From 7f1e3c31018a8914af99fa3a9ff05a811ea29f52 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@redhat.com>
Date: Tue, 22 Feb 2011 10:14:23 +0800
Subject: [PATCH] Fix generate-id() to not expose object addresses
To: libvir-list@redhat.com

For https://bugzilla.redhat.com/show_bug.cgi?id=684386
CVE-2011-1202

As pointed out by Chris Evans <scarybeasts@gmail.com> it's better security
wise to not expose object addresses directly, use a diff w.r.t. the
document root own address to avoid this
* libxslt/functions.c: fix IDs generation code

Signed-off-by: Daniel Veillard <veillard@redhat.com>
---
 libxslt/functions.c | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/libxslt/functions.c b/libxslt/functions.c
index 4720c7a..de962f4 100644
--- a/libxslt/functions.c
+++ b/libxslt/functions.c
@@ -654,8 +654,9 @@ xsltFormatNumberFunction(xmlXPathParserContextPtr ctxt, int nargs)
 void
 xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
     xmlNodePtr cur = NULL;
-    unsigned long val;
-    xmlChar str[20];
+    long val;
+    xmlChar str[30];
+    xmlDocPtr doc;
 
     if (nargs == 0) {
         cur = ctxt->context->node;
@@ -694,9 +695,24 @@ xsltGenerateIdFunction(xmlXPathParserContextPtr ctxt, int nargs){
      * Okay this is ugly but should work, use the NodePtr address
      * to forge the ID
      */
-    val = (unsigned long)((char *)cur - (char *)0);
-    val /= sizeof(xmlNode);
-    sprintf((char *)str, "id%ld", val);
+    if (cur->type != XML_NAMESPACE_DECL)
+        doc = cur->doc;
+    else {
+        xmlNsPtr ns = (xmlNsPtr) cur;
+
+        if (ns->context != NULL)
+            doc = ns->context;
+        else
+            doc = ctxt->context->doc;
+
+    }
+
+    val = (long)((char *)cur - (char *)doc);
+    if (val >= 0) {
+        sprintf((char *)str, "idp%ld", val);
+    } else {
+        sprintf((char *)str, "idm%ld", -val);
+    }
 
     valuePush(ctxt, xmlXPathNewString(str));
 }
-- 
1.7.11.4
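Review bot: The offset-based id computed in the second hunk is only unique within one document, so when generate-id() is evaluated on nodes from more than one input (for instance documents pulled in through document()) two nodes that sit at the same byte offset from their own xmlDoc object yield the same `idp`/`idm` string, which breaks the uniqueness generate-id() promises; folding in a per-document index assigned on first use (kept in a transformation-context table) instead of anything derived from the pointer would keep ids unique without reintroducing addresses. If `cur->doc` can ever be NULL here, `(char *)cur - (char *)doc` degenerates to the raw node address the commit is removing, so a `doc == NULL` case should be handled explicitly rather than silently reverting to the old behaviour. Subtracting pointers into two different allocations is undefined in C; where `<stdint.h>` is available the same value is obtained in a well-defined way with `val = (long)((uintptr_t)cur - (uintptr_t)doc);`. The three context lines at the top of the hunk still say the id is forged from the NodePtr address; they should now read `* use the offset of the node from its owning document (the context document for namespace nodes without one) to forge the ID, so raw object addresses are not exposed`. xsltGenerateIdFunction starts before this hunk.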