1 |
reavertm 10/05/10 22:08:32 |
2 |
|
3 |
Added: kget-4.4.3_CVE-2010-1000.patch |
4 |
Log: |
5 |
CVE-2010-1000 |
6 |
(Portage version: 2.2_rc67/cvs/Linux x86_64) |
7 |
|
8 |
Revision Changes Path |
9 |
1.1 kde-base/kget/files/kget-4.4.3_CVE-2010-1000.patch |
10 |
|
11 |
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/kde-base/kget/files/kget-4.4.3_CVE-2010-1000.patch?rev=1.1&view=markup |
12 |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/kde-base/kget/files/kget-4.4.3_CVE-2010-1000.patch?rev=1.1&content-type=text/plain |
13 |
|
14 |
Index: kget-4.4.3_CVE-2010-1000.patch |
15 |
=================================================================== |
16 |
diff --git a/kget/transfer-plugins/metalink/metalink.cpp b/kget/transfer-plugins/metalink/metalink.cpp |
17 |
index 605d4e1..c7d5d75 100644 |
18 |
--- a/kget/transfer-plugins/metalink/metalink.cpp |
19 |
+++ b/kget/transfer-plugins/metalink/metalink.cpp |
20 |
@@ -99,6 +99,7 @@ void Metalink::start() |
21 |
void Metalink::metalinkInit(const KUrl &src, const QByteArray &data) |
22 |
{ |
23 |
kDebug(5001); |
24 |
+ |
25 |
bool justDownloaded = !m_localMetalinkLocation.isValid(); |
26 |
if (!src.isEmpty()) |
27 |
{ |
28 |
@@ -121,7 +122,9 @@ void Metalink::metalinkInit(const KUrl &src, const QByteArray &data) |
29 |
//error |
30 |
if (!m_metalink.isValid()) |
31 |
{ |
32 |
- kDebug(5001) << "Unknown error when trying to load the .metalink-file"; |
33 |
+ kError(5001) << "Unknown error when trying to load the .metalink-file. Metalink is not valid."; |
34 |
+ setStatus(Job::Aborted); |
35 |
+ setTransferChange(Tc_Status, true); |
36 |
return; |
37 |
} |
38 |
|
39 |
@@ -202,7 +205,7 @@ void Metalink::metalinkInit(const KUrl &src, const QByteArray &data) |
40 |
if (!m_dataSourceFactory.size()) |
41 |
{ |
42 |
KMessageBox::error(0, i18n("Download failed, no working URLs were found."), i18n("Error")); |
43 |
- setStatus(Job::Aborted, i18n("An error occurred...."), SmallIcon("document-preview")); |
44 |
+ setStatus(Job::Aborted); |
45 |
setTransferChange(Tc_Status, true); |
46 |
return; |
47 |
} |
48 |
@@ -227,16 +230,29 @@ void Metalink::metalinkInit(const KUrl &src, const QByteArray &data) |
49 |
ui.treeView->hideColumn(FileItem::SignatureVerified); |
50 |
dialog->setMainWidget(widget); |
51 |
dialog->setCaption(i18n("File Selection")); |
52 |
- dialog->setButtons(KDialog::Ok); |
53 |
- connect(dialog, SIGNAL(finished()), this, SLOT(filesSelected())); |
54 |
+ dialog->setButtons(KDialog::Ok | KDialog::Cancel); |
55 |
+ connect(dialog, SIGNAL(finished(int)), this, SLOT(fileDlgFinished(int))); |
56 |
|
57 |
dialog->show(); |
58 |
} |
59 |
} |
60 |
|
61 |
-void Metalink::filesSelected() |
62 |
+void Metalink::fileDlgFinished(int result) |
63 |
{ |
64 |
+ //BEGIN HACK if the dialog was not accepted untick every file, so that the download does not start |
65 |
+ //generally setStatus should do the job as well, but does not as it appears |
66 |
+ if (result != QDialog::Accepted) { |
