From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001 From: Nick Wellnhofer Date: Sun, 24 Mar 2019 09:51:39 +0100 Subject: [PATCH] Fix security framework bypass xsltCheckRead and xsltCheckWrite return -1 in case of error but callers don't check for this condition and allow access. With a specially crafted URL, xsltCheckRead could be tricked into returning an error because of a supposedly invalid URL that would still be loaded succesfully later on. Fixes #12. Thanks to Felix Wilhelm for the report. --- libxslt/documents.c | 18 ++++++++++-------- libxslt/imports.c | 9 +++++---- libxslt/transform.c | 9 +++++---- libxslt/xslt.c | 9 +++++---- 4 files changed, 25 insertions(+), 20 deletions(-) diff --git a/libxslt/documents.c b/libxslt/documents.c index 3f3a7312..4aad11bb 100644 --- a/libxslt/documents.c +++ b/libxslt/documents.c @@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr ctxt, const xmlChar *URI) { int res; res = xsltCheckRead(ctxt->sec, ctxt, URI); - if (res == 0) { - xsltTransformError(ctxt, NULL, NULL, - "xsltLoadDocument: read rights for %s denied\n", - URI); + if (res <= 0) { + if (res == 0) + xsltTransformError(ctxt, NULL, NULL, + "xsltLoadDocument: read rights for %s denied\n", + URI); return(NULL); } } @@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr style, const xmlChar *URI) { int res; res = xsltCheckRead(sec, NULL, URI); - if (res == 0) { - xsltTransformError(NULL, NULL, NULL, - "xsltLoadStyleDocument: read rights for %s denied\n", - URI); + if (res <= 0) { + if (res == 0) + xsltTransformError(NULL, NULL, NULL, + "xsltLoadStyleDocument: read rights for %s denied\n", + URI); return(NULL); } } diff --git a/libxslt/imports.c b/libxslt/imports.c index 874870cc..3783b247 100644 --- a/libxslt/imports.c +++ b/libxslt/imports.c @@ -130,10 +130,11 @@ xsltParseStylesheetImport(xsltStylesheetPtr style, xmlNodePtr cur) { int secres; secres = xsltCheckRead(sec, NULL, URI); - if (secres == 0) { - xsltTransformError(NULL, NULL, NULL, - "xsl:import: read rights for %s denied\n", - URI); + if (secres <= 0) { + if (secres == 0) + xsltTransformError(NULL, NULL, NULL, + "xsl:import: read rights for %s denied\n", + URI); goto error; } } diff --git a/libxslt/transform.c b/libxslt/transform.c index 13793914..0636dbd0 100644 --- a/libxslt/transform.c +++ b/libxslt/transform.c @@ -3493,10 +3493,11 @@ xsltDocumentElem(xsltTransformContextPtr ctxt, xmlNodePtr node, */ if (ctxt->sec != NULL) { ret = xsltCheckWrite(ctxt->sec, ctxt, filename); - if (ret == 0) { - xsltTransformError(ctxt, NULL, inst, - "xsltDocumentElem: write rights for %s denied\n", - filename); + if (ret <= 0) { + if (ret == 0) + xsltTransformError(ctxt, NULL, inst, + "xsltDocumentElem: write rights for %s denied\n", + filename); xmlFree(URL); xmlFree(filename); return; diff --git a/libxslt/xslt.c b/libxslt/xslt.c index 780a5ad7..a234eb79 100644 --- a/libxslt/xslt.c +++ b/libxslt/xslt.c @@ -6763,10 +6763,11 @@ xsltParseStylesheetFile(const xmlChar* filename) { int res; res = xsltCheckRead(sec, NULL, filename); - if (res == 0) { - xsltTransformError(NULL, NULL, NULL, - "xsltParseStylesheetFile: read rights for %s denied\n", - filename); + if (res <= 0) { + if (res == 0) + xsltTransformError(NULL, NULL, NULL, + "xsltParseStylesheetFile: read rights for %s denied\n", + filename); return(NULL); } } -- 2.18.1