also backports an unrelated bugfix patch (1be7272) as it is required for the CVE patch (96e562d) to apply cleanly. Gentoo-bug: 596224 Package-Manager: portage-2.3.1
1 parent
b10ff10
commit d370ca0
Showing
2 changed files
with
227 additions
and
0 deletions.
225 changes: 225 additions & 0 deletions
225
kde-frameworks/kcoreaddons/files/kcoreaddons-5.26.0-CVE-2016-7966.patch
@@ -0,0 +1,225 @@ | ||
From 2a5142fecf8615ccfa3e7c1f9c088fa6ae5cc2a1 Mon Sep 17 00:00:00 2001 | ||
From: Montel Laurent <[email protected]> | ||
Date: Wed, 21 Sep 2016 07:24:30 +0200 | ||
Subject: [PATCH 1/2] Fix very old bug when we remove space in url as "foo | ||
<<url> <url>>" | ||
|
||
--- | ||
autotests/ktexttohtmltest.cpp | 14 ++++++++++++++ | ||
src/lib/text/ktexttohtml.cpp | 14 ++++++++++++-- | ||
2 files changed, 26 insertions(+), 2 deletions(-) | ||
|
||
diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp | ||
index 474f0ca..8fc0c56 100644 | ||
--- a/autotests/ktexttohtmltest.cpp | ||
+++ b/autotests/ktexttohtmltest.cpp | ||
@@ -30,6 +30,15 @@ QTEST_MAIN(KTextToHTMLTest) | ||
|
||
Q_DECLARE_METATYPE(KTextToHTML::Options) | ||
|
||
+#ifndef Q_OS_WIN | ||
+void initLocale() | ||
+{ | ||
+ setenv("LC_ALL", "en_US.utf-8", 1); | ||
+} | ||
+Q_CONSTRUCTOR_FUNCTION(initLocale) | ||
+#endif | ||
+ | ||
+ | ||
void KTextToHTMLTest::testGetEmailAddress() | ||
{ | ||
// empty input | ||
@@ -372,6 +381,11 @@ void KTextToHTMLTest::testHtmlConvert_data() | ||
QTest::newRow("url-in-parenthesis-3") << "bla (http://www.kde.org - section 5.2)" | ||
<< KTextToHTML::Options(KTextToHTML::PreserveSpaces) | ||
<< "bla (<a href=\"http://www.kde.org\">http://www.kde.org</a> - section 5.2)"; | ||
+ | ||
+ // Fix url as foo <<url> <url>> when we concatened them. | ||
+ QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>" | ||
+ << KTextToHTML::Options(KTextToHTML::PreserveSpaces) | ||
+ << "foo <<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a><<a href=\"http://www.kde.org/\">http://www.kde.org/</a>>>"; | ||
} | ||
|
||
|
||
diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp | ||
index 8ed923d..b181f56 100644 | ||
--- a/src/lib/text/ktexttohtml.cpp | ||
+++ b/src/lib/text/ktexttohtml.cpp | ||
@@ -228,11 +228,19 @@ QString KTextToHTMLHelper::getUrl() | ||
|
||
url.reserve(mMaxUrlLen); // avoid allocs | ||
int start = mPos; | ||
+ bool previousCharIsSpace = false; | ||
while ((mPos < mText.length()) && | ||
(mText[mPos].isPrint() || mText[mPos].isSpace()) && | ||
((afterUrl.isNull() && !mText[mPos].isSpace()) || | ||
(!afterUrl.isNull() && mText[mPos] != afterUrl))) { | ||
- if (!mText[mPos].isSpace()) { // skip whitespace | ||
+ if (mText[mPos].isSpace()) { | ||
+ previousCharIsSpace = true; | ||
+ } else { // skip whitespace | ||
+ if (previousCharIsSpace && mText[mPos] == QLatin1Char('<')) { | ||
+ url.append(QLatin1Char(' ')); | ||
+ break; | ||
+ } | ||
+ previousCharIsSpace = false; | ||
url.append(mText[mPos]); | ||
if (url.length() > mMaxUrlLen) { | ||
break; | ||
@@ -267,7 +275,6 @@ QString KTextToHTMLHelper::getUrl() | ||
} | ||
} while (url.length() > 1); | ||
} | ||
- | ||
return url; | ||
} | ||
|
||
@@ -334,6 +341,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML:: | ||
QChar ch; | ||
int x; | ||
bool startOfLine = true; | ||
+ //qDebug()<<" plainText"<<plainText; | ||
|
||
for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length(); | ||
++helper.mPos, ++x) { | ||
@@ -402,6 +410,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML:: | ||
const int start = helper.mPos; | ||
if (!(flags & IgnoreUrls)) { | ||
str = helper.getUrl(); | ||
+ //qDebug()<<" str"<<str; | ||
if (!str.isEmpty()) { | ||
QString hyperlink; | ||
if (str.left(4) == QLatin1String("www.")) { | ||
@@ -455,6 +464,7 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML:: | ||
|
||
result = helper.emoticonsInterface()->parseEmoticons(result, true, exclude); | ||
} | ||
+ //qDebug()<<" result "<<result; | ||
|
||
return result; | ||
} | ||
-- | ||
2.7.3 | ||
|
||
From aa9281b7f95ce970603645d79f6f275d1ae7d2ed Mon Sep 17 00:00:00 2001 | ||
From: Montel Laurent <[email protected]> | ||
Date: Fri, 30 Sep 2016 13:21:45 +0200 | ||
Subject: [PATCH 2/2] Don't convert as url an url which has a " | ||
|
||
--- | ||
autotests/ktexttohtmltest.cpp | 6 ++++++ | ||
src/lib/text/ktexttohtml.cpp | 25 +++++++++++++++++++------ | ||
src/lib/text/ktexttohtml_p.h | 2 +- | ||
3 files changed, 26 insertions(+), 7 deletions(-) | ||
|
||
diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp | ||
index 8fc0c56..c5690e8 100644 | ||
--- a/autotests/ktexttohtmltest.cpp | ||
+++ b/autotests/ktexttohtmltest.cpp | ||
@@ -386,6 +386,12 @@ void KTextToHTMLTest::testHtmlConvert_data() | ||
QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>" | ||
<< KTextToHTML::Options(KTextToHTML::PreserveSpaces) | ||
<< "foo <<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a><<a href=\"http://www.kde.org/\">http://www.kde.org/</a>>>"; | ||
+ | ||
+ //Fix url exploit | ||
+ QTest::newRow("url-exec-html") << "https://\"><!--" | ||
+ << KTextToHTML::Options(KTextToHTML::PreserveSpaces) | ||
+ << "https://\"><!--"; | ||
+ | ||
} | ||
|
||
|
||
diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp | ||
index b181f56..09b2483 100644 | ||
--- a/src/lib/text/ktexttohtml.cpp | ||
+++ b/src/lib/text/ktexttohtml.cpp | ||
@@ -156,7 +156,6 @@ bool KTextToHTMLHelper::atUrl() | ||
(allowedSpecialChars.indexOf(mText[mPos - 1]) != -1))) { | ||
return false; | ||
} | ||
- | ||
QChar ch = mText[mPos]; | ||
return | ||
(ch == QLatin1Char('h') && (mText.mid(mPos, 7) == QLatin1String("http://") || | ||
@@ -192,7 +191,7 @@ bool KTextToHTMLHelper::isEmptyUrl(const QString &url) | ||
url == QLatin1String("news://"); | ||
} | ||
|
||
-QString KTextToHTMLHelper::getUrl() | ||
+QString KTextToHTMLHelper::getUrl(bool *badurl) | ||
{ | ||
QString url; | ||
if (atUrl()) { | ||
@@ -229,6 +228,7 @@ QString KTextToHTMLHelper::getUrl() | ||
url.reserve(mMaxUrlLen); // avoid allocs | ||
int start = mPos; | ||
bool previousCharIsSpace = false; | ||
+ bool previousCharIsADoubleQuote = false; | ||
while ((mPos < mText.length()) && | ||
(mText[mPos].isPrint() || mText[mPos].isSpace()) && | ||
((afterUrl.isNull() && !mText[mPos].isSpace()) || | ||
@@ -241,6 +241,18 @@ QString KTextToHTMLHelper::getUrl() | ||
break; | ||
} | ||
previousCharIsSpace = false; | ||
+ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) { | ||
+ //it's an invalid url | ||
+ if (badurl) { | ||
+ *badurl = true; | ||
+ } | ||
+ return QString(); | ||
+ } | ||
+ if (mText[mPos] == QLatin1Char('"')) { | ||
+ previousCharIsADoubleQuote = true; | ||
+ } else { | ||
+ previousCharIsADoubleQuote = false; | ||
+ } | ||
url.append(mText[mPos]); | ||
if (url.length() > mMaxUrlLen) { | ||
break; | ||
@@ -341,7 +353,6 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML:: | ||
QChar ch; | ||
int x; | ||
bool startOfLine = true; | ||
- //qDebug()<<" plainText"<<plainText; | ||
|
||
for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length(); | ||
++helper.mPos, ++x) { | ||
@@ -409,8 +420,11 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML:: | ||
} else { | ||
const int start = helper.mPos; | ||
if (!(flags & IgnoreUrls)) { | ||
- str = helper.getUrl(); | ||
- //qDebug()<<" str"<<str; | ||
+ bool badUrl = false; | ||
+ str = helper.getUrl(&badUrl); | ||
+ if (badUrl) { | ||
+ return helper.mText; | ||
+ } | ||
if (!str.isEmpty()) { | ||
QString hyperlink; | ||
if (str.left(4) == QLatin1String("www.")) { | ||
@@ -464,7 +478,6 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML:: | ||
|
||
result = helper.emoticonsInterface()->parseEmoticons(result, true, exclude); | ||
} | ||
- //qDebug()<<" result "<<result; | ||
|
||
return result; | ||
} | ||
diff --git a/src/lib/text/ktexttohtml_p.h b/src/lib/text/ktexttohtml_p.h | ||
index 74ad7a0..fc43613 100644 | ||
--- a/src/lib/text/ktexttohtml_p.h | ||
+++ b/src/lib/text/ktexttohtml_p.h | ||
@@ -49,7 +49,7 @@ public: | ||
QString getEmailAddress(); | ||
bool atUrl(); | ||
bool isEmptyUrl(const QString &url); | ||
- QString getUrl(); | ||
+ QString getUrl(bool *badurl = Q_NULLPTR); | ||
QString pngToDataUrl(const QString &pngPath); | ||
QString highlightedText(); | ||
|
||
-- | ||
2.7.3 | ||
|
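Review bot: In the second patch's `convertToHtml` hunk, the new `if (badUrl) { return helper.mText; }` returns what appears to be the unconverted input, so every `<`, `>`, `&` and `"` in the whole message leaves a function whose result is presumably consumed as HTML without being escaped; the added `url-exec-html` test row pins exactly that, expecting the output to be identical to the raw input. Returning an escaped copy keeps the bail-out while closing that path: `return helper.mText.toHtmlEscaped();`, with the test's expected string changed to the escaped form. The guard added to `getUrl` is also narrow: it rejects only a `>` that directly follows a `"`, so a double quote followed by any other character is still appended to `url`. Whether that value reaches the `href` attribute unescaped depends on code outside these hunks, so it should be checked before treating this backport as a complete fix. Both function bodies start and end outside the hunks shown.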