| From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001 |
| From: Nick Wellnhofer <wellnhofer@aevum.de> |
| Date: Sun, 24 Mar 2019 09:51:39 +0100 |
| Subject: [PATCH] Fix security framework bypass |
| |
| xsltCheckRead and xsltCheckWrite return -1 in case of error but callers |
| don't check for this condition and allow access. With a specially |
| crafted URL, xsltCheckRead could be tricked into returning an error |
| because of a supposedly invalid URL that would still be loaded |
| succesfully later on. |
| |
| Fixes #12. |
| |
| Thanks to Felix Wilhelm for the report. |
| |
| libxslt/documents.c | 18 ++++++++++-------- |
| libxslt/imports.c | 9 +++++---- |
| libxslt/transform.c | 9 +++++---- |
| libxslt/xslt.c | 9 +++++---- |
| 4 files changed, 25 insertions(+), 20 deletions(-) |
| |
| diff --git a/libxslt/documents.c b/libxslt/documents.c |
| index 3f3a7312..4aad11bb 100644 |
| |
| |
| @@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) { |
| int res; |
| |
| res = xsltCheckRead(ctxt->sec, ctxt, URI); |
| - if (res == 0) { |
| - xsltTransformError(ctxt, NULL, NULL, |
| - "xsltLoadDocument: read rights for %s denied\n", |
| - URI); |
| + if (res <= 0) { |
| + if (res == 0) |
| + xsltTransformError(ctxt, NULL, NULL, |
| + "xsltLoadDocument: read rights for %s denied\n", |
| + URI); |
| return(NULL); |
| } |
| } |
| @@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) { |
| int res; |
| |
| res = xsltCheckRead(sec, NULL, URI); |
| - if (res == 0) { |
| - xsltTransformError(NULL, NULL, NULL, |
| - "xsltLoadStyleDocument: read rights for %s denied\n", |
| - URI); |
| + if (res <= 0) { |
| + if (res == 0) |
| + xsltTransformError(NULL, NULL, NULL, |
| + "xsltLoadStyleDocument: read rights for %s denied\n", |
| + URI); |
| return(NULL); |
| } |
| } |
| diff --git a/libxslt/imports.c b/libxslt/imports.c |
| index 874870cc..3783b247 100644 |
| |
| |
| @@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) { |
| int secres; |
| |
| secres = xsltCheckRead(sec, NULL, URI); |
| - if (secres == 0) { |
| - xsltTransformError(NULL, NULL, NULL, |
| - "xsl:import: read rights for %s denied\n", |
| - URI); |
| + if (secres <= 0) { |
| + if (secres == 0) |
| + xsltTransformError(NULL, NULL, NULL, |
| + "xsl:import: read rights for %s denied\n", |
| + URI); |
| goto error; |
| } |
| } |
| diff --git a/libxslt/transform.c b/libxslt/transform.c |
| index 13793914..0636dbd0 100644 |
| |
| |
| @@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node, |
| */ |
| if (ctxt->sec != NULL) { |
| ret = xsltCheckWrite(ctxt->sec, ctxt, filename); |
| - if (ret == 0) { |
| - xsltTransformError(ctxt, NULL, inst, |
| - "xsltDocumentElem: write rights for %s denied\n", |
| - filename); |
| + if (ret <= 0) { |
| + if (ret == 0) |
| + xsltTransformError(ctxt, NULL, inst, |
| + "xsltDocumentElem: write rights for %s denied\n", |
| + filename); |
| xmlFree(URL); |
| xmlFree(filename); |
| return; |
| diff --git a/libxslt/xslt.c b/libxslt/xslt.c |
| index 780a5ad7..a234eb79 100644 |
| |
| |
| @@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) { |
| int res; |
| |
| res = xsltCheckRead(sec, NULL, filename); |
| - if (res == 0) { |
| - xsltTransformError(NULL, NULL, NULL, |
| - "xsltParseStylesheetFile: read rights for %s denied\n", |
| - filename); |
| + if (res <= 0) { |
| + if (res == 0) |
| + xsltTransformError(NULL, NULL, NULL, |
| + "xsltParseStylesheetFile: read rights for %s denied\n", |
| + filename); |
| return(NULL); |
| } |
| } |
| -- |
| 2.24.1 |
| |