summaryrefslogtreecommitdiffstats
path: root/opensuse/tdelibs/kdelibs-3.5.10-cve-2009-2537-select-length.patch
diff options
context:
space:
mode:
authorRobert Xu <robxu9@gmail.com>2011-08-13 12:58:51 -0400
committerRobert Xu <robxu9@gmail.com>2011-08-13 12:58:51 -0400
commit46130378aea5fff80803409c2573e2ea31472cb9 (patch)
treecb5da908105e6577da7676f84ba9c7fbaba4fb52 /opensuse/tdelibs/kdelibs-3.5.10-cve-2009-2537-select-length.patch
parent53f2819f9af035a38ca08df1ede9e6cd24aa79ef (diff)
downloadtde-packaging-46130378aea5fff80803409c2573e2ea31472cb9.tar.gz
tde-packaging-46130378aea5fff80803409c2573e2ea31472cb9.zip
add dbus-1-tqt and libdbus-1-tqt-0; add unmodified tdelibs from kdelibs3
Diffstat (limited to 'opensuse/tdelibs/kdelibs-3.5.10-cve-2009-2537-select-length.patch')
-rw-r--r--opensuse/tdelibs/kdelibs-3.5.10-cve-2009-2537-select-length.patch30
1 files changed, 30 insertions, 0 deletions
diff --git a/opensuse/tdelibs/kdelibs-3.5.10-cve-2009-2537-select-length.patch b/opensuse/tdelibs/kdelibs-3.5.10-cve-2009-2537-select-length.patch
new file mode 100644
index 000000000..5972b0a38
--- /dev/null
+++ b/opensuse/tdelibs/kdelibs-3.5.10-cve-2009-2537-select-length.patch
@@ -0,0 +1,30 @@
+diff -ur kdelibs-3.5.10/khtml/ecma/kjs_html.cpp kdelibs-3.5.10-cve-2009-2537-select-length/khtml/ecma/kjs_html.cpp
+--- kdelibs-3.5.10/khtml/ecma/kjs_html.cpp 2008-02-13 10:41:09.000000000 +0100
++++ kdelibs-3.5.10-cve-2009-2537-select-length/khtml/ecma/kjs_html.cpp 2009-07-26 04:54:52.000000000 +0200
+@@ -62,6 +62,9 @@
+
+ #include <kdebug.h>
+
++// CVE-2009-2537 (vendors agreed on max 10000 elements)
++#define MAX_SELECT_LENGTH 10000
++
+ namespace KJS {
+
+ KJS_DEFINE_PROTOTYPE_WITH_PROTOTYPE(HTMLDocumentProto, DOMDocumentProto)
+@@ -2550,8 +2553,14 @@
+ case SelectValue: { select.setValue(str); return; }
+ case SelectLength: { // read-only according to the NS spec, but webpages need it writeable
+ Object coll = Object::dynamicCast( getSelectHTMLCollection(exec, select.options(), select) );
+- if ( coll.isValid() )
+- coll.put(exec,"length",value);
++
++ if ( coll.isValid() ) {
++ if (value.toInteger(exec) >= MAX_SELECT_LENGTH) {
++ Object err = Error::create(exec, RangeError);
++ exec->setException(err);
++ } else
++ coll.put(exec, "length", value);
++ }
+ return;
+ }
+ // read-only: form