Commit e0355360 authored by Nick Wellnhofer's avatar Nick Wellnhofer

Fix security framework bypass

xsltCheckRead and xsltCheckWrite return -1 in case of error but callers
don't check for this condition and allow access. With a specially
crafted URL, xsltCheckRead could be tricked into returning an error
because of a supposedly invalid URL that would still be loaded
succesfully later on.

Fixes #12.

Thanks to Felix Wilhelm for the report.
parent eb48a900
......@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) {
int res;
res = xsltCheckRead(ctxt->sec, ctxt, URI);
if (res == 0) {
xsltTransformError(ctxt, NULL, NULL,
"xsltLoadDocument: read rights for %s denied\n",
URI);
if (res <= 0) {
if (res == 0)
xsltTransformError(ctxt, NULL, NULL,
"xsltLoadDocument: read rights for %s denied\n",
URI);
return(NULL);
}
}
......@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) {
int res;
res = xsltCheckRead(sec, NULL, URI);
if (res == 0) {
xsltTransformError(NULL, NULL, NULL,
"xsltLoadStyleDocument: read rights for %s denied\n",
URI);
if (res <= 0) {
if (res == 0)
xsltTransformError(NULL, NULL, NULL,
"xsltLoadStyleDocument: read rights for %s denied\n",
URI);
return(NULL);
}
}
......
......@@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) {
int secres;
secres = xsltCheckRead(sec, NULL, URI);
if (secres == 0) {
xsltTransformError(NULL, NULL, NULL,
"xsl:import: read rights for %s denied\n",
URI);
if (secres <= 0) {
if (secres == 0)
xsltTransformError(NULL, NULL, NULL,
"xsl:import: read rights for %s denied\n",
URI);
goto error;
}
}
......
......@@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node,
*/
if (ctxt->sec != NULL) {
ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
if (ret == 0) {
xsltTransformError(ctxt, NULL, inst,
"xsltDocumentElem: write rights for %s denied\n",
filename);
if (ret <= 0) {
if (ret == 0)
xsltTransformError(ctxt, NULL, inst,
"xsltDocumentElem: write rights for %s denied\n",
filename);
xmlFree(URL);
xmlFree(filename);
return;
......
......@@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) {
int res;
res = xsltCheckRead(sec, NULL, filename);
if (res == 0) {
xsltTransformError(NULL, NULL, NULL,
"xsltParseStylesheetFile: read rights for %s denied\n",
filename);
if (res <= 0) {
if (res == 0)
xsltTransformError(NULL, NULL, NULL,
"xsltParseStylesheetFile: read rights for %s denied\n",
filename);
return(NULL);
}
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment