summaryrefslogtreecommitdiffstats
path: root/opensuse/tdelibs/kdelibs-3.5.10-cve-2009-1698.patch
blob: ab9fea5c2b98c13878a2030153bf267da45dcac0 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
diff -ur kdelibs-3.5.10/khtml/css/cssparser.cpp kdelibs-3.5.10-cve-2009-1698/khtml/css/cssparser.cpp
--- kdelibs-3.5.10/khtml/css/cssparser.cpp	2007-01-15 12:34:04.000000000 +0100
+++ kdelibs-3.5.10-cve-2009-1698/khtml/css/cssparser.cpp	2009-07-26 05:46:39.000000000 +0200
@@ -1344,6 +1344,14 @@
                 if ( args->size() != 1)
                     return false;
                 Value *a = args->current();
+                if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
+                    isValid=false;
+                    break;
+                }
+                if (qString(a->string)[0] == '-') {
+                    isValid=false;
+                    break;
+                }
                 parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
             }
             else
@@ -1396,7 +1404,8 @@
 
     CounterImpl *counter = new CounterImpl;
     Value *i = args->current();
-//    if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+    if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+    if (qString(i->string)[0] == '-') goto invalid;
     counter->m_identifier = domString(i->string);
     if (counters) {
         i = args->next();
diff -ur kdelibs-3.5.10/khtml/css/css_valueimpl.cpp kdelibs-3.5.10-cve-2009-1698/khtml/css/css_valueimpl.cpp
--- kdelibs-3.5.10/khtml/css/css_valueimpl.cpp	2006-07-22 10:16:49.000000000 +0200
+++ kdelibs-3.5.10-cve-2009-1698/khtml/css/css_valueimpl.cpp	2009-07-26 05:45:36.000000000 +0200
@@ -736,7 +736,9 @@
 	    text = getValueName(m_value.ident);
 	    break;
 	case CSSPrimitiveValue::CSS_ATTR:
-	    // ###
+            text = "attr(";
+            text += DOMString( m_value.string );
+            text += ")";
 	    break;
 	case CSSPrimitiveValue::CSS_COUNTER:
             text = "counter(";