| 1 |
reavertm 10/05/10 22:08:32 |
| 2 |
|
| 3 |
Added: kget-4.4.3_CVE-2010-1000.patch |
| 4 |
Log: |
| 5 |
CVE-2010-1000 |
| 6 |
(Portage version: 2.2_rc67/cvs/Linux x86_64) |
| 7 |
|
| 8 |
Revision Changes Path |
| 9 |
1.1 kde-base/kget/files/kget-4.4.3_CVE-2010-1000.patch |
| 10 |
|
| 11 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/kde-base/kget/files/kget-4.4.3_CVE-2010-1000.patch?rev=1.1&view=markup |
| 12 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/kde-base/kget/files/kget-4.4.3_CVE-2010-1000.patch?rev=1.1&content-type=text/plain |
| 13 |
|
| 14 |
Index: kget-4.4.3_CVE-2010-1000.patch |
| 15 |
=================================================================== |
| 16 |
diff --git a/kget/transfer-plugins/metalink/metalink.cpp b/kget/transfer-plugins/metalink/metalink.cpp |
| 17 |
index 605d4e1..c7d5d75 100644 |
| 18 |
--- a/kget/transfer-plugins/metalink/metalink.cpp |
| 19 |
+++ b/kget/transfer-plugins/metalink/metalink.cpp |
| 20 |
@@ -99,6 +99,7 @@ void Metalink::start() |
| 21 |
void Metalink::metalinkInit(const KUrl &src, const QByteArray &data) |
| 22 |
{ |
| 23 |
kDebug(5001); |
| 24 |
+ |
| 25 |
bool justDownloaded = !m_localMetalinkLocation.isValid(); |
| 26 |
if (!src.isEmpty()) |
| 27 |
{ |
| 28 |
@@ -121,7 +122,9 @@ void Metalink::metalinkInit(const KUrl &src, const QByteArray &data) |
| 29 |
//error |
| 30 |
if (!m_metalink.isValid()) |
| 31 |
{ |
| 32 |
- kDebug(5001) << "Unknown error when trying to load the .metalink-file"; |
| 33 |
+ kError(5001) << "Unknown error when trying to load the .metalink-file. Metalink is not valid."; |
| 34 |
+ setStatus(Job::Aborted); |
| 35 |
+ setTransferChange(Tc_Status, true); |
| 36 |
return; |
| 37 |
} |
| 38 |
|
| 39 |
@@ -202,7 +205,7 @@ void Metalink::metalinkInit(const KUrl &src, const QByteArray &data) |
| 40 |
if (!m_dataSourceFactory.size()) |
| 41 |
{ |
| 42 |
KMessageBox::error(0, i18n("Download failed, no working URLs were found."), i18n("Error")); |
| 43 |
- setStatus(Job::Aborted, i18n("An error occurred...."), SmallIcon("document-preview")); |
| 44 |
+ setStatus(Job::Aborted); |
| 45 |
setTransferChange(Tc_Status, true); |
| 46 |
return; |
| 47 |
} |
| 48 |
@@ -227,16 +230,29 @@ void Metalink::metalinkInit(const KUrl &src, const QByteArray &data) |
| 49 |
ui.treeView->hideColumn(FileItem::SignatureVerified); |
| 50 |
dialog->setMainWidget(widget); |
| 51 |
dialog->setCaption(i18n("File Selection")); |
| 52 |
- dialog->setButtons(KDialog::Ok); |
| 53 |
- connect(dialog, SIGNAL(finished()), this, SLOT(filesSelected())); |
| 54 |
+ dialog->setButtons(KDialog::Ok | KDialog::Cancel); |
| 55 |
+ connect(dialog, SIGNAL(finished(int)), this, SLOT(fileDlgFinished(int))); |
| 56 |
|
| 57 |
dialog->show(); |
| 58 |
} |
| 59 |
} |
| 60 |
|
| 61 |
-void Metalink::filesSelected() |
| 62 |
+void Metalink::fileDlgFinished(int result) |
| 63 |
{ |
| 64 |
+ //BEGIN HACK if the dialog was not accepted untick every file, so that the download does not start |
| 65 |
+ //generally setStatus should do the job as well, but does not as it appears |
| 66 |
+ if (result != QDialog::Accepted) { |
| 67 |
