kdelibs security fix
- To: ports_(_at_)_openbsd_(_dot_)_org
- Subject: kdelibs security fix
- From: Robert Nagy <robert_(_at_)_openbsd_(_dot_)_org>
- Date: Wed, 25 Aug 2004 01:03:42 +0200
Hi. Please test the following diff, because I'd like to commit
it before release. Try to run/use a lot of KDE apps with this patch.
http://www.kde.org/info/security/advisory-20040823-1.txt
Thanks.
Index: patches/patch-kioslave_http_kcookiejar_kcookiejar_cpp
===================================================================
RCS file: patches/patch-kioslave_http_kcookiejar_kcookiejar_cpp
diff -N patches/patch-kioslave_http_kcookiejar_kcookiejar_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-kioslave_http_kcookiejar_kcookiejar_cpp 24 Aug 2004 22:59:19 -0000
@@ -0,0 +1,65 @@
+$OpenBSD$
+--- kioslave/http/kcookiejar/kcookiejar.cpp.orig Sun May 30 16:24:43 2004
++++ kioslave/http/kcookiejar/kcookiejar.cpp Tue Aug 24 00:15:39 2004
+@@ -244,6 +244,14 @@
+ m_globalAdvice = KCookieDunno;
+ m_configChanged = false;
+ m_cookiesChanged = false;
++
++ QString twoLevelTLD="name,ai,au,bd,bh,ck,eg,et,fk,il,in,kh,kr,mk,mt,na,np,nz,pg,pk,qa,sa,sb,sg,sv,ua,ug,uk,uy,vn,za,zw";
++ QStringList countries = QStringList::split(',', twoLevelTLD);
++ for(QStringList::ConstIterator it = countries.begin();
++ it != countries.end(); ++it)
++ {
++ m_twoLevelTLD.replace(*it, (int *) 1);
++ }
+ }
+
+ //
+@@ -528,14 +536,14 @@
+
+ }
+
+-static void stripDomain(const QString &_fqdn, QString &_domain)
++void KCookieJar::stripDomain(const QString &_fqdn, QString &_domain)
+ {
+ QStringList domains;
+- KCookieJar::extractDomains(_fqdn, domains);
++ extractDomains(_fqdn, domains);
+ _domain = domains[0];
+ }
+
+-static QString stripDomain( KHttpCookiePtr cookiePtr)
++QString KCookieJar::stripDomain( KHttpCookiePtr cookiePtr)
+ {
+ QString domain; // We file the cookie under this domain.
+ if (cookiePtr->domain().isEmpty())
+@@ -620,6 +628,13 @@
+ {
+ if (partList.count() == 1)
+ break; // We only have a TLD left.
++
++ if ((partList.count() == 2) && (m_twoLevelTLD[partList[1].lower()]))
++ {
++ // This domain uses two-level TLDs in the form xxxx.yy
++ break;
++ }
++
+ if ((partList.count() == 2) && (partList[1].length() == 2))
+ {
+ // If this is a TLD, we should stop. (e.g. co.uk)
+@@ -633,14 +648,6 @@
+ if ((t == "com") || (t == "net") || (t == "org") || (t == "gov") || (t == "edu") || (t == "mil") || (t == "int"))
+ break;
+ }
+-
+- // The .name domain uses <name>.<surname>.name
+- // Although the TLD is striclty speaking .name, for our purpose
+- // it should be <surname>.name since people should not be able
+- // to set cookies for everyone with the same surname.
+- // Matches <surname>.name
+- if ((partList.count() == 2)&& (partList[1].lower() == L1("name")))
+- break;
+
+ QString domain = partList.join(L1("."));
+ _domains.append('.' + domain);
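Review bot: The `twoLevelTLD` string added to the constructor now decides where a cookie domain may stop under those suffixes, yet it has no comment saying where the list came from or how it is kept current. Any country code missing from it falls through to the older `partList[1].length() == 2` heuristic a few lines below, so the fix covers exactly the listed entries. A comment such as `// Suffixes where every xxxx.yy is a registry-level name; cookies must not be scoped to them. Update when registries change.` would make that explicit. Separately, `m_twoLevelTLD.replace(*it, (int *) 1);` stores a fake pointer as a presence flag, which is only safe while the dictionary never dereferences or auto-deletes its items; pointing every entry at one `static int` marker avoids the cast. The constructor and extractDomains both start and end outside the visible hunks.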
Index: patches/patch-kioslave_http_kcookiejar_kcookiejar_h
===================================================================
RCS file: patches/patch-kioslave_http_kcookiejar_kcookiejar_h
diff -N patches/patch-kioslave_http_kcookiejar_kcookiejar_h
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-kioslave_http_kcookiejar_kcookiejar_h 24 Aug 2004 22:59:19 -0000
@@ -0,0 +1,30 @@
+$OpenBSD$
+--- kioslave/http/kcookiejar/kcookiejar.h.orig Sun Nov 30 10:47:10 2003
++++ kioslave/http/kcookiejar/kcookiejar.h Tue Aug 24 00:15:39 2004
+@@ -306,8 +306,8 @@
+ /**
+ * Returns a list of domains (_domainList) relevant for this host.
+ */
+- static void extractDomains(const QString &_fqdn,
+- QStringList &_domainList);
++ void extractDomains(const QString &_fqdn,
++ QStringList &_domainList);
+
+ static QString adviceToStr(KCookieAdvice _advice);
+ static KCookieAdvice strToAdvice(const QString &_str);
+@@ -329,11 +329,15 @@
+ */
+ void setShowCookieDetails (bool value) { m_showCookieDetails = value; }
+
++protected:
++ void stripDomain(const QString &_fqdn, QString &_domain);
++ QString stripDomain( KHttpCookiePtr cookiePtr);
+
+ protected:
+ QStringList m_domainList;
+ KCookieAdvice m_globalAdvice;
+ QDict<KHttpCookieList> m_cookieDomains;
++ QDict<int> m_twoLevelTLD;
+
+ bool m_configChanged;
+ bool m_cookiesChanged;
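Review bot: Dropping `static` from `extractDomains` in the first hunk changes the public interface, so any caller that still writes `KCookieJar::extractDomains(...)` without an instance stops compiling. This patch set only shows kcookieserver.cpp being updated, so other users of the class (if any exist in the tree) should be checked. In the second hunk the new `stripDomain` overloads and `m_twoLevelTLD` are added without the `/** ... */` comments the neighbouring declarations have; something like `/** Set of top-level names under which every second-level name is treated as a registry suffix. */` on the member would help. The added `protected:` label is immediately followed by the existing `protected:`, so one of the two is redundant.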
Index: patches/patch-kioslave_http_kcookiejar_kcookiejar_kcookieserver_cpp
===================================================================
RCS file: patches/patch-kioslave_http_kcookiejar_kcookiejar_kcookieserver_cpp
diff -N patches/patch-kioslave_http_kcookiejar_kcookiejar_kcookieserver_cpp
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-kioslave_http_kcookiejar_kcookiejar_kcookieserver_cpp 24 Aug 2004 22:59:19 -0000
@@ -0,0 +1,30 @@
+$OpenBSD$
+--- kioslave/http/kcookiejar/kcookieserver.cpp.orig Wed Jun 11 16:13:29 2003
++++ kioslave/http/kcookiejar/kcookieserver.cpp Tue Aug 24 00:15:39 2004
+@@ -131,7 +131,7 @@
+ if (!KCookieJar::parseURL(url, fqdn, path))
+ return false;
+
+- KCookieJar::extractDomains( fqdn, domains );
++ mCookieJar->extractDomains( fqdn, domains );
+ for( KHttpCookie *cookie = mPendingCookies->first();
+ cookie != 0L;
+ cookie = mPendingCookies->next())
+@@ -557,7 +557,7 @@
+ if (KCookieJar::parseURL(url, fqdn, dummy))
+ {
+ QStringList domains;
+- KCookieJar::extractDomains(fqdn, domains);
++ mCookieJar->extractDomains(fqdn, domains);
+ mCookieJar->setDomainAdvice(domains[0],
+ KCookieJar::strToAdvice(advice));
+ }
+@@ -573,7 +573,7 @@
+ if (KCookieJar::parseURL(url, fqdn, dummy))
+ {
+ QStringList domains;
+- KCookieJar::extractDomains(fqdn, domains);
++ mCookieJar->extractDomains(fqdn, domains);
+ advice = mCookieJar->getDomainAdvice(domains[0]);
+ }
+ return KCookieJar::adviceToStr(advice);