67 |
+ for (int row = 0; row < fileModel()->rowCount(); ++row) { |
68 |
+ QModelIndex index = fileModel()->index(row, FileItem::File); |
69 |
+ if (index.isValid()) { |
70 |
+ fileModel()->setData(index, Qt::Unchecked, Qt::CheckStateRole); |
71 |
+ } |
72 |
+ } |
73 |
+ } |
74 |
+ //END |
75 |
+ |
76 |
QModelIndexList files = fileModel()->fileIndexes(FileItem::File); |
77 |
+ int numFilesSelected = 0; |
78 |
foreach (const QModelIndex &index, files) |
79 |
{ |
80 |
const KUrl dest = fileModel()->getUrl(index); |
81 |
@@ -244,6 +260,9 @@ void Metalink::filesSelected() |
82 |
if (m_dataSourceFactory.contains(dest)) |
83 |
{ |
84 |
m_dataSourceFactory[dest]->setDoDownload(doDownload); |
85 |
+ if (doDownload) { |
86 |
+ ++numFilesSelected; |
87 |
+ } |
88 |
} |
89 |
} |
90 |
|
91 |
@@ -252,9 +271,15 @@ void Metalink::filesSelected() |
92 |
processedSizeChanged(); |
93 |
speedChanged(); |
94 |
|
95 |
+ //no files selected to download or dialog rejected, stop the download |
96 |
+ if (!numFilesSelected || (result != QDialog::Accepted)) { |
97 |
+ setStatus(Job::Stopped);//FIXME |
98 |
+ setTransferChange(Tc_Status, true); |
99 |
+ return; |
100 |
+ } |
101 |
+ |
102 |
//some files may be set to download, so start them as long as the transfer is not stopped |
103 |
- if (status() != Job::Stopped) |
104 |
- { |
105 |
+ if (status() != Job::Stopped) { |
106 |
startMetalink(); |
107 |
} |
108 |
} |
109 |
diff --git a/kget/transfer-plugins/metalink/metalink.h b/kget/transfer-plugins/metalink/metalink.h |
110 |
index 41988cb..15e8698 100644 |
111 |
--- a/kget/transfer-plugins/metalink/metalink.h |
112 |
+++ b/kget/transfer-plugins/metalink/metalink.h |
113 |
@@ -81,7 +81,7 @@ class Metalink : public Transfer |
114 |
|
115 |
private Q_SLOTS: |
116 |
void metalinkInit(const KUrl &url = KUrl(), const QByteArray &data = QByteArray()); |
117 |
- void filesSelected(); |
118 |
+ void fileDlgFinished(int result); |
119 |
void totalSizeChanged(KIO::filesize_t size); |
120 |
void processedSizeChanged(); |
121 |
void speedChanged(); |
122 |
diff --git a/kget/ui/metalinkcreator/metalinker.cpp b/kget/ui/metalinkcreator/metalinker.cpp |
123 |
index 9487c6f..019b571 100644 |
124 |
--- a/kget/ui/metalinkcreator/metalinker.cpp |
125 |
+++ b/kget/ui/metalinkcreator/metalinker.cpp |
126 |
@@ -528,14 +528,14 @@ void KGetMetalink::Verification::clear() |
127 |
|
128 |
bool KGetMetalink::File::isValid() const |
129 |
{ |
130 |
- return !name.isEmpty() && resources.isValid(); |
131 |
+ return isValidNameAttribute() && resources.isValid(); |
132 |
} |
133 |
|
134 |
void KGetMetalink::File::load(const QDomElement &e) |
135 |
{ |
136 |
data.load(e); |
137 |
|
138 |
- name = e.attribute("name"); |
139 |
+ name = QUrl::fromPercentEncoding(e.attribute("name").toAscii()); |
140 |
size = e.firstChildElement("size").text().toULongLong(); |
141 |
|
142 |
verification.load(e); |
143 |
@@ -575,6 +575,22 @@ void KGetMetalink::File::clear() |
144 |