+ for (int row = 0; row < fileModel()->rowCount(); ++row) { |
| 68 |
+ QModelIndex index = fileModel()->index(row, FileItem::File); |
| 69 |
+ if (index.isValid()) { |
| 70 |
+ fileModel()->setData(index, Qt::Unchecked, Qt::CheckStateRole); |
| 71 |
+ } |
| 72 |
+ } |
| 73 |
+ } |
| 74 |
+ //END |
| 75 |
+ |
| 76 |
QModelIndexList files = fileModel()->fileIndexes(FileItem::File); |
| 77 |
+ int numFilesSelected = 0; |
| 78 |
foreach (const QModelIndex &index, files) |
| 79 |
{ |
| 80 |
const KUrl dest = fileModel()->getUrl(index); |
| 81 |
@@ -244,6 +260,9 @@ void Metalink::filesSelected() |
| 82 |
if (m_dataSourceFactory.contains(dest)) |
| 83 |
{ |
| 84 |
m_dataSourceFactory[dest]->setDoDownload(doDownload); |
| 85 |
+ if (doDownload) { |
| 86 |
+ ++numFilesSelected; |
| 87 |
+ } |
| 88 |
} |
| 89 |
} |
| 90 |
|
| 91 |
@@ -252,9 +271,15 @@ void Metalink::filesSelected() |
| 92 |
processedSizeChanged(); |
| 93 |
speedChanged(); |
| 94 |
|
| 95 |
+ //no files selected to download or dialog rejected, stop the download |
| 96 |
+ if (!numFilesSelected || (result != QDialog::Accepted)) { |
| 97 |
+ setStatus(Job::Stopped);//FIXME |
| 98 |
+ setTransferChange(Tc_Status, true); |
| 99 |
+ return; |
| 100 |
+ } |
| 101 |
+ |
| 102 |
//some files may be set to download, so start them as long as the transfer is not stopped |
| 103 |
- if (status() != Job::Stopped) |
| 104 |
- { |
| 105 |
+ if (status() != Job::Stopped) { |
| 106 |
startMetalink(); |
| 107 |
} |
| 108 |
} |
| 109 |
diff --git a/kget/transfer-plugins/metalink/metalink.h b/kget/transfer-plugins/metalink/metalink.h |
| 110 |
index 41988cb..15e8698 100644 |
| 111 |
--- a/kget/transfer-plugins/metalink/metalink.h |
| 112 |
+++ b/kget/transfer-plugins/metalink/metalink.h |
| 113 |
@@ -81,7 +81,7 @@ class Metalink : public Transfer |
| 114 |
|
| 115 |
private Q_SLOTS: |
| 116 |
void metalinkInit(const KUrl &url = KUrl(), const QByteArray &data = QByteArray()); |
| 117 |
- void filesSelected(); |
| 118 |
+ void fileDlgFinished(int result); |
| 119 |
void totalSizeChanged(KIO::filesize_t size); |
| 120 |
void processedSizeChanged(); |
| 121 |
void speedChanged(); |
| 122 |
diff --git a/kget/ui/metalinkcreator/metalinker.cpp b/kget/ui/metalinkcreator/metalinker.cpp |
| 123 |
index 9487c6f..019b571 100644 |
| 124 |
--- a/kget/ui/metalinkcreator/metalinker.cpp |
| 125 |
+++ b/kget/ui/metalinkcreator/metalinker.cpp |
| 126 |
@@ -528,14 +528,14 @@ void KGetMetalink::Verification::clear() |
| 127 |
|
| 128 |
bool KGetMetalink::File::isValid() const |
| 129 |
{ |
| 130 |
- return !name.isEmpty() && resources.isValid(); |
| 131 |
+ return isValidNameAttribute() && resources.isValid(); |
| 132 |
} |
| 133 |
|
| 134 |
void KGetMetalink::File::load(const QDomElement &e) |
| 135 |
{ |
| 136 |
data.load(e); |
| 137 |
|
| 138 |
- name = e.attribute("name"); |
| 139 |
+ name = QUrl::fromPercentEncoding(e.attribute("name").toAscii()); |
| 140 |
size = e.firstChildElement("size").text().toULongLong(); |
| 141 |
|
| 142 |
verification.load(e); |
| 143 |
@@ -575,6 +575,22 @@ void KGetMetalink::File::clear() |
| 144 |
resources.clear(); |
| 145 |
