summaryrefslogtreecommitdiff
path: root/system/libxslt/CVE-2019-11068.patch
blob: db0de8a55d845c8bcd4ef94708973196a7699b80 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Sun, 24 Mar 2019 09:51:39 +0100
Subject: [PATCH] Fix security framework bypass

xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
don't check for this condition and allow access. With a specially
crafted URL, xsltCheckRead could be tricked into returning an error
because of a supposedly invalid URL that would still be loaded
succesfully later on.

Fixes #12.

Thanks to Felix Wilhelm for the report.
---
 libxslt/documents.c | 18 ++++++++++--------
 libxslt/imports.c   |  9 +++++----
 libxslt/transform.c |  9 +++++----
 libxslt/xslt.c      |  9 +++++----
 4 files changed, 25 insertions(+), 20 deletions(-)

diff --git a/libxslt/documents.c b/libxslt/documents.c
index 3f3a7312..4aad11bb 100644
--- a/libxslt/documents.c
+++ b/libxslt/documents.c
@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
 	int res;
 
 	res = xsltCheckRead(ctxt->sec, ctxt, URI);
-	if (res == 0) {
-	    xsltTransformError(ctxt, NULL, NULL,
-		 "xsltLoadDocument: read rights for %s denied\n",
-			     URI);
+	if (res <= 0) {
+            if (res == 0)
+                xsltTransformError(ctxt, NULL, NULL,
+                     "xsltLoadDocument: read rights for %s denied\n",
+                                 URI);
 	    return(NULL);
 	}
     }
@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
 	int res;
 
 	res = xsltCheckRead(sec, NULL, URI);
-	if (res == 0) {
-	    xsltTransformError(NULL, NULL, NULL,
-		 "xsltLoadStyleDocument: read rights for %s denied\n",
-			     URI);
+	if (res <= 0) {
+            if (res == 0)
+                xsltTransformError(NULL, NULL, NULL,
+                     "xsltLoadStyleDocument: read rights for %s denied\n",
+                                 URI);
 	    return(NULL);
 	}
     }
diff --git a/libxslt/imports.c b/libxslt/imports.c
index 874870cc..3783b247 100644
--- a/libxslt/imports.c
+++ b/libxslt/imports.c
@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
 	int secres;
 
 	secres = xsltCheckRead(sec, NULL, URI);
-	if (secres == 0) {
-	    xsltTransformError(NULL, NULL, NULL,
-		 "xsl:import: read rights for %s denied\n",
-			     URI);
+	if (secres <= 0) {
+            if (secres == 0)
+                xsltTransformError(NULL, NULL, NULL,
+                     "xsl:import: read rights for %s denied\n",
+                                 URI);
 	    goto error;
 	}
     }
diff --git a/libxslt/transform.c b/libxslt/transform.c
index 13793914..0636dbd0 100644
--- a/libxslt/transform.c
+++ b/libxslt/transform.c
@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
      */
     if (ctxt->sec != NULL) {
 	ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
-	if (ret == 0) {
-	    xsltTransformError(ctxt, NULL, inst,
-		 "xsltDocumentElem: write rights for %s denied\n",
-			     filename);
+	if (ret <= 0) {
+            if (ret == 0)
+                xsltTransformError(ctxt, NULL, inst,
+                     "xsltDocumentElem: write rights for %s denied\n",
+                                 filename);
 	    xmlFree(URL);
 	    xmlFree(filename);
 	    return;
diff --git a/libxslt/xslt.c b/libxslt/xslt.c
index 780a5ad7..a234eb79 100644
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
 	int res;
 
 	res = xsltCheckRead(sec, NULL, filename);
-	if (res == 0) {
-	    xsltTransformError(NULL, NULL, NULL,
-		 "xsltParseStylesheetFile: read rights for %s denied\n",
-			     filename);
+	if (res <= 0) {
+            if (res == 0)
+                xsltTransformError(NULL, NULL, NULL,
+                     "xsltParseStylesheetFile: read rights for %s denied\n",
+                                 filename);
 	    return(NULL);
 	}
     }
-- 
2.21.0