[opensuse-contrib] [obs submit-request 107054] openSUSE:11.4:Contrib/kadu-qt4: created by Fisiu


home:Fisiu:branches:openSUSE:11.4:Contrib/kadu-qt4 ->
openSUSE:11.4:Contrib/kadu-qt4


https://build.opensuse.org/request/show/107054

Description: - Security fix: prevent injection of JS code into history. Fix bnc#749036.

changes files:
--------------
--- kadu.changes
+++ kadu.changes
@@ -1,0 +2,5 @@
+Sun Feb 26 11:36:07 UTC 2012 - fisiu@xxxxxxxxxxxx
+
+- Security fix: inject js code into history. Fix bnc#749036.
+
+-------------------------------------------------------------------

new:
----
kadu-inject-js-into-history-fix.patch

spec files:
-----------
--- kadu.spec
+++ kadu.spec
@@ -26,6 +26,8 @@
Url: http://www.kadu.net/
Group: Productivity/Networking/Instant Messenger
Source0: kadu-0.9.2.tar.bz2
+# PATCH-FIX-UPSTREAM -- kadu-inject-js-into-history-fix.patch -- Rafał
Malinowski <rafal.przemyslaw.malinowski@xxxxxxxxx>
+Patch0: kadu-inject-js-into-history-fix.patch
### 1x - External Modules ###
Source10: anonymous_check-0.6.6.1.tar.bz2
Source11: globalhotkeys-0.6.6-22.tar.gz
@@ -239,7 +241,7 @@
ver=${ver:0:2}.${ver:2:1}
sed -e "s:</b><br />: openSUSE $ver</b><br />:" -i
kadu-core/gui/windows/about.cpp
# apply patches
-# none atm
+%patch0

%build
%ifarch x86_64

other changes:
--------------

++++++ kadu-inject-js-into-history-fix.patch (new)
--- kadu-inject-js-into-history-fix.patch
+++ kadu-inject-js-into-history-fix.patch
@@ -0,0 +1,131 @@
+Index: kadu-core/gui/widgets/buddy-info-panel.cpp
+===================================================================
+--- kadu-core/gui/widgets/buddy-info-panel.cpp.orig
++++ kadu-core/gui/widgets/buddy-info-panel.cpp
+@@ -52,6 +52,11 @@ BuddyInfoPanel::BuddyInfoPanel(QWidget *
+ setAttribute(Qt::WA_OpaquePaintEvent, false);
+
+ connect(BuddyPreferredManager::instance(),
SIGNAL(buddyUpdated(Buddy&)), this, SLOT(buddyUpdated(Buddy&)));
++
++ page()->currentFrame()->evaluateJavaScript(
++ "XMLHttpRequest.prototype.open = function() { return false; };"
++ "XMLHttpRequest.prototype.send = function() { return false; };"
++ );
+ }
+
+ BuddyInfoPanel::~BuddyInfoPanel()
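Review bot: The XMLHttpRequest override added at the end of the BuddyInfoPanel constructor is evaluated once, before any content is loaded, and it probably does not survive the first load, because QtWebKit sets up a fresh JavaScript global object when a frame loads new content (this is what `javaScriptWindowObjectCleared()` signals). If the override is kept, it should be re-applied from a slot connected to that signal, for example a new slot wired with `connect(page()->mainFrame(), SIGNAL(javaScriptWindowObjectCleared()), this, SLOT(disableXhr()));`. The same call is added to the ChatMessagesView constructor in the next file and has the same problem. A prototype override is in any case only defence in depth, since script already running in the page can work around it, so the restriction in ChatViewNetworkAccessManager::createRequest is the one that has to hold.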
+Index: kadu-core/gui/widgets/chat-messages-view.cpp
+===================================================================
+--- kadu-core/gui/widgets/chat-messages-view.cpp.orig
++++ kadu-core/gui/widgets/chat-messages-view.cpp
+@@ -62,6 +62,11 @@ ChatMessagesView::ChatMessagesView(const
+ settings()->setAttribute(QWebSettings::JavascriptEnabled, true);
+ settings()->setAttribute(QWebSettings::PluginsEnabled, true);
+
++ page()->currentFrame()->evaluateJavaScript(
++ "XMLHttpRequest.prototype.open = function() { return false; };"
++ "XMLHttpRequest.prototype.send = function() { return false; };"
++ );
++
+ connectChat();
+
+ connect(this->page()->mainFrame(), SIGNAL(contentsSizeChanged(const
QSize &)), this, SLOT(scrollToBottom()));
+Index: kadu-core/gui/widgets/chat-view-network-access-manager.cpp
+===================================================================
+--- kadu-core/gui/widgets/chat-view-network-access-manager.cpp.orig
++++ kadu-core/gui/widgets/chat-view-network-access-manager.cpp
+@@ -36,6 +36,9 @@ ChatViewNetworkAccessManager::ChatViewNe
+
+ QNetworkReply *
ChatViewNetworkAccessManager::createRequest(QNetworkAccessManager::Operation
operation, const QNetworkRequest &request, QIODevice *device)
+ {
++ if (QNetworkAccessManager::GetOperation != operation &&
QNetworkAccessManager::HeadOperation != operation)
++ operation = QNetworkAccessManager::GetOperation;
++
+ if (request.url().scheme() != "kaduimg")
+ return QNetworkAccessManager::createRequest(operation, request,
device);
+
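Review bot: Coercing every non-GET/HEAD operation to GET at the top of createRequest still lets the request go out: for any scheme other than `kaduimg` it is forwarded to the base class with the original URL and `device`, so content rendered in the chat view can still trigger fetches to arbitrary hosts. If message content is not supposed to talk to the network, consider refusing the request instead of downgrading it, e.g. `return QNetworkAccessManager::createRequest(QNetworkAccessManager::GetOperation, QNetworkRequest(QUrl()));`, and checking `request.url().scheme()` against an allowlist of the schemes the chat styles need before the base-class call. A comment above the check such as `// chat content must never issue state-changing requests (bnc#749036)` would record why the operation is rewritten. The rest of createRequest lies outside this hunk.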
+Index: kadu-core/gui/widgets/chat-view-network-access-manager.h
+===================================================================
+--- kadu-core/gui/widgets/chat-view-network-access-manager.h.orig
++++ kadu-core/gui/widgets/chat-view-network-access-manager.h
+@@ -33,6 +33,7 @@ public:
+
+ protected:
+ virtual QNetworkReply * createRequest(Operation operation, const
QNetworkRequest &request, QIODevice *device);
++
+ };
+
+ #endif // CHAT_VIEW_NETWORK_ACCESS_MANAGER
+Index: modules/sql_history/storage/history-sql-storage.cpp
+===================================================================
+--- modules/sql_history/storage/history-sql-storage.cpp.orig
++++ modules/sql_history/storage/history-sql-storage.cpp
+@@ -23,6 +23,7 @@
+ */
+
+ #include <QtCore/QDir>
++#include <QtGui/QTextDocument>
+ #include <QtSql/QSqlError>
+ #include <QtSql/QSqlRecord>
+
+@@ -991,6 +992,20 @@ void HistorySqlStorage::executeQuery(QSq
+ kdebugm(KDEBUG_INFO, "db query: %s\n",
qPrintable(query.executedQuery()));
+ }
+
++QString HistorySqlStorage::stripAllScriptTags(const QString &string)
++{
++ QString beforeReplace = string;
++ QString afterReplace = beforeReplace;
++
++ afterReplace.replace("<script", "", Qt::CaseInsensitive);
++ while (beforeReplace != afterReplace)
++ {
++ beforeReplace = afterReplace;
++ afterReplace.replace("<script", "", Qt::CaseInsensitive);
++ }
++
++ return afterReplace;
++}
+
+ QList<Message> HistorySqlStorage::messagesFromQuery(QSqlQuery &query)
+ {
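Review bot: stripAllScriptTags deletes only the literal text `<script`, which makes it a denylist with a single entry: markup that runs script by other means (event-handler attributes, `javascript:` URLs, embedded frames or objects) passes through unchanged, and ChatMessagesView sets `JavascriptEnabled` on its view. The loop does cover the case where a removal joins the surrounding text into a new `<script`, and that deserves a comment such as `// repeat until stable: a removal can splice a new "<script" together`. messagesFromQuery (next hunk) presumably has to keep message formatting and so cannot use `Qt::escape` as statusesFromQuery and smsFromQuery do; a more robust fix there would rebuild the content from an allowlist of tags and attributes instead of deleting one known-bad token. The function also silently alters legitimate messages that happen to contain the text `<script`.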
+@@ -1014,7 +1029,7 @@ QList<Message> HistorySqlStorage::messag
+ message.setMessageChat(chat);
+ message.setType(type);
+ message.setMessageSender(sender);
+- message.setContent(query.value(2).toString());
++
message.setContent(stripAllScriptTags(query.value(2).toString()));
+ message.setSendDate(query.value(3).toDateTime());
+ message.setReceiveDate(query.value(4).toDateTime());
+ message.setStatus(outgoing ? Message::StatusDelivered :
Message::StatusReceived);
+@@ -1038,7 +1053,7 @@ QList<TimedStatus> HistorySqlStorage::st
+
+ Status status;
+ status.setType(query.value(1).toString());
+- status.setDescription(query.value(2).toString());
++ status.setDescription(Qt::escape(query.value(2).toString()));
+
+ TimedStatus timedStatus(status, query.value(3).toDateTime());
+
+@@ -1059,7 +1074,7 @@ QList<Message> HistorySqlStorage::smsFro
+ message.setType(Message::TypeSystem);
+ message.setReceiveDate(query.value(1).toDateTime());
+ message.setSendDate(query.value(1).toDateTime());
+- message.setContent(query.value(0).toString());
++ message.setContent(Qt::escape(query.value(0).toString()));
+
+ messages.append(message);
+ }
+Index: modules/sql_history/storage/history-sql-storage.h
+===================================================================
+--- modules/sql_history/storage/history-sql-storage.h.orig
++++ modules/sql_history/storage/history-sql-storage.h
+@@ -60,6 +60,8 @@ class HistorySqlStorage : public History
+ QString chatWhere(const Chat &chat);
+ QString buddyContactsWhere(const Buddy &buddy);
+
++ static QString stripAllScriptTags(const QString &string);
++
+ void executeQuery(QSqlQuery &query);
+ QList<Message> messagesFromQuery(QSqlQuery &query);
+ QList<TimedStatus> statusesFromQuery(QSqlQuery query);


To REVIEW against the previous version:
osc request show --diff 107054

To ACCEPT the request:
osc request accept 107054 --message="reviewed ok."

To DECLINE the request:
osc request decline 107054 --message="declined for reason xyz (see ... for
background / policy / ...)."

To REVOKE the request:
osc request revoke 107054 --message="retracted because ..., sorry / thx /
see better version ..."
--
Hermes messaging (http://hermes.opensuse.org)
openSUSE Build Service (https://build.opensuse.org/)
Collaboration: http://en.opensuse.org/Build_Service/Collaboration
