summaryrefslogtreecommitdiff
path: root/extra/libxslt/CVE-2011-1202.patch
blob: 61ea213c8097a3f0dc81e0782efc3ec58812fe7f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
From ecb6bcb8d1b7e44842edde3929f412d46b40c89f Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Tue, 22 Feb 2011 02:14:23 +0000
Subject: Fix generate-id() to not expose object addresses

As pointed out by Chris Evans <scarybeasts@gmail.com> it's better
security wise to not expose object addresses directly, use a diff
w.r.t. the document root own address to avoid this
* libxslt/functions.c: fix IDs generation code
---
diff --git a/libxslt/functions.c b/libxslt/functions.c
index 4720c7a..de962f4 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -654,8 +654,9 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
 void
 xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
     xmlNodePtr cur = NULL;
-    unsigned long val;
-    xmlChar str[20];
+    long val;
+    xmlChar str[30];
+    xmlDocPtr doc;
 
     if (nargs == 0) {
 	cur = ctxt->context->node;
@@ -694,9 +695,24 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
      * Okay this is ugly but should work, use the NodePtr address
      * to forge the ID
      */
-    val = (unsigned long)((char *)cur - (char *)0);
-    val /= sizeof(xmlNode);
-    sprintf((char *)str, "id%ld", val);
+    if (cur->type != XML_NAMESPACE_DECL)
+        doc = cur->doc;
+    else {
+        xmlNsPtr ns = (xmlNsPtr) cur;
+
+        if (ns->context != NULL)
+            doc = ns->context;
+        else
+            doc = ctxt->context->doc;
+
+    }
+
+    val = (long)((char *)cur - (char *)doc);
+    if (val >= 0) {
+      sprintf((char *)str, "idp%ld", val);
+    } else {
+      sprintf((char *)str, "idm%ld", -val);
+    }
     valuePush(ctxt, xmlXPathNewString(str));
 }
 
--
cgit v0.9.0.2