List: kde-commits
Subject: KDE/kdelibs/khtml/ecma
From: Jaroslav Řezník <jreznik () redhat ! com>
Date: 2009-07-22 15:06:32
Message-ID: 1248275192.431245.3299.nullmailer () svn ! kde ! org
SVN commit 1001060 by jreznik:
cve-2009-2573 - big value caused DoS, limited to 10000 elements
M +8 -1 kjs_html.cpp
--- trunk/KDE/kdelibs/khtml/ecma/kjs_html.cpp #1001059:1001060
@@ -69,6 +69,9 @@
#include <QtCore/QList>
#include <QtCore/QHash>
+// CVE-2009-2537 (vendors agreed on max 10000 elements)
+#define MAX_SELECT_LENGTH 10000
+
using namespace DOM;
namespace KJS {
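Review bot: The comment added above `MAX_SELECT_LENGTH` cites CVE-2009-2537, while the commit log says cve-2009-2573; one of the two is transposed and should be corrected so the limit can be traced to the right advisory. The constant is also a file-scope `#define` placed before `using namespace DOM;`, so it is visible to everything that follows in the translation unit. A typed constant inside `namespace KJS`, for example `static const int MAX_SELECT_LENGTH = 10000;`, would keep it scoped and type-checked.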
@@ -2454,8 +2457,12 @@
case SelectValue: { select.setValue(str.implementation()); return; }
case SelectLength: { // read-only according to the NS spec, but \
webpages need it writeable
JSObject *coll = \
getSelectHTMLCollection(exec, select.options(), &select)->getObject();
+
if ( coll )
- coll->put(exec,"length",value);
+ if (value->toInteger(exec) >= \
MAX_SELECT_LENGTH)
+ \
setDOMException(exec, DOMException::INDEX_SIZE_ERR);
+ \
else
+ coll->put(exec, "length", value);
return;
}
// read-only: form
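Review bot: The length check and the write convert `value` separately: `value->toInteger(exec)` runs for the comparison, but `coll->put(exec, "length", value)` receives the original value and presumably converts it again, so the number stored is not guaranteed to be the number that was checked. Converting once and passing the result on, e.g. `const double newLen = value->toInteger(exec);` followed by `coll->put(exec, "length", jsNumber(newLen));`, would tie the check to the stored value. The comparison `>= MAX_SELECT_LENGTH` also rejects exactly 10000, whereas the commit log says the limit is 10000 elements, so `>` may be what was meant. The cap sits only in this `SelectLength` case, so it is worth confirming that the collection's own length setter enforces the same limit; braces around the nested `if`/`else` under `if ( coll )` would make the binding explicit. The enclosing switch and function begin outside the hunk.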