| blob | 260f35d1a35e768c478c2aebc3f6eed38bba1b89 |
1 From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
2 From: Nick Wellnhofer <wellnhofer@aevum.de>
3 Date: Sun, 24 Mar 2019 09:51:39 +0100
4 Subject: [PATCH] Fix security framework bypass
6 xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
7 don't check for this condition and allow access. With a specially
8 crafted URL, xsltCheckRead could be tricked into returning an error
9 because of a supposedly invalid URL that would still be loaded
10 succesfully later on.
12 Fixes #12.
14 Thanks to Felix Wilhelm for the report.
15 ---
16 libxslt/documents.c | 18 ++++++++++--------
17 libxslt/imports.c | 9 +++++----
18 libxslt/transform.c | 9 +++++----
19 libxslt/xslt.c | 9 +++++----
20 4 files changed, 25 insertions(+), 20 deletions(-)
22 diff --git a/libxslt/documents.c b/libxslt/documents.c
23 index 3f3a7312..4aad11bb 100644
24 --- a/libxslt/documents.c
25 +++ b/libxslt/documents.c
26 @@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
27 int res;
29 res = xsltCheckRead(ctxt->sec, ctxt, URI);
30 - if (res == 0) {
31 - xsltTransformError(ctxt, NULL, NULL,
32 - "xsltLoadDocument: read rights for %s denied\n",
33 - URI);
34 + if (res <= 0) {
35 + if (res == 0)
36 + xsltTransformError(ctxt, NULL, NULL,
37 + "xsltLoadDocument: read rights for %s denied\n",
38 + URI);
39 return(NULL);
40 }
41 }
42 @@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
43 int res;
45 res = xsltCheckRead(sec, NULL, URI);
46 - if (res == 0) {
47 - xsltTransformError(NULL, NULL, NULL,
48 - "xsltLoadStyleDocument: read rights for %s denied\n",
49 - URI);
50 + if (res <= 0) {
51 + if (res == 0)
52 + xsltTransformError(NULL, NULL, NULL,
53 + "xsltLoadStyleDocument: read rights for %s denied\n",
54 + URI);
55 return(NULL);
56 }
57 }
58 diff --git a/libxslt/imports.c b/libxslt/imports.c
59 index 874870cc..3783b247 100644
60 --- a/libxslt/imports.c
61 +++ b/libxslt/imports.c
62 @@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
63 int secres;
65 secres = xsltCheckRead(sec, NULL, URI);
66 - if (secres == 0) {
67 - xsltTransformError(NULL, NULL, NULL,
68 - "xsl:import: read rights for %s denied\n",
69 - URI);
70 + if (secres <= 0) {
71 + if (secres == 0)
72 + xsltTransformError(NULL, NULL, NULL,
73 + "xsl:import: read rights for %s denied\n",
74 + URI);
75 goto error;
76 }
77 }
78 diff --git a/libxslt/transform.c b/libxslt/transform.c
79 index 13793914..0636dbd0 100644
80 --- a/libxslt/transform.c
81 +++ b/libxslt/transform.c
82 @@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
83 */
84 if (ctxt->sec != NULL) {
85 ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
86 - if (ret == 0) {
87 - xsltTransformError(ctxt, NULL, inst,
88 - "xsltDocumentElem: write rights for %s denied\n",
89 - filename);
90 + if (ret <= 0) {
91 + if (ret == 0)
92 + xsltTransformError(ctxt, NULL, inst,
93 + "xsltDocumentElem: write rights for %s denied\n",
94 + filename);
95 xmlFree(URL);
96 xmlFree(filename);
97 return;
98 diff --git a/libxslt/xslt.c b/libxslt/xslt.c
99 index 780a5ad7..a234eb79 100644
100 --- a/libxslt/xslt.c
101 +++ b/libxslt/xslt.c
102 @@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
103 int res;
105 res = xsltCheckRead(sec, NULL, filename);
106 - if (res == 0) {
107 - xsltTransformError(NULL, NULL, NULL,
108 - "xsltParseStylesheetFile: read rights for %s denied\n",
109 - filename);
110 + if (res <= 0) {
111 + if (res == 0)
112 + xsltTransformError(NULL, NULL, NULL,
113 + "xsltParseStylesheetFile: read rights for %s denied\n",
114 + filename);
115 return(NULL);
116 }
117 }
118 --
119 2.18.1