home:Fisiu:branches:openSUSE:11.4:Contrib/kadu-qt4 -> openSUSE:11.4:Contrib/kadu-qt4 https://build.opensuse.org/request/show/107054 Description: - Security fix: inject js code into history. Fix bnc#749036. changes files: -------------- --- kadu.changes +++ kadu.changes @@ -1,0 +2,5 @@ +Sun Feb 26 11:36:07 UTC 2012 - fisiu@opensuse.org + +- Security fix: inject js code into history. Fix bnc#749036. + +------------------------------------------------------------------- new: ---- kadu-inject-js-into-history-fix.patch spec files: ----------- --- kadu.spec +++ kadu.spec @@ -26,6 +26,8 @@ Url: http://www.kadu.net/ Group: Productivity/Networking/Instant Messenger Source0: kadu-0.9.2.tar.bz2 +# PATCH-FIX-UPSTREAM -- kadu-inject-js-into-history-fix.patch -- Rafał Malinowski <rafal.przemyslaw.malinowski@gmail.com> +Patch0: kadu-inject-js-into-history-fix.patch ### 1x - External Modules ### Source10: anonymous_check-0.6.6.1.tar.bz2 Source11: globalhotkeys-0.6.6-22.tar.gz @@ -239,7 +241,7 @@ ver=${ver:0:2}.${ver:2:1} sed -e "s:</b><br />: openSUSE $ver</b><br />:" -i kadu-core/gui/windows/about.cpp # apply patches -# none atm +%patch0 %build %ifarch x86_64 other changes: -------------- ++++++ kadu-inject-js-into-history-fix.patch (new) --- kadu-inject-js-into-history-fix.patch +++ kadu-inject-js-into-history-fix.patch 
@@ -0,0 +1,131 @@
+Index: kadu-core/gui/widgets/buddy-info-panel.cpp
+===================================================================
+--- kadu-core/gui/widgets/buddy-info-panel.cpp.orig
++++ kadu-core/gui/widgets/buddy-info-panel.cpp
+@@ -52,6 +52,11 @@ BuddyInfoPanel::BuddyInfoPanel(QWidget *
+ setAttribute(Qt::WA_OpaquePaintEvent, false);
+
+ connect(BuddyPreferredManager::instance(), SIGNAL(buddyUpdated(Buddy&)), this, SLOT(buddyUpdated(Buddy&)));
++
++ page()->currentFrame()->evaluateJavaScript(
++ "XMLHttpRequest.prototype.open = function() { return false; };"
++ "XMLHttpRequest.prototype.send = function() { return false; };"
++ );
+ }
+
+ BuddyInfoPanel::~BuddyInfoPanel()
+Index: kadu-core/gui/widgets/chat-messages-view.cpp
+===================================================================
+--- kadu-core/gui/widgets/chat-messages-view.cpp.orig
++++ kadu-core/gui/widgets/chat-messages-view.cpp
+@@ -62,6 +62,11 @@ ChatMessagesView::ChatMessagesView(const
+ settings()->setAttribute(QWebSettings::JavascriptEnabled, true);
+ settings()->setAttribute(QWebSettings::PluginsEnabled, true);
+
++ page()->currentFrame()->evaluateJavaScript(
++ "XMLHttpRequest.prototype.open = function() { return false; };"
++ "XMLHttpRequest.prototype.send = function() { return false; };"
++ );
++
+ connectChat();
+
+ connect(this->page()->mainFrame(), SIGNAL(contentsSizeChanged(const QSize &)), this, SLOT(scrollToBottom()));
+Index: kadu-core/gui/widgets/chat-view-network-access-manager.cpp
+===================================================================
+--- kadu-core/gui/widgets/chat-view-network-access-manager.cpp.orig
++++ kadu-core/gui/widgets/chat-view-network-access-manager.cpp
+@@ -36,6 +36,9 @@ ChatViewNetworkAccessManager::ChatViewNe
+
+ QNetworkReply * ChatViewNetworkAccessManager::createRequest(QNetworkAccessManager::Operation operation, const QNetworkRequest &request, QIODevice *device)
+ {
++ if (QNetworkAccessManager::GetOperation != operation &&
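Review bot: The XMLHttpRequest override added to the BuddyInfoPanel constructor (and the identical block in the ChatMessagesView constructor) is evaluated once, against the frame as it exists at construction time, so it presumably does not survive the first `setHtml()` or load that gives the frame a fresh script context; if these views replace their content later, re-apply it from a slot connected to the main frame's `javaScriptWindowObjectCleared()` signal. Even when it is in place, redefining prototype methods from page script is advisory rather than an enforcement point, so request filtering has to be enforced in the QNetworkAccessManager and this block should be documented as an extra layer only. Suggested comment above both calls: `// Defence in depth only: page script can redefine these again; real filtering must happen in the network access manager.` Both constructors continue outside their hunks, so how content is loaded afterwards is not visible here.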
QNetworkAccessManager::HeadOperation != operation)
++ operation = QNetworkAccessManager::GetOperation;
++
+ if (request.url().scheme() != "kaduimg")
+ return QNetworkAccessManager::createRequest(operation, request, device);
+
+Index: kadu-core/gui/widgets/chat-view-network-access-manager.h
+===================================================================
+--- kadu-core/gui/widgets/chat-view-network-access-manager.h.orig
++++ kadu-core/gui/widgets/chat-view-network-access-manager.h
+@@ -33,6 +33,7 @@ public:
+
+ protected:
+ virtual QNetworkReply * createRequest(Operation operation, const QNetworkRequest &request, QIODevice *device);
++
+ };
+
+ #endif // CHAT_VIEW_NETWORK_ACCESS_MANAGER
+Index: modules/sql_history/storage/history-sql-storage.cpp
+===================================================================
+--- modules/sql_history/storage/history-sql-storage.cpp.orig
++++ modules/sql_history/storage/history-sql-storage.cpp
+@@ -23,6 +23,7 @@
+ */
+
+ #include <QtCore/QDir>
++#include <QtGui/QTextDocument>
+ #include <QtSql/QSqlError>
+ #include <QtSql/QSqlRecord>
+
+@@ -991,6 +992,20 @@ void HistorySqlStorage::executeQuery(QSq
+ kdebugm(KDEBUG_INFO, "db query: %s\n", qPrintable(query.executedQuery()));
+ }
+
++QString HistorySqlStorage::stripAllScriptTags(const QString &string)
++{
++ QString beforeReplace = string;
++ QString afterReplace = beforeReplace;
++
++ afterReplace.replace("<script", "", Qt::CaseInsensitive);
++ while (beforeReplace != afterReplace)
++ {
++ beforeReplace = afterReplace;
++ afterReplace.replace("<script", "", Qt::CaseInsensitive);
++ }
++
++ return afterReplace;
++}
+
+ QList<Message> HistorySqlStorage::messagesFromQuery(QSqlQuery &query)
+ {
+@@ -1014,7 +1029,7 @@ QList<Message> HistorySqlStorage::messag
+ message.setMessageChat(chat);
+ message.setType(type);
+ message.setMessageSender(sender);
+- message.setContent(query.value(2).toString());
++ message.setContent(stripAllScriptTags(query.value(2).toString()));
+
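Review bot: Forcing every non-GET/HEAD operation to GET at the top of createRequest() still lets the request go out to whatever URL the page asked for, and the original `device` pointer is forwarded to the base class unchanged. The next branch shows `kaduimg` is the only scheme this class handles itself, so consider checking the scheme against an allow-list of what the chat view legitimately needs before delegating, rather than only downgrading the verb. At minimum drop the body when the operation is rewritten: `if (...) { operation = QNetworkAccessManager::GetOperation; device = 0; }`. The remainder of createRequest() lies outside the hunk, so the kaduimg path was not reviewed.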
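Review bot: stripAllScriptTags() removes only the literal `<script` token, so markup that carries script by other means (event-handler attributes, `javascript:` URLs, embedded frames or objects) reaches the WebKit view unchanged; a deny-list of one tag is not a sanitizer. Because messagesFromQuery() applies it on read, the stored rows also stay raw for any other consumer of the table. Prefer an allow-list of the formatting tags and attributes Kadu itself emits, or render history in a view with JavaScript disabled, and document the limit on the function: `// Removes every "<script" token (case-insensitive, repeated until stable); NOT a general HTML sanitizer.` On style, the replace call before the loop duplicates the loop body; a `do { ... } while (beforeReplace != afterReplace);` states the fixed-point iteration once.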
message.setSendDate(query.value(3).toDateTime());
+ message.setReceiveDate(query.value(4).toDateTime());
+ message.setStatus(outgoing ? Message::StatusDelivered : Message::StatusReceived);
+@@ -1038,7 +1053,7 @@ QList<TimedStatus> HistorySqlStorage::st
+
+ Status status;
+ status.setType(query.value(1).toString());
+- status.setDescription(query.value(2).toString());
++ status.setDescription(Qt::escape(query.value(2).toString()));
+
+ TimedStatus timedStatus(status, query.value(3).toDateTime());
+
+@@ -1059,7 +1074,7 @@ QList<Message> HistorySqlStorage::smsFro
+ message.setType(Message::TypeSystem);
+ message.setReceiveDate(query.value(1).toDateTime());
+ message.setSendDate(query.value(1).toDateTime());
+- message.setContent(query.value(0).toString());
++ message.setContent(Qt::escape(query.value(0).toString()));
+
+ messages.append(message);
+ }
+Index: modules/sql_history/storage/history-sql-storage.h
+===================================================================
+--- modules/sql_history/storage/history-sql-storage.h.orig
++++ modules/sql_history/storage/history-sql-storage.h
+@@ -60,6 +60,8 @@ class HistorySqlStorage : public History
+ QString chatWhere(const Chat &chat);
+ QString buddyContactsWhere(const Buddy &buddy);
+
++ static QString stripAllScriptTags(const QString &string);
++
+ void executeQuery(QSqlQuery &query);
+ QList<Message> messagesFromQuery(QSqlQuery &query);
+ QList<TimedStatus> statusesFromQuery(QSqlQuery query);
To REVIEW against the previous version: osc request show --diff 107054 To ACCEPT the request: osc request accept 107054 --message="reviewed ok." To DECLINE the request: osc request decline 107054 --message="declined for reason xyz (see ... for background / policy / ...)." To REVOKE the request: osc request revoke 107054 --message="retracted because ..., sorry / thx / see better version ..."
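Review bot: Calling Qt::escape() inside statusesFromQuery() and smsFromQuery() bakes HTML encoding into the model objects, so any consumer that treats the status description or SMS content as plain text would presumably show the entities literally, and any renderer that escapes again will double-encode. Encoding belongs at the point where the string is inserted into markup; if it has to stay in the storage layer for a minimal fix, say so at both call sites, e.g. `// HTML-escaped on load because the history view inserts this text into markup verbatim.` Both functions extend beyond their hunks, so the other fields read from the query were not checked.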