
List:       kde-commits
Subject:    KDE/kdelibs/khtml/ecma
From:       Maks Orlovich <maksim () kde ! org>
Date:       2009-09-19 17:41:44
Message-ID: 1253382104.704240.25515.nullmailer () svn ! kde ! org

SVN commit 1025795 by orlovich:

automatically merged revision 1016302:
Add an HTMLSelection::remove(HTMLOptionElement*) overload; the ebay.fr front page needs it. Also, make the silly DoS guard on .length actually cover all paths that change it.

BUG:204044

 M  +14 -9     kjs_html.cpp  


--- trunk/KDE/kdelibs/khtml/ecma/kjs_html.cpp #1025794:1025795
@@ -69,9 +69,6 @@
 #include <QtCore/QList>
 #include <QtCore/QHash>
 
-// CVE-2009-2537 (vendors agreed on max 10000 elements)
-#define MAX_SELECT_LENGTH 10000
-
 using namespace DOM;
 
 namespace KJS {
@@ -467,7 +464,7 @@
     }
     case DesignMode:
         doc.setDesignMode((value->toString(exec).qstring().toLower()=="on"));
-        return;  
+        return;
   }
 
   /* The rest of the properties require a body. Note that Doc::body may be the
@@ -2158,7 +2155,12 @@
         return jsUndefined();
       }
       else if (id == KJS::HTMLElement::SelectRemove) {
-        select.remove(int(args[0]->toNumber(exec)));
+        // Apparently this takes both elements and indices (ebay.fr)
+        DOM::NodeImpl* node = toNode(args[0]);
+        if (node && node->id() == ID_OPTION)
+          select.removeChild(node, exception);
+        else
+          select.remove(int(args[0]->toNumber(exec)));
         return jsUndefined();
       }
     }
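Review bot: `select.removeChild(node, exception)` on the new side only succeeds when the option is a direct child of the select; an `<option>` nested inside an `<optgroup>`, or one belonging to a different select, will presumably fail with a DOM exception through `exception` (declared outside the hunk), whereas the index path goes through the select's options collection, which per the DOM spec includes nested options. Consider resolving the element to its index in `select.options()` and routing both cases through `select.remove(index)`, or at least guarding the element case with `node->parentNode() == &select` before calling `removeChild`. Separately, the retained fallback `int(args[0]->toNumber(exec))` converts NaN, Infinity and out-of-range doubles to `int`, which is undefined behaviour in C++; `int(args[0]->toInt32(exec))`, if this KJS provides it, gives the ECMAScript-defined wrap-around conversion instead. The enclosing case body continues outside the hunk.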
@@ -2183,7 +2185,7 @@
       DOM::HTMLButtonElementImpl& button = \
static_cast<DOM::HTMLButtonElementImpl&>(element);  if (id == \
KJS::HTMLElement::ButtonClick) {  button.click();
-        return jsUndefined();      
+        return jsUndefined();
       }
     }
     break;
@@ -2459,9 +2461,6 @@
                                          JSObject *coll = \
getSelectHTMLCollection(exec, select.options(), &select)->getObject();  
                                          if ( coll )
-                                           if (value->toInteger(exec) >= \
                MAX_SELECT_LENGTH)
-                                             setDOMException(exec, \
                DOMException::INDEX_SIZE_ERR);
-                                           else
                                              coll->put(exec, "length", value);
                                          return;
                                        }
@@ -3219,6 +3218,12 @@
       return;
     }
 
+    // CVE-2009-2537 (vendors agreed on max 10000 elements)
+    if (newLen > 10000) {
+      setDOMException(exec, DOMException::INDEX_SIZE_ERR);
+      return;
+    }
+
     long diff = element->length() - newLen;
 
     if (diff < 0) { // add dummy elements
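Review bot: The guard `if (newLen > 10000)` hard-codes the limit that the removed `MAX_SELECT_LENGTH` macro used to name; give it a name again next to the CVE comment, e.g. `const long kMaxSelectLength = 10000; // CVE-2009-2537 (vendors agreed on max 10000 elements)` and `if (newLen > kMaxSelectLength) {`, so the number stays greppable and its meaning travels with it. Note also that the boundary silently moved from the old `>= MAX_SELECT_LENGTH` (which rejected 10000) to `> 10000` (which accepts it); if that is intentional, say so in the comment. The type of `newLen` and the early `return` just above come from outside the hunk — if `newLen` is signed and negative values are not rejected there, `newLen > 10000` passes and `diff = element->length() - newLen` goes positive, so a negative length should be rejected with the same `INDEX_SIZE_ERR`. The enclosing setter starts outside the hunk.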


