Changeset 79159 in webkit


Timestamp:
Feb 20, 2011, 5:07:34 PM (14 years ago)
Author:
ap@apple.com
Message:

Reviewed by Eric Seidel.

Tighten up access permissions by using libxslt API
https://bugs.webkit.org/show_bug.cgi?id=52688
<rdar://problem/8909191>

  • xml/XSLTProcessorLibxslt.cpp: (WebCore::XSLTProcessor::transformToString): We are only interested in a string result, so let libxslt know about that.
Location:
trunk/Source/WebCore
Files:
2 edited

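--- a/trunk/Source/WebCore/ChangeLog
+++ b/trunk/Source/WebCore/ChangeLog
@@ -1,2 +1,13 @@
+2011-02-20  Alexey Proskuryakov  <ap@apple.com>
+
+        Reviewed by Eric Seidel.
+
+        Tighten up access permissions by using libxslt API
+        https://bugs.webkit.org/show_bug.cgi?id=52688
+        <rdar://problem/8909191>
+
+        * xml/XSLTProcessorLibxslt.cpp: (WebCore::XSLTProcessor::transformToString): We are only
+        interested in a string result, so let libxslt know about that.
+
 2011-02-20  Sheriff Bot  <webkit.review.bot@gmail.com>
 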
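--- a/trunk/Source/WebCore/xml/XSLTProcessorLibxslt.cpp
+++ b/trunk/Source/WebCore/xml/XSLTProcessorLibxslt.cpp
@@ -42,4 +42,5 @@
 #include "markup.h"
 #include <libxslt/imports.h>
+#include <libxslt/security.h>
 #include <libxslt/variables.h>
 #include <libxslt/xsltutils.h>
@@ -62,4 +63,10 @@
 SOFT_LINK(libxslt, xsltSaveResultTo, int, (xmlOutputBufferPtr buf, xmlDocPtr result, xsltStylesheetPtr style), (buf, result, style))
 SOFT_LINK(libxslt, xsltNextImport, xsltStylesheetPtr, (xsltStylesheetPtr style), (style))
+SOFT_LINK(libxslt, xsltNewSecurityPrefs, xsltSecurityPrefsPtr, (), ())
+SOFT_LINK(libxslt, xsltFreeSecurityPrefs, void, (xsltSecurityPrefsPtr sec), (sec))
+SOFT_LINK(libxslt, xsltSetSecurityPrefs, int, (xsltSecurityPrefsPtr sec, xsltSecurityOption option, xsltSecurityCheck func), (sec, option, func))
+SOFT_LINK(libxslt, xsltSetCtxtSecurityPrefs, int, (xsltSecurityPrefsPtr sec, xsltTransformContextPtr ctxt), (sec, ctxt))
+SOFT_LINK(libxslt, xsltSecurityForbid, int, (xsltSecurityPrefsPtr sec, xsltTransformContextPtr ctxt, const char* value), (sec, ctxt, value))
+
 #endif
 
@@ -316,4 +323,15 @@
         registerXSLTExtensions(transformContext);
 
+        xsltSecurityPrefsPtr securityPrefs = xsltNewSecurityPrefs();
+        // Read permissions are checked by docLoaderFunc.
+        if (0 != xsltSetSecurityPrefs(securityPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid))
+            CRASH();
+        if (0 != xsltSetSecurityPrefs(securityPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid))
+            CRASH();
+        if (0 != xsltSetSecurityPrefs(securityPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid))
+            CRASH();
+        if (0 != xsltSetCtxtSecurityPrefs(securityPrefs, transformContext))
+            CRASH();
+
         // <http://bugs.webkit.org/show_bug.cgi?id=16077>: XSLT processor <xsl:sort> algorithm only compares by code point.
         xsltSetCtxtSortFunc(transformContext, xsltUnicodeSortFunction);
@@ -329,4 +347,5 @@
 
         xsltFreeTransformContext(transformContext);
+        xsltFreeSecurityPrefs(securityPrefs);
         freeXsltParamArray(params);
 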
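Review bot: The comment at new line 326 is the only record that the two read options are deliberately left at libxslt's defaults, and it does not name them; docLoaderFunc is outside the visible hunks, so the read-side check cannot be confirmed from this page. I would make the scope explicit for the next auditor, e.g. `// XSLT_SECPREF_READ_FILE and XSLT_SECPREF_READ_NETWORK are intentionally not set here; read permissions are checked by docLoaderFunc.` A one-line comment above the first `CRASH()` such as `// Fail closed: never run a transform without the write restrictions installed.` would explain why a setup failure aborts instead of returning an error. The code between new lines 337 and 347 is not shown, so an early exit there that skips `xsltFreeSecurityPrefs(securityPrefs)` cannot be ruled out from this view.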