lib/libxslt
1
0
Fork 0
mirror of https://gitlab.gnome.org/GNOME/libxslt synced 2025-11-04 00:53:12 +03:00
Code Activity

Fix security framework bypass

Browse Source 
xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
don't check for this condition and allow access. With a specially
crafted URL, xsltCheckRead could be tricked into returning an error
because of a supposedly invalid URL that would still be loaded
succesfully later on.

Fixes #12.

Thanks to Felix Wilhelm for the report.
This commit is contained in:
Nick Wellnhofer
2019-03-24 09:51:39 +01:00
parent eb48a90019
commit e03553605b
4 changed files with 25 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
libxslt/documents.c
View File

@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
int res; int res;
res = xsltCheckRead(ctxt->sec, ctxt, URI); res = xsltCheckRead(ctxt->sec, ctxt, URI);
if (res == 0) { if (res <= 0) {
xsltTransformError(ctxt, NULL, NULL, if (res == 0)
"xsltLoadDocument: read rights for %s denied\n", xsltTransformError(ctxt, NULL, NULL,
URI); "xsltLoadDocument: read rights for %s denied\n",
URI);
return(NULL); return(NULL);
} }
} }
@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
int res; int res;
res = xsltCheckRead(sec, NULL, URI); res = xsltCheckRead(sec, NULL, URI);
if (res == 0) { if (res <= 0) {
xsltTransformError(NULL, NULL, NULL, if (res == 0)
"xsltLoadStyleDocument: read rights for %s denied\n", xsltTransformError(NULL, NULL, NULL,
URI); "xsltLoadStyleDocument: read rights for %s denied\n",
URI);
return(NULL); return(NULL);
} }
} }

9
libxslt/imports.c
View File

@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
int secres; int secres;
secres = xsltCheckRead(sec, NULL, URI); secres = xsltCheckRead(sec, NULL, URI);
if (secres == 0) { if (secres <= 0) {
xsltTransformError(NULL, NULL, NULL, if (secres == 0)
"xsl:import: read rights for %s denied\n", xsltTransformError(NULL, NULL, NULL,
URI); "xsl:import: read rights for %s denied\n",
URI);
goto error; goto error;
} }
} }

9
libxslt/transform.c
View File

@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
*/ */
if (ctxt->sec != NULL) { if (ctxt->sec != NULL) {
ret = xsltCheckWrite(ctxt->sec, ctxt, filename); ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
if (ret == 0) { if (ret <= 0) {
xsltTransformError(ctxt, NULL, inst, if (ret == 0)
"xsltDocumentElem: write rights for %s denied\n", xsltTransformError(ctxt, NULL, inst,
filename); "xsltDocumentElem: write rights for %s denied\n",
filename);
xmlFree(URL); xmlFree(URL);
xmlFree(filename); xmlFree(filename);
return; return;

9
libxslt/xslt.c
View File

@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
int res; int res;
res = xsltCheckRead(sec, NULL, filename); res = xsltCheckRead(sec, NULL, filename);
if (res == 0) { if (res <= 0) {
xsltTransformError(NULL, NULL, NULL, if (res == 0)
"xsltParseStylesheetFile: read rights for %s denied\n", xsltTransformError(NULL, NULL, NULL,
filename); "xsltParseStylesheetFile: read rights for %s denied\n",
filename);
return(NULL); return(NULL);
} }
} }