summaryrefslogtreecommitdiffstats
path: root/opensuse/core/tdelibs.old/kdelibs-3.5.10-cve-2009-2537-select-length.patch
diff options
context:
space:
mode:
authorRobert Xu <robxu9@gmail.com>2012-03-31 14:28:06 -0400
committerRobert Xu <robxu9@gmail.com>2012-03-31 14:28:06 -0400
commit59dd46ef985a719579132efa6a9aa49bfeeae112 (patch)
tree93d8c721ff263e67aaf59e364496862872ded8fb /opensuse/core/tdelibs.old/kdelibs-3.5.10-cve-2009-2537-select-length.patch
parentc141f0bc29b6e2eeda5ca08a043d26546a1427f9 (diff)
downloadtde-packaging-59dd46ef985a719579132efa6a9aa49bfeeae112.tar.gz
tde-packaging-59dd46ef985a719579132efa6a9aa49bfeeae112.zip
better late than never, hm...
Diffstat (limited to 'opensuse/core/tdelibs.old/kdelibs-3.5.10-cve-2009-2537-select-length.patch')
-rw-r--r--opensuse/core/tdelibs.old/kdelibs-3.5.10-cve-2009-2537-select-length.patch30
1 files changed, 30 insertions, 0 deletions
diff --git a/opensuse/core/tdelibs.old/kdelibs-3.5.10-cve-2009-2537-select-length.patch b/opensuse/core/tdelibs.old/kdelibs-3.5.10-cve-2009-2537-select-length.patch
new file mode 100644
index 000000000..5972b0a38
--- /dev/null
+++ b/opensuse/core/tdelibs.old/kdelibs-3.5.10-cve-2009-2537-select-length.patch
@@ -0,0 +1,30 @@
+diff -ur kdelibs-3.5.10/khtml/ecma/kjs_html.cpp kdelibs-3.5.10-cve-2009-2537-select-length/khtml/ecma/kjs_html.cpp
+--- kdelibs-3.5.10/khtml/ecma/kjs_html.cpp 2008-02-13 10:41:09.000000000 +0100
++++ kdelibs-3.5.10-cve-2009-2537-select-length/khtml/ecma/kjs_html.cpp 2009-07-26 04:54:52.000000000 +0200
+@@ -62,6 +62,9 @@
+
+ #include <kdebug.h>
+
++// CVE-2009-2537 (vendors agreed on max 10000 elements)
++#define MAX_SELECT_LENGTH 10000
++
+ namespace KJS {
+
+ KJS_DEFINE_PROTOTYPE_WITH_PROTOTYPE(HTMLDocumentProto, DOMDocumentProto)
+@@ -2550,8 +2553,14 @@
+ case SelectValue: { select.setValue(str); return; }
+ case SelectLength: { // read-only according to the NS spec, but webpages need it writeable
+ Object coll = Object::dynamicCast( getSelectHTMLCollection(exec, select.options(), select) );
+- if ( coll.isValid() )
+- coll.put(exec,"length",value);
++
++ if ( coll.isValid() ) {
++ if (value.toInteger(exec) >= MAX_SELECT_LENGTH) {
++ Object err = Error::create(exec, RangeError);
++ exec->setException(err);
++ } else
++ coll.put(exec, "length", value);
++ }
+ return;
+ }
+ // read-only: form