From e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer
Date: Sun, 24 Mar 2019 09:51:39 +0100
Subject: [PATCH] Fix security framework bypass

xsltCheckRead and xsltCheckWrite return -1 in case of error but callers don't check for this condition and allow access. With a specially crafted URL, xsltCheckRead could be tricked into returning an error because of a supposedly invalid URL that would still be loaded succesfully later on. Fixes #12. Thanks to Felix Wilhelm for the report.
---
 libxslt/documents.c | 18 ++++++++++--------
 libxslt/imports.c | 9 +++++----
 libxslt/transform.c | 9 +++++----
 libxslt/xslt.c | 9 +++++----
 4 files changed, 25 insertions(+), 20 deletions(-)
--- a/libxslt/documents.c
+++ b/libxslt/documents.c
@@ -296,10 +296,11 @@ xsltLoadDocument(xsltTransformContextPtr
 int res;
 res = xsltCheckRead(ctxt->sec, ctxt, URI);
- if (res == 0) {
- xsltTransformError(ctxt, NULL, NULL,
- "xsltLoadDocument: read rights for %s denied\n",
- URI);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(ctxt, NULL, NULL,
+ "xsltLoadDocument: read rights for %s denied\n",
+ URI);
 return(NULL);
 }
 }
@@ -372,10 +373,11 @@ xsltLoadStyleDocument(xsltStylesheetPtr
 int res;
 res = xsltCheckRead(sec, NULL, URI);
- if (res == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsltLoadStyleDocument: read rights for %s denied\n",
- URI);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltLoadStyleDocument: read rights for %s denied\n",
+ URI);
 return(NULL);
 }
 }
--- a/libxslt/imports.c
+++ b/libxslt/imports.c
@@ -131,10 +131,11 @@ xsltParseStylesheetImport(xsltStylesheet
 int secres;
 secres = xsltCheckRead(sec, NULL, URI);
- if (secres == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsl:import: read rights for %s denied\n",
- URI);
+ if (secres <= 0) {
+ if (secres == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsl:import: read rights for %s denied\n",
+ URI);
 goto error;
 }
 }
--- a/libxslt/transform.c
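Review bot: The `res < 0` path in xsltLoadDocument now returns NULL with no message from this call site, so a failed check looks the same in the log as any other load failure unless xsltCheckRead reports it itself, which this hunk does not show. Since the point of the change is to fail closed, I would state that at the check with a comment above `if (res <= 0) {`, for example `/* res < 0: the check itself failed; treat as denied (fail closed) */`. The same applies to the xsltLoadStyleDocument hunk, the xsl:import hunk in imports.c, and the hunks in transform.c and xslt.c. Any caller of xsltCheckRead or xsltCheckWrite that this diff does not touch should be checked for the same `== 0` comparison. The function body starts and ends outside the hunk.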
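Review bot: The inner `if (res == 0)` in xsltLoadStyleDocument guards a three-line xsltTransformError call without braces, directly ahead of the `return(NULL);` that enforces the denial. In an access check I would brace it, `if (res == 0) {` ... `}`, so that a later edit cannot pull the return under the inner condition or push a new statement out of it by indentation alone. The same form appears in every hunk of this patch (xsltLoadDocument, xsltParseStylesheetImport, xsltDocumentElem, xsltParseStylesheetFile). The function body continues outside the hunk.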
+++ b/libxslt/transform.c
@@ -3416,10 +3416,11 @@ xsltDocumentElem(xsltTransformContextPtr
 */
 if (ctxt->sec != NULL) {
 ret = xsltCheckWrite(ctxt->sec, ctxt, filename);
- if (ret == 0) {
- xsltTransformError(ctxt, NULL, inst,
- "xsltDocumentElem: write rights for %s denied\n",
- filename);
+ if (ret <= 0) {
+ if (ret == 0)
+ xsltTransformError(ctxt, NULL, inst,
+ "xsltDocumentElem: write rights for %s denied\n",
+ filename);
 xmlFree(URL);
 xmlFree(filename);
 return;
--- a/libxslt/xslt.c
+++ b/libxslt/xslt.c
@@ -6729,10 +6729,11 @@ xsltParseStylesheetFile(const xmlChar* f
 int res;
 res = xsltCheckRead(sec, NULL, filename);
- if (res == 0) {
- xsltTransformError(NULL, NULL, NULL,
- "xsltParseStylesheetFile: read rights for %s denied\n",
- filename);
+ if (res <= 0) {
+ if (res == 0)
+ xsltTransformError(NULL, NULL, NULL,
+ "xsltParseStylesheetFile: read rights for %s denied\n",
+ filename);
 return(NULL);
 }
 }
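Review bot: In xsltDocumentElem the `ret < 0` branch frees URL and filename and returns without reporting anything through `ctxt`, while the `ret == 0` branch goes through xsltTransformError with the context. If xsltCheckWrite does not itself report every error path through the context (not visible in this hunk), a transformation whose output document was refused could finish without the failure being recorded. I would either report here as well, e.g. `else xsltTransformError(ctxt, NULL, inst, "xsltDocumentElem: write check for %s failed\n", filename);`, or add a comment at the check saying that xsltCheckWrite has already reported the error. The function starts and ends outside the hunk.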