[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-commits
Subject:    KDE/kdelibs/khtml/css
From:       Kevin Kofler <kevin.kofler () chello ! at>
Date:       2009-07-26 3:39:56
Message-ID: 1248579596.054726.9506.nullmailer () svn ! kde ! org
[Download RAW message or body]

SVN commit 1002474 by kkofler:

KHTML CSS parser: fix handling of the CSS "style" attribute content (CVE-2009-1698). \
Forward port of the RHEL 5 patch against kdelibs 3.5.4.

 M  +3 -1      css_valueimpl.cpp  
 M  +10 -1     cssparser.cpp  


--- trunk/KDE/kdelibs/khtml/css/css_valueimpl.cpp #1002473:1002474
@@ -1212,7 +1212,9 @@
 	    text = getValueName(m_value.ident);
 	    break;
 	case CSSPrimitiveValue::CSS_ATTR:
-	    // ###
+            text = "attr(";
+            text += DOMString( m_value.string );
+            text += ")";
 	    break;
 	case CSSPrimitiveValue::CSS_COUNTER:
             text = "counter(";
--- trunk/KDE/kdelibs/khtml/css/cssparser.cpp #1002473:1002474
@@ -1513,6 +1513,14 @@
                 if ( args->size() != 1)
                     return false;
                 Value *a = args->current();
+                if (a->unit != CSSPrimitiveValue::CSS_IDENT) {
+                    isValid=false;
+                    break;
+                }
+                if (qString(a->string)[0] == '-') {
+                    isValid=false;
+                    break;
+                }
                 parsedValue = new CSSPrimitiveValueImpl(domString(a->string), \
CSSPrimitiveValue::CSS_ATTR);  }
             else
@@ -1565,7 +1573,8 @@
 
     CounterImpl *counter = new CounterImpl;
     Value *i = args->current();
-//    if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+    if (i->unit != CSSPrimitiveValue::CSS_IDENT) goto invalid;
+    if (qString(i->string)[0] == '-') goto invalid;
     counter->m_identifier = domString(i->string);
     if (counters) {
         i = args->next();


[prev in list] [next in list] [prev in thread] [next in thread]