
Bug#479644: CVE-2008-1025



Hi folks

I am trying to get the patch for qt4-x11 working for sid.
I am attaching the current patch, but it might still need some adjustment, since
I am not sure whether I missed anything.

Cheers
Steffen
diff -ur ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp
--- ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp	2008-04-04 08:40:58.000000000 +0000
+++ qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp	2008-05-08 10:26:28.000000000 +0000
@@ -4389,6 +4389,11 @@
     return m_client->blockedError(request);
 }
 
+ResourceError FrameLoader::cannotShowURLError(const ResourceRequest& request) const 
+{
+    return m_client->cannotShowURLError(request); 
+}
+
 ResourceError FrameLoader::fileDoesNotExistError(const ResourceResponse& response) const
 {
     return m_client->fileDoesNotExistError(response);    
diff -ur ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/loader/FrameLoader.h qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/loader/FrameLoader.h
--- ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/loader/FrameLoader.h	2008-04-04 08:40:58.000000000 +0000
+++ qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/loader/FrameLoader.h	2008-05-08 10:26:28.000000000 +0000
@@ -215,6 +215,7 @@
         ResourceError cancelledError(const ResourceRequest&) const;
         ResourceError fileDoesNotExistError(const ResourceResponse&) const;
         ResourceError blockedError(const ResourceRequest&) const;
+	ResourceError cannotShowURLError(const ResourceRequest&) const;
         bool willUseArchive(ResourceLoader*, const ResourceRequest&, const KURL&) const;
         bool isArchiveLoadPending(ResourceLoader*) const;
         void cannotShowMIMEType(const ResourceResponse&);
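Review bot: The added `cannotShowURLError` declaration is indented with a tab while the declarations around it use spaces, so it will not line up unless tabs are rendered eight columns wide. The same mix appears on the added lines in ResourceLoader.h, ResourceHandleClient.h and ResourceHandleInternal.h, and inside `create` and `fireFailure` in ResourceHandle.cpp. Several added lines also end in a trailing space. Re-indenting them with spaces to match each file keeps the patch minimal and easier to compare against the code it was ported from.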
diff -ur ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/loader/ResourceLoader.cpp qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/loader/ResourceLoader.cpp
--- ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/loader/ResourceLoader.cpp	2008-04-04 08:40:58.000000000 +0000
+++ qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/loader/ResourceLoader.cpp	2008-05-08 10:26:28.000000000 +0000
@@ -176,6 +176,11 @@
         m_resourceData->clear();
 }
 
+ResourceError ResourceLoader::cannotShowURLError() 
+{
+    return frameLoader()->cannotShowURLError(m_request); 
+}
+
 void ResourceLoader::willSendRequest(ResourceRequest& request, const ResourceResponse& redirectResponse)
 {
     // Protect this in this delegate method since the additional processing can do
@@ -280,11 +285,6 @@
     releaseResources();
 }
 
-void ResourceLoader::wasBlocked()
-{
-    didFail(blockedError());
-}
-
 void ResourceLoader::didCancel(const ResourceError& error)
 {
     ASSERT(!m_cancelled);
@@ -368,7 +368,12 @@
 
 void ResourceLoader::wasBlocked(ResourceHandle*)
 {
-    wasBlocked();
+    didFail(blockedError());
+}
+
+void ResourceLoader::cannotShowURL(ResourceHandle*) 
+{
+    didFail(cannotShowURLError()); 
 }
 
 void ResourceLoader::didReceiveAuthenticationChallenge(const AuthenticationChallenge& challenge)
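Review bot: `wasBlocked(ResourceHandle*)` now calls `didFail(blockedError())` directly, and the virtual no-argument `wasBlocked()` it used to dispatch through is removed from ResourceLoader by this patch. If a subclass in this tree overrides `wasBlocked()`, that override would still compile but would never be called again, and the compiler will not flag it. Nothing in the diff shows whether such an override exists, so it is worth searching the loader sources for one before relying on the blocked-port path behaving as before.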
diff -ur ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/loader/ResourceLoader.h qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/loader/ResourceLoader.h
--- ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/loader/ResourceLoader.h	2008-04-04 08:40:58.000000000 +0000
+++ qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/loader/ResourceLoader.h	2008-05-08 10:26:28.000000000 +0000
@@ -61,6 +61,7 @@
         virtual void cancel(const ResourceError&);
         ResourceError cancelledError();
         ResourceError blockedError();
+	ResourceError cannotShowURLError(); 
         
         virtual void setDefersLoading(bool);
 
@@ -80,7 +81,6 @@
         void willStopBufferingData(const char*, int);
         virtual void didFinishLoading();
         virtual void didFail(const ResourceError&);
-        virtual void wasBlocked();
 
         void didReceiveAuthenticationChallenge(const AuthenticationChallenge&);
         void didCancelAuthenticationChallenge(const AuthenticationChallenge&);
@@ -93,6 +93,7 @@
         virtual void didFinishLoading(ResourceHandle*);
         virtual void didFail(ResourceHandle*, const ResourceError&);
         virtual void wasBlocked(ResourceHandle*);
+	virtual void cannotShowURL(ResourceHandle*); 
         virtual void willStopBufferingData(ResourceHandle*, const char* data, int length) { willStopBufferingData(data, length); } 
         virtual void didReceiveAuthenticationChallenge(ResourceHandle*, const AuthenticationChallenge& challenge) { didReceiveAuthenticationChallenge(challenge); } 
         virtual void didCancelAuthenticationChallenge(ResourceHandle*, const AuthenticationChallenge& challenge) { didCancelAuthenticationChallenge(challenge); } 
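Review bot: ResourceLoader is the only client in this patch that overrides `cannotShowURL`, and the default added to ResourceHandleClient.h has an empty body. Any other ResourceHandleClient whose request URL is rejected would therefore receive no failure notification at all, which would presumably leave its load pending. Whether such clients exist in the Qt port cannot be seen from the diff. I would at least document the contract on the base declaration, for example `// Called when the request URL is invalid; clients must override this to fail the load.`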
diff -ur ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/KURL.h qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/KURL.h
--- ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/KURL.h	2008-04-04 08:40:59.000000000 +0000
+++ qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/KURL.h	2008-05-08 10:26:28.000000000 +0000
@@ -74,6 +74,7 @@
     KURL(const QUrl&);
 #endif
     bool isEmpty() const { return urlString.isEmpty(); } 
+    bool isValid() const { return m_isValid; } 
     bool hasPath() const;
 
     DeprecatedString url() const { return urlString; }
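Review bot: The fix depends on `m_isValid` being false for the URLs the advisory concerns, yet the patch only adds the `isValid()` accessor and leaves the parser untouched. Whether the parsing code in this 4.4.0~rc1 tree already marks those URLs invalid cannot be told from the diff. Nor can it be told whether the `KURL(const QUrl&)` constructor declared just above sets `m_isValid` at all. A regression test that passes such a URL to `ResourceHandle::create` and expects `cannotShowURL` to be delivered would confirm the backport is complete. The class body continues outside this hunk.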
diff -ur ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/network/ResourceHandle.cpp qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/network/ResourceHandle.cpp
--- ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/network/ResourceHandle.cpp	2008-04-04 08:40:59.000000000 +0000
+++ qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/network/ResourceHandle.cpp	2008-05-08 10:26:28.000000000 +0000
@@ -34,6 +34,8 @@
 
 namespace WebCore {
 
+static bool portAllowed(const ResourceRequest&); 
+
 ResourceHandle::ResourceHandle(const ResourceRequest& request, ResourceHandleClient* client, bool defersLoading,
          bool shouldContentSniff, bool mightDownloadFromHandle)
     : d(new ResourceHandleInternal(this, request, client, defersLoading, shouldContentSniff, mightDownloadFromHandle))
@@ -45,8 +47,13 @@
 {
     RefPtr<ResourceHandle> newHandle(new ResourceHandle(request, client, defersLoading, shouldContentSniff, mightDownloadFromHandle));
 
+    if (!request.url().isValid()) {
+            newHandle->scheduleFailure(InvalidURLFailure);
+	    return newHandle.release();
+    }
+    
     if (!portAllowed(request)) {
-        newHandle->scheduleBlockedFailure();
+	newHandle->scheduleFailure(BlockedFailure); 
         return newHandle.release();
     }
         
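Review bot: The new `isValid()` guard only covers loads started through `ResourceHandle::create`, so a path that starts a handle some other way (a synchronous load, if this port has one) would skip it. The existing `portAllowed` test has the same limit, so this is not a regression. Since this is a security fix, it is still worth confirming that every load entry point ends up in this function. The body of `create` starts and ends outside this hunk.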
@@ -56,17 +63,27 @@
     return 0;
 }
 
-void ResourceHandle::scheduleBlockedFailure()
+void ResourceHandle::scheduleFailure(FailureType type) 
 {
-    Timer<ResourceHandle>* blockedTimer = new Timer<ResourceHandle>(this, &ResourceHandle::fireBlockedFailure);
-    blockedTimer->startOneShot(0);
+    d->m_failureType = type;
+    d->m_failureTimer.startOneShot(0);
 }
 
-void ResourceHandle::fireBlockedFailure(Timer<ResourceHandle>* timer)
+void ResourceHandle::fireFailure(Timer<ResourceHandle>*) 
 {
-    if (client())
-        client()->wasBlocked(this);
-    delete timer;
+    if (!client())
+    	return;
+
+    switch (d->m_failureType) {
+        case BlockedFailure:
+            client()->wasBlocked(this);
+            return;
+        case InvalidURLFailure:
+            client()->cannotShowURL(this);
+            return;
+    }
+
+    ASSERT_NOT_REACHED();
 }
 
 ResourceHandleClient* ResourceHandle::client() const
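Review bot: `scheduleFailure` and `fireFailure` carry no comment explaining why the failure is reported from a zero-delay timer, or what the callback may do to the handle. Above `scheduleFailure` I would add `// Deliver the failure asynchronously so the client is not called back before create() has returned.` Above the `switch` I would add `// The client may drop its reference to this handle in the callback; do not touch members afterwards.` The second comment is inferred from each case returning straight after the client call, so please confirm it against the Timer and ResourceLoader code.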
@@ -94,7 +111,7 @@
     d->m_currentWebChallenge.nullify();
 }
 
-bool ResourceHandle::portAllowed(const ResourceRequest& request)
+static bool portAllowed(const ResourceRequest& request) 
 {
     unsigned short port = request.url().port();
 
diff -ur ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/network/ResourceHandle.h qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/network/ResourceHandle.h
--- ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/network/ResourceHandle.h	2008-04-04 08:40:59.000000000 +0000
+++ qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/network/ResourceHandle.h	2008-05-08 10:26:28.000000000 +0000
@@ -89,6 +89,11 @@
 private:
     ResourceHandle(const ResourceRequest&, ResourceHandleClient*, bool defersLoading, bool shouldContentSniff, bool mightDownloadFromHandle);
 
+    enum FailureType {
+        BlockedFailure,
+        InvalidURLFailure
+    };
+
 public:
     // FIXME: should not need the Frame
     static PassRefPtr<ResourceHandle> create(const ResourceRequest&, ResourceHandleClient*, Frame*, bool defersLoading, bool shouldContentSniff, bool mightDownloadFromHandle = false);
@@ -152,15 +157,14 @@
       
     const ResourceRequest& request() const;
 
-    void fireBlockedFailure(Timer<ResourceHandle>*);
+    void fireFailure(Timer<ResourceHandle>*);
 
 private:
-    static bool portAllowed(const ResourceRequest&);
-    
-    void scheduleBlockedFailure();
+    void scheduleFailure(FailureType); 
 
     bool start(Frame*);
-        
+    
+    friend class ResourceHandleInternal;        
     OwnPtr<ResourceHandleInternal> d;
 };
 
diff -ur ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/network/ResourceHandleClient.h qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/network/ResourceHandleClient.h
--- ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/network/ResourceHandleClient.h	2008-04-04 08:40:59.000000000 +0000
+++ qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/network/ResourceHandleClient.h	2008-05-08 10:26:28.000000000 +0000
@@ -70,6 +70,7 @@
         virtual void didFinishLoading(ResourceHandle*) { }
         virtual void didFail(ResourceHandle*, const ResourceError&) { }
         virtual void wasBlocked(ResourceHandle*) { }
+	virtual void cannotShowURL(ResourceHandle*) { } 
 
         virtual void willCacheResponse(ResourceHandle*, CacheStoragePolicy&) { }
 
diff -ur ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/network/ResourceHandleInternal.h qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/network/ResourceHandleInternal.h
--- ../old/qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/network/ResourceHandleInternal.h	2008-04-04 08:40:59.000000000 +0000
+++ qt4-x11-4.4.0~rc1/src/3rdparty/webkit/WebCore/platform/network/ResourceHandleInternal.h	2008-05-08 10:28:00.000000000 +0000
@@ -27,6 +27,7 @@
 #ifndef ResourceHandleInternal_h
 #define ResourceHandleInternal_h
 
+#include "ResourceHandle.h"
 #include "ResourceRequest.h"
 #include "AuthenticationChallenge.h"
 
@@ -108,7 +109,8 @@
 #elif USE(CFNETWORK)
             , m_currentCFChallenge(0)
 #endif
-        {
+            , m_failureTimer(loader, &ResourceHandle::fireFailure)
+	{
         }
         
         ~ResourceHandleInternal();
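Review bot: `m_failureType` is added as a member but the initialiser list gains only `m_failureTimer`, so the enum is indeterminate until `scheduleFailure` assigns it. That is harmless while the timer is only ever started by `scheduleFailure`. But `fireFailure` ends in `ASSERT_NOT_REACHED()`, and if that compiles out in release builds, as is usual, an unexpected value would become a silently dropped failure. Adding `, m_failureType(ResourceHandle::BlockedFailure)` just before the `m_failureTimer` initialiser keeps the state defined and matches the member declaration order. The constructor begins outside this hunk.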
@@ -168,6 +170,8 @@
         CFURLAuthChallengeRef m_currentCFChallenge;
 #endif
         AuthenticationChallenge m_currentWebChallenge;
+	ResourceHandle::FailureType m_failureType;
+        Timer<ResourceHandle> m_failureTimer;
     };
 
 } // namespace WebCore

Attachment: signature.asc
Description: This is a digitally signed message part.

