Diffstat (limited to 'http/kazehakase/CVE-2007-1084.dpatch')
-rw-r--r-- | http/kazehakase/CVE-2007-1084.dpatch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/http/kazehakase/CVE-2007-1084.dpatch b/http/kazehakase/CVE-2007-1084.dpatch
new file mode 100644
index 0000000000..cbfa22faa4
--- /dev/null
+++ b/http/kazehakase/CVE-2007-1084.dpatch
@@ -0,0 +1,35 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2007-1084.dpatch by Yavor Doganov <yavor@gnu.org>
+##
+## DP: Do not allow bookmarks with data:/javascript: URIs (CVE-2007-1084).
+
+@DPATCH@
+diff -urNad kazehakase-0.5.8~/src/actions/kz-actions.c kazehakase-0.5.8/src/actions/kz-actions.c
+--- kazehakase-0.5.8~/src/actions/kz-actions.c 2009-12-07 19:04:58.000000000 +0200
++++ kazehakase-0.5.8/src/actions/kz-actions.c 2009-12-07 19:08:12.000000000 +0200
+@@ -1010,6 +1010,25 @@
+ 
+ if (!uri) return;
++ /* Refuse to add a bookmark if the URI is data:/javascript:
++ (CVE-2007-1084). */
++ if (g_str_has_prefix(uri, "data:")
++ || g_str_has_prefix(uri, "javascript:"))
++ {
++ GtkWidget *dialog;
++
++ dialog = gtk_message_dialog_new(NULL,
++ GTK_DIALOG_DESTROY_WITH_PARENT,
++ GTK_MESSAGE_WARNING,
++ GTK_BUTTONS_CLOSE,
++ _("Adding this bookmark is disallowed for security reasons."));
++ gtk_window_set_title(GTK_WINDOW(dialog),
++ _("Security Warning"));
++ gtk_dialog_run(GTK_DIALOG(dialog));
++ gtk_widget_destroy(dialog);
++ return;
++ }
++
+ bookmark = kz_bookmark_new_with_attrs(title, uri, desc);
+ /* FIXME! show dialog */
+ if (sibling) |
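Review bot: The new scheme check in the inner kz-actions.c hunk is case-sensitive, so a bookmark URI such as `JavaScript:...` or `Data:...` slips past `g_str_has_prefix` even though URI schemes are case-insensitive and a browser engine will normalize them before dispatch, which leaves CVE-2007-1084 only partially closed. Compare case-insensitively instead, e.g. `if (g_ascii_strncasecmp(uri, "data:", 5) == 0` / `|| g_ascii_strncasecmp(uri, "javascript:", 11) == 0)`, and consider skipping leading whitespace or control characters before the comparison since URI parsers commonly tolerate them. A deny-list of two schemes is also brittle; if the set of schemes this code path accepts is known, an allow-list (http, https, ftp, file, ...) would be the more robust shape, though that cannot be confirmed from this hunk alone. The enclosing function begins before `if (!uri) return;` and continues past `if (sibling)`, so its name and the origin of `uri` are not visible here.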