authormarkd <markd@pkgsrc.org>2010-05-16 21:21:39 +0000
committermarkd <markd@pkgsrc.org>2010-05-16 21:21:39 +0000
commit81a725b9e1a81267e8f1f4dce6eb76dfea057150 (patch)
tree5177ce1b073729fc865d52bf55b4624f95f74c5a /net/kdenetwork4
parentc8cf0e2783f09971a37de4927158ecdba751d87a (diff)
downloadpkgsrc-81a725b9e1a81267e8f1f4dce6eb76dfea057150.tar.gz
Fix from KDE security advisory 20100513-1.
Diffstat (limited to 'net/kdenetwork4')
-rw-r--r--net/kdenetwork4/Makefile3
-rw-r--r--net/kdenetwork4/distinfo6
-rw-r--r--net/kdenetwork4/patches/patch-ba93
-rw-r--r--net/kdenetwork4/patches/patch-bb13
-rw-r--r--net/kdenetwork4/patches/patch-bc19
-rw-r--r--net/kdenetwork4/patches/patch-bd87
6 files changed, 219 insertions, 2 deletions
diff --git a/net/kdenetwork4/Makefile b/net/kdenetwork4/Makefile
index 928bb8c85a4..495b666e749 100644
--- a/net/kdenetwork4/Makefile
+++ b/net/kdenetwork4/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.9 2010/05/08 22:13:57 markd Exp $
+# $NetBSD: Makefile,v 1.10 2010/05/16 21:21:39 markd Exp $
DISTNAME= kdenetwork-${_KDE_VERSION}
+PKGREVISION= 1
CATEGORIES= net
COMMENT= Network modules for the KDE integrated X11 desktop
diff --git a/net/kdenetwork4/distinfo b/net/kdenetwork4/distinfo
index a3b9d5fb530..d21245c3dfb 100644
--- a/net/kdenetwork4/distinfo
+++ b/net/kdenetwork4/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.8 2010/05/08 22:13:57 markd Exp $
+$NetBSD: distinfo,v 1.9 2010/05/16 21:21:39 markd Exp $
SHA1 (kdenetwork-4.4.3.tar.bz2) = 67237e0142f5d4edc893a7dcafffa79f998c534e
RMD160 (kdenetwork-4.4.3.tar.bz2) = 90814afa79a259ee36b82ae160b64fe79c90a837
@@ -7,3 +7,7 @@ SHA1 (patch-aa) = 0359cd86501c57197242c398d63c1fc77c60a4d0
SHA1 (patch-ab) = 0743b3b6c994623c507b8bcd52ee01dad31cf56f
SHA1 (patch-ae) = 765d48550d2d8b7a59a1593a669b0909fef3bd96
SHA1 (patch-af) = fd916bd4d102ef44222842f4327061753d568906
+SHA1 (patch-ba) = d8991e4e80074b558614d353e5d35735124c19a5
+SHA1 (patch-bb) = d6fcd1b54d7bf7fd090184a8602689d25bf167ba
+SHA1 (patch-bc) = 2002a32d5076b566f4f0194b24403ad073251669
+SHA1 (patch-bd) = 7d1d880b7c54bd8c5af6bb5c9cd289a3348b7a92
diff --git a/net/kdenetwork4/patches/patch-ba b/net/kdenetwork4/patches/patch-ba
new file mode 100644
index 00000000000..4df3754af8f
--- /dev/null
+++ b/net/kdenetwork4/patches/patch-ba
@@ -0,0 +1,93 @@
+$NetBSD: patch-ba,v 1.1 2010/05/16 21:21:39 markd Exp $
+
+--- kget/transfer-plugins/metalink/metalink.cpp.orig 2010-04-29 19:58:02.000000000 +0000
++++ kget/transfer-plugins/metalink/metalink.cpp
+@@ -99,6 +99,7 @@ void Metalink::start()
+ void Metalink::metalinkInit(const KUrl &src, const QByteArray &data)
+ {
+ kDebug(5001);
++
+ bool justDownloaded = !m_localMetalinkLocation.isValid();
+ if (!src.isEmpty())
+ {
+@@ -121,7 +122,9 @@ void Metalink::metalinkInit(const KUrl &
+ //error
+ if (!m_metalink.isValid())
+ {
+- kDebug(5001) << "Unknown error when trying to load the .metalink-file";
++ kError(5001) << "Unknown error when trying to load the .metalink-file. Metalink is not valid.";
++ setStatus(Job::Aborted);
++ setTransferChange(Tc_Status, true);
+ return;
+ }
+
+@@ -202,7 +205,7 @@ void Metalink::metalinkInit(const KUrl &
+ if (!m_dataSourceFactory.size())
+ {
+ KMessageBox::error(0, i18n("Download failed, no working URLs were found."), i18n("Error"));
+- setStatus(Job::Aborted, i18n("An error occurred...."), SmallIcon("document-preview"));
++ setStatus(Job::Aborted);
+ setTransferChange(Tc_Status, true);
+ return;
+ }
+@@ -227,16 +230,29 @@ void Metalink::metalinkInit(const KUrl &
+ ui.treeView->hideColumn(FileItem::SignatureVerified);
+ dialog->setMainWidget(widget);
+ dialog->setCaption(i18n("File Selection"));
+- dialog->setButtons(KDialog::Ok);
+- connect(dialog, SIGNAL(finished()), this, SLOT(filesSelected()));
++ dialog->setButtons(KDialog::Ok | KDialog::Cancel);
++ connect(dialog, SIGNAL(finished(int)), this, SLOT(fileDlgFinished(int)));
+
+ dialog->show();
+ }
+ }
+
+-void Metalink::filesSelected()
++void Metalink::fileDlgFinished(int result)
+ {
++ //BEGIN HACK if the dialog was not accepted untick every file, so that the download does not start
++ //generally setStatus should do the job as well, but does not as it appears
++ if (result != QDialog::Accepted) {
++ for (int row = 0; row < fileModel()->rowCount(); ++row) {
++ QModelIndex index = fileModel()->index(row, FileItem::File);
++ if (index.isValid()) {
++ fileModel()->setData(index, Qt::Unchecked, Qt::CheckStateRole);
++ }
++ }
++ }
++ //END
++
+ QModelIndexList files = fileModel()->fileIndexes(FileItem::File);
++ int numFilesSelected = 0;
+ foreach (const QModelIndex &index, files)
+ {
+ const KUrl dest = fileModel()->getUrl(index);
+@@ -244,6 +260,9 @@ void Metalink::filesSelected()
+ if (m_dataSourceFactory.contains(dest))
+ {
+ m_dataSourceFactory[dest]->setDoDownload(doDownload);
++ if (doDownload) {
++ ++numFilesSelected;
++ }
+ }
+ }
+
+@@ -252,9 +271,15 @@ void Metalink::filesSelected()
+ processedSizeChanged();
+ speedChanged();
+
++ //no files selected to download or dialog rejected, stop the download
++ if (!numFilesSelected || (result != QDialog::Accepted)) {
++ setStatus(Job::Stopped);//FIXME
++ setTransferChange(Tc_Status, true);
++ return;
++ }
++
+ //some files may be set to download, so start them as long as the transfer is not stopped
+- if (status() != Job::Stopped)
+- {
++ if (status() != Job::Stopped) {
+ startMetalink();
+ }
+ }
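Review bot: The untick loop in `fileDlgFinished` walks `fileModel()->rowCount()` with the default parent, while the download flags further down are taken from `fileModel()->fileIndexes(FileItem::File)`, so the two passes may not cover the same set of files. If the model is hierarchical (it is shown in `ui.treeView`, and file names may contain `/`), entries below the top level could stay checked after Cancel and still receive `setDoDownload(true)`, unless `setData` on a parent propagates to its children, which is not visible here. Iterating the same list in the HACK block would remove the doubt: `foreach (const QModelIndex &index, fileModel()->fileIndexes(FileItem::File)) fileModel()->setData(index, Qt::Unchecked, Qt::CheckStateRole);`. The `//FIXME` after `setStatus(Job::Stopped)` should also say what remains to be fixed. Part of the function lies between the inner hunks and is not shown.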
diff --git a/net/kdenetwork4/patches/patch-bb b/net/kdenetwork4/patches/patch-bb
new file mode 100644
index 00000000000..f43662d0beb
--- /dev/null
+++ b/net/kdenetwork4/patches/patch-bb
@@ -0,0 +1,13 @@
+$NetBSD: patch-bb,v 1.1 2010/05/16 21:21:39 markd Exp $
+
+--- kget/transfer-plugins/metalink/metalink.h.orig 2009-11-13 10:58:48.000000000 +0000
++++ kget/transfer-plugins/metalink/metalink.h
+@@ -81,7 +81,7 @@ class Metalink : public Transfer
+
+ private Q_SLOTS:
+ void metalinkInit(const KUrl &url = KUrl(), const QByteArray &data = QByteArray());
+- void filesSelected();
++ void fileDlgFinished(int result);
+ void totalSizeChanged(KIO::filesize_t size);
+ void processedSizeChanged();
+ void speedChanged();
diff --git a/net/kdenetwork4/patches/patch-bc b/net/kdenetwork4/patches/patch-bc
new file mode 100644
index 00000000000..b74f15a4d3a
--- /dev/null
+++ b/net/kdenetwork4/patches/patch-bc
@@ -0,0 +1,19 @@
+$NetBSD: patch-bc,v 1.1 2010/05/16 21:21:39 markd Exp $
+
+--- kget/ui/metalinkcreator/metalinker.h.orig 2010-01-31 19:33:11.000000000 +0000
++++ kget/ui/metalinkcreator/metalinker.h
+@@ -259,6 +259,14 @@ class File
+ KIO::filesize_t size;
+ CommonData data;
+ Resources resources;
++
++ private:
++ /**
++ * Controlls if the name attribute is valid, i.e. it is not empty and
++ * does not contain any directory traversal directives or information,
++ * as described in the Metalink 4.0 specification 4.1.2.1.
++ */
++ bool isValidNameAttribute() const;
+ };
+
+ class Files
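Review bot: The doc comment on `isValidNameAttribute()` is the only statement of what counts as a safe `name`, and "directory traversal directives or information" leaves the rule open to interpretation. I would spell the contract out and fix the "Controlls" typo, for example `Checks whether the name attribute is valid: non-empty, relative, and without "." or ".." path components (Metalink 4.0 specification, 4.1.2.1).` The wording should be confirmed against the specification section it cites. The body of class `File` starts outside the hunk.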
diff --git a/net/kdenetwork4/patches/patch-bd b/net/kdenetwork4/patches/patch-bd
new file mode 100644
index 00000000000..2ab39a58b21
--- /dev/null
+++ b/net/kdenetwork4/patches/patch-bd
@@ -0,0 +1,87 @@
+$NetBSD: patch-bd,v 1.1 2010/05/16 21:21:39 markd Exp $
+
+--- kget/ui/metalinkcreator/metalinker.cpp.orig 2010-01-31 19:33:11.000000000 +0000
++++ kget/ui/metalinkcreator/metalinker.cpp
+@@ -528,14 +528,14 @@ void KGetMetalink::Verification::clear()
+
+ bool KGetMetalink::File::isValid() const
+ {
+- return !name.isEmpty() && resources.isValid();
++ return isValidNameAttribute() && resources.isValid();
+ }
+
+ void KGetMetalink::File::load(const QDomElement &e)
+ {
+ data.load(e);
+
+- name = e.attribute("name");
++ name = QUrl::fromPercentEncoding(e.attribute("name").toAscii());
+ size = e.firstChildElement("size").text().toULongLong();
+
+ verification.load(e);
+@@ -575,6 +575,22 @@ void KGetMetalink::File::clear()
+ resources.clear();
+ }
+
++
++bool KGetMetalink::File::isValidNameAttribute() const
++{
++ if (name.isEmpty()) {
++ kError(5001) << "Name attribute of Metalink::File is empty.";
++ return false;
++ }
++
++ if (name.contains(QRegExp("$(\\.\\.?)?/")) || name.contains("/../") || name.endsWith("/..")) {
++ kError(5001) << "Name attribute of Metalink::File contains directory traversal directives:" << name;
++ return false;
++ }
++
++ return true;
++}
++
+ #ifdef HAVE_NEPOMUK
+ QHash<QUrl, Nepomuk::Variant> KGetMetalink::File::properties() const
+ {
+@@ -584,13 +600,28 @@ QHash<QUrl, Nepomuk::Variant> KGetMetali
+
+ bool KGetMetalink::Files::isValid() const
+ {
+- bool isValid = !files.empty();
+- foreach (const File &file, files)
+- {
+- isValid &= file.isValid();
++ if (files.isEmpty()) {
++ return false;
++ }
++
++ QStringList fileNames;
++ foreach (const File &file, files) {
++ fileNames << file.name;
++ if (!file.isValid()) {
++ return false;
++ }
+ }
+
+- return isValid;
++ //The value of name must be unique for each file
++ while (!fileNames.isEmpty()) {
++ const QString fileName = fileNames.takeFirst();
++ if (fileNames.contains(fileName)) {
++ kError(5001) << "Metalink::File name" << fileName << "exists multiple times.";
++ return false;
++ }
++ }
++
++ return true;
+ }
+
+ void KGetMetalink::Files::load(const QDomElement &e)
+@@ -751,7 +782,7 @@ void KGetMetalink::Metalink_v3::parseFil
+
+ for (QDomElement elem = filesElem.firstChildElement("file"); !elem.isNull(); elem = elem.nextSiblingElement("file")) {
+ File file;
+- file.name = elem.attribute("name");
++ file.name = QUrl::fromPercentEncoding(elem.attribute("name").toAscii());
+ file.size = elem.firstChildElement("size").text().toULongLong();
+
+ file.data = parseCommonData(elem);
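Review bot: The pattern in `isValidNameAttribute()` starts with `$`, which QRegExp treats as the end-of-string assertion, so `"$(\\.\\.?)?/"` can never match and the leading-component check does nothing. A name that begins with `/`, `./` or `../` is therefore not rejected, because the two remaining tests only look for `/../` inside the name and `/..` at its end. The anchor was presumably meant to be `^`, as in `name.contains(QRegExp("^(\\.\\.?)?/"))`; a bare `..` name has no slash and needs its own test, e.g. `name == ".."`. Splitting the name on `/` and rejecting a leading `/` and any `.` or `..` component would cover all of these forms in one place.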