TDE
/
tdelibs
mirror of https://mirror.git.trinitydesktop.org/gitea/TDE/tdelibs
0
0
Fork 0
Code Issues Releases Wiki Activity

Fix possible DOS in konqueror (CVE-2009-2537)

Browse Source
pull/16/head
Francois Andriot 12 years ago committed by Slávek Banko
parent a67a48107f
commit 89cfde63b8
1 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File

13
tdehtml/ecma/kjs_html.cpp
Unescape View File

@ -62,6 +62,9 @@
#include <kdebug.h> #include <kdebug.h>
// CVE-2009-2537 (vendors agreed on max 10000 elements)
#define MAX_SELECT_LENGTH 10000
namespace KJS { namespace KJS {
KJS_DEFINE_PROTOTYPE_WITH_PROTOTYPE(HTMLDocumentProto, DOMDocumentProto) KJS_DEFINE_PROTOTYPE_WITH_PROTOTYPE(HTMLDocumentProto, DOMDocumentProto)
@ -2550,8 +2553,14 @@ void KJS::HTMLElement::putValueProperty(ExecState *exec, int token, const Value&
case SelectValue: { select.setValue(str); return; } case SelectValue: { select.setValue(str); return; }
case SelectLength: { // read-only according to the NS spec, but webpages need it writeable case SelectLength: { // read-only according to the NS spec, but webpages need it writeable
Object coll = Object::dynamicCast( getSelectHTMLCollection(exec, select.options(), select) ); Object coll = Object::dynamicCast( getSelectHTMLCollection(exec, select.options(), select) );
if ( coll.isValid() ) if ( coll.isValid() ) {
coll.put(exec,"length",value); if (value.toInteger(exec) >= MAX_SELECT_LENGTH) {
Object err = Error::create(exec, RangeError);
exec->setException(err);
} else {
coll.put(exec, "length", value);
}
}
return; return;
} }
// read-only: form // read-only: form

Write Preview
Loading…
Cancel
Save