resources.clear(); |
145 |
} |
146 |
|
147 |
+ |
148 |
+bool KGetMetalink::File::isValidNameAttribute() const |
149 |
+{ |
150 |
+ if (name.isEmpty()) { |
151 |
+ kError(5001) << "Name attribute of Metalink::File is empty."; |
152 |
+ return false; |
153 |
+ } |
154 |
+ |
155 |
+ if (name.contains(QRegExp("$(\\.\\.?)?/")) || name.contains("/../") || name.endsWith("/..")) { |
156 |
+ kError(5001) << "Name attribute of Metalink::File contains directory traversal directives:" << name; |
157 |
+ return false; |
158 |
+ } |
159 |
+ |
160 |
+ return true; |
161 |
+} |
162 |
+ |
163 |
#ifdef HAVE_NEPOMUK |
164 |
QHash<QUrl, Nepomuk::Variant> KGetMetalink::File::properties() const |
165 |
{ |
166 |
@@ -584,13 +600,28 @@ QHash<QUrl, Nepomuk::Variant> KGetMetalink::File::properties() const |
167 |
|
168 |
bool KGetMetalink::Files::isValid() const |
169 |
{ |
170 |
- bool isValid = !files.empty(); |
171 |
- foreach (const File &file, files) |
172 |
- { |
173 |
- isValid &= file.isValid(); |
174 |
+ if (files.isEmpty()) { |
175 |
+ return false; |
176 |
} |
177 |
|
178 |
- return isValid; |
179 |
+ QStringList fileNames; |
180 |
+ foreach (const File &file, files) { |
181 |
+ fileNames << file.name; |
182 |
+ if (!file.isValid()) { |
183 |
+ return false; |
184 |
+ } |
185 |
+ } |
186 |
+ |
187 |
+ //The value of name must be unique for each file |
188 |
+ while (!fileNames.isEmpty()) { |
189 |
+ const QString fileName = fileNames.takeFirst(); |
190 |
+ if (fileNames.contains(fileName)) { |
191 |
+ kError(5001) << "Metalink::File name" << fileName << "exists multiple times."; |
192 |
+ return false; |
193 |
+ } |
194 |
+ } |
195 |
+ |
196 |
+ return true; |
197 |
} |
198 |
|
199 |
void KGetMetalink::Files::load(const QDomElement &e) |
200 |
@@ -751,7 +782,7 @@ void KGetMetalink::Metalink_v3::parseFiles(const QDomElement &e) |
201 |
|
202 |
for (QDomElement elem = filesElem.firstChildElement("file"); !elem.isNull(); elem = elem.nextSiblingElement("file")) { |
203 |
File file; |
204 |
- file.name = elem.attribute("name"); |
205 |
+ file.name = QUrl::fromPercentEncoding(elem.attribute("name").toAscii()); |
206 |
file.size = elem.firstChildElement("size").text().toULongLong(); |
207 |
|
208 |
file.data = parseCommonData(elem); |
209 |
diff --git a/kget/ui/metalinkcreator/metalinker.h b/kget/ui/metalinkcreator/metalinker.h |
210 |
index 36b5b82..867d1a7 100644 |
211 |
--- a/kget/ui/metalinkcreator/metalinker.h |
212 |
+++ b/kget/ui/metalinkcreator/metalinker.h |
213 |
@@ -259,6 +259,14 @@ class File |
214 |
KIO::filesize_t size; |
215 |
CommonData data; |
216 |
Resources resources; |
217 |
+ |
218 |
+ private: |
219 |
+ /** |
220 |
+ * Controlls if the name attribute is valid, i.e. it is not empty and |
221 |
+ * does not contain any directory traversal directives or information, |
222 |
+ * as described in the Metalink 4.0 specification 4.1.2.1. |
223 |
+ */ |
224 |
+ bool isValidNameAttribute() const; |
225 |
}; |
226 |
|
227 |
class Files |