From kde-commits Sun Jul 26 03:39:56 2009
From: Kevin Kofler
Date: Sun, 26 Jul 2009 03:39:56 +0000
To: kde-commits
Subject: KDE/kdelibs/khtml/css
Message-Id: <1248579596.054726.9506.nullmailer () svn ! kde ! org>
X-MARC-Message: https://marc.info/?l=kde-commits&m=124857960218367
SVN commit 1002474 by kkofler:
KHTML CSS parser: fix handling of the CSS "style" attribute content (CVE-2009-1698).
Forward port of the RHEL 5 patch against kdelibs 3.5.4.
M +3 -1 css_valueimpl.cpp
M +10 -1 cssparser.cpp
--- trunk/KDE/kdelibs/khtml/css/css_valueimpl.cpp #1002473:1002474
@@ -1212,7 +1212,9 @@
 text = getValueName(m_value.ident);
 break;
 case CSSPrimitiveValue::CSS_ATTR:
- // ###
+ text = "attr(";
+ text += DOMString( m_value.string );
+ text += ")";
 break;
 case CSSPrimitiveValue::CSS_COUNTER:
 text = "counter(";
--- trunk/KDE/kdelibs/khtml/css/cssparser.cpp #1002473:1002474
@@ -1513,6 +1513,14 @@
 if ( args->size() != 1) return false;
 Value *a = args->current();
+ if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
+ isValid=false;
+ break;
+ }
+ if (qString(a->string)[0] == '-') {
+ isValid=false;
+ break;
+ }
 parsedValue = new CSSPrimitiveValueImpl(domString(a->string), CSSPrimitiveValue::CSS_ATTR);
 } else
@@ -1565,7 +1573,8 @@
 CounterImpl *counter = new CounterImpl;
 Value *i = args->current();
-// if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+ if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+ if (qString(i->string)[0] == '-') goto invalid;
 counter->m_identifier = domString(i->string);
 if (counters) {
 i = args->next();
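Review bot: The new CSS_ATTR branch emits m_value.string verbatim between `attr(` and `)` with no escaping, so the serialized text is only well-formed when every CSS_ATTR value carries a bare identifier; the cssparser.cpp side of this commit enforces that for values it creates, but nothing in this hunk records the dependency. A comment on the `text = "attr(";` line such as `// attr() takes a single bare identifier (rejected otherwise at parse time), so it is emitted unescaped` would make the invariant visible to whoever next touches either file. Whether a CSS_ATTR value can be built elsewhere with a non-identifier string cannot be seen from this hunk, so the comment should be confirmed against the other constructors. The enclosing function (the switch over the value's unit) starts and ends outside the hunk.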
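Review bot: `qString(a->string)[0] == '-'` reads the first character without first checking that the identifier is non-empty; on a temporary QString the subscript yields a QCharRef that compares as a null character when out of range rather than faulting, so this is not a crash, but `if (qString(a->string).startsWith('-'))` states the intent directly and does not lean on that behaviour. The counter() check in the following hunk uses the same `[0]` pattern and would benefit from the same change. The reason for refusing a leading '-' is also unexplained, and CSS identifiers may otherwise begin with one, so a one-line comment next to the check stating what a leading '-' would allow through would help the next reader. The unit check placed before any read of a->string appears to be the substantive fix, presumably because the string member is only meaningful for CSS_IDENT values — worth confirming against the Value definition. The enclosing function begins and ends outside the hunk.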