lib/libxslt
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxslt synced 2025-11-04 00:53:12 +03:00
Code Activity

Fix security framework bypass

Browse Source 
xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
don't check for this condition and allow access. With a specially
crafted URL, xsltCheckRead could be tricked into returning an error
because of a supposedly invalid URL that would still be loaded
succesfully later on.

Fixes #12.

Thanks to Felix Wilhelm for the report.
This commit is contained in:
Nick Wellnhofer
2019-03-24 09:51:39 +01:00
parent eb48a90019
commit e03553605b
4 changed files with 25 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
libxslt/documents.c
View File

@@ -296,7 +296,8 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
int res; int res;
res = xsltCheckRead(ctxt->sec, ctxt, URI); res = xsltCheckRead(ctxt->sec, ctxt, URI);
if (res == 0) { if (res <= 0) {
if (res == 0)
xsltTransformError(ctxt, NULL, NULL, xsltTransformError(ctxt, NULL, NULL,
"xsltLoadDocument: read rights for %s denied\n", "xsltLoadDocument: read rights for %s denied\n",
URI); URI);
@@ -372,7 +373,8 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
int res; int res;
res = xsltCheckRead(sec, NULL, URI); res = xsltCheckRead(sec, NULL, URI);
if (res == 0) { if (res <= 0) {
if (res == 0)
xsltTransformError(NULL, NULL, NULL, xsltTransformError(NULL, NULL, NULL,
"xsltLoadStyleDocument: read rights for %s denied\n", "xsltLoadStyleDocument: read rights for %s denied\n",
URI); URI);

3
libxslt/imports.c
View File

@@ -130,7 +130,8 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
int secres; int secres;
secres = xsltCheckRead(sec, NULL, URI); secres = xsltCheckRead(sec, NULL, URI);
if (secres == 0) { if (secres <= 0) {
if (secres == 0)
xsltTransformError(NULL, NULL, NULL, xsltTransformError(NULL, NULL, NULL,
"xsl:import: read rights for %s denied\n", "xsl:import: read rights for %s denied\n",
URI); URI);

3
libxslt/transform.c
View File

@@ -3493,7 +3493,8 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
*/ */
if (ctxt->sec != NULL) { if (ctxt->sec != NULL) {
ret = xsltCheckWrite(ctxt->sec, ctxt, filename); ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
if (ret == 0) { if (ret <= 0) {
if (ret == 0)
xsltTransformError(ctxt, NULL, inst, xsltTransformError(ctxt, NULL, inst,
"xsltDocumentElem: write rights for %s denied\n", "xsltDocumentElem: write rights for %s denied\n",
filename); filename);

3
libxslt/xslt.c
View File

@@ -6763,7 +6763,8 @@ xsltParseStylesheetFile(const xmlChar* filename) {
int res; int res;
res = xsltCheckRead(sec, NULL, filename); res = xsltCheckRead(sec, NULL, filename);
if (res == 0) { if (res <= 0) {
if (res == 0)
xsltTransformError(NULL, NULL, NULL, xsltTransformError(NULL, NULL, NULL,
"xsltParseStylesheetFile: read rights for %s denied\n", "xsltParseStylesheetFile: read rights for %s denied\n",
filename); filename);