} |
| 146 |
|
| 147 |
+ |
| 148 |
+bool KGetMetalink::File::isValidNameAttribute() const |
| 149 |
+{ |
| 150 |
+ if (name.isEmpty()) { |
| 151 |
+ kError(5001) << "Name attribute of Metalink::File is empty."; |
| 152 |
+ return false; |
| 153 |
+ } |
| 154 |
+ |
| 155 |
+ if (name.contains(QRegExp("$(\\.\\.?)?/")) || name.contains("/../") || name.endsWith("/..")) { |
| 156 |
+ kError(5001) << "Name attribute of Metalink::File contains directory traversal directives:" << name; |
| 157 |
+ return false; |
| 158 |
+ } |
| 159 |
+ |
| 160 |
+ return true; |
| 161 |
+} |
| 162 |
+ |
| 163 |
#ifdef HAVE_NEPOMUK |
| 164 |
QHash<QUrl, Nepomuk::Variant> KGetMetalink::File::properties() const |
| 165 |
{ |
| 166 |
@@ -584,13 +600,28 @@ QHash<QUrl, Nepomuk::Variant> KGetMetalink::File::properties() const |
| 167 |
|
| 168 |
bool KGetMetalink::Files::isValid() const |
| 169 |
{ |
| 170 |
- bool isValid = !files.empty(); |
| 171 |
- foreach (const File &file, files) |
| 172 |
- { |
| 173 |
- isValid &= file.isValid(); |
| 174 |
+ if (files.isEmpty()) { |
| 175 |
+ return false; |
| 176 |
} |
| 177 |
|
| 178 |
- return isValid; |
| 179 |
+ QStringList fileNames; |
| 180 |
+ foreach (const File &file, files) { |
| 181 |
+ fileNames << file.name; |
| 182 |
+ if (!file.isValid()) { |
| 183 |
+ return false; |
| 184 |
+ } |
| 185 |
+ } |
| 186 |
+ |
| 187 |
+ //The value of name must be unique for each file |
| 188 |
+ while (!fileNames.isEmpty()) { |
| 189 |
+ const QString fileName = fileNames.takeFirst(); |
| 190 |
+ if (fileNames.contains(fileName)) { |
| 191 |
+ kError(5001) << "Metalink::File name" << fileName << "exists multiple times."; |
| 192 |
+ return false; |
| 193 |
+ } |
| 194 |
+ } |
| 195 |
+ |
| 196 |
+ return true; |
| 197 |
} |
| 198 |
|
| 199 |
void KGetMetalink::Files::load(const QDomElement &e) |
| 200 |
@@ -751,7 +782,7 @@ void KGetMetalink::Metalink_v3::parseFiles(const QDomElement &e) |
| 201 |
|
| 202 |
for (QDomElement elem = filesElem.firstChildElement("file"); !elem.isNull(); elem = elem.nextSiblingElement("file")) { |
| 203 |
File file; |
| 204 |
- file.name = elem.attribute("name"); |
| 205 |
+ file.name = QUrl::fromPercentEncoding(elem.attribute("name").toAscii()); |
| 206 |
file.size = elem.firstChildElement("size").text().toULongLong(); |
| 207 |
|
| 208 |
file.data = parseCommonData(elem); |
| 209 |
diff --git a/kget/ui/metalinkcreator/metalinker.h b/kget/ui/metalinkcreator/metalinker.h |
| 210 |
index 36b5b82..867d1a7 100644 |
| 211 |
--- a/kget/ui/metalinkcreator/metalinker.h |
| 212 |
+++ b/kget/ui/metalinkcreator/metalinker.h |
| 213 |
@@ -259,6 +259,14 @@ class File |
| 214 |
KIO::filesize_t size; |
| 215 |
CommonData data; |
| 216 |
Resources resources; |
| 217 |
+ |
| 218 |
+ private: |
| 219 |
+ /** |
| 220 |
+ * Controlls if the name attribute is valid, i.e. it is not empty and |
| 221 |
+ * does not contain any directory traversal directives or information, |
| 222 |
+ * as described in the Metalink 4.0 specification 4.1.2.1. |
| 223 |
+ */ |
| 224 |
+ bool isValidNameAttribute() const; |
| 225 |
}; |
| 226 |
|
| 227 |
class Files |
Archives