File kget43_CVE-2010-1000-r1126227.diff of Package kdenetwork4
Index: kget/transfer-plugins/metalink/metalinker.h
===================================================================
--- kget/transfer-plugins/metalink/metalinker.h (revision 1126226)
+++ kget/transfer-plugins/metalink/metalinker.h (working copy)
@@ -1,6 +1,7 @@
/* This file is part of the KDE project
Copyright (C) 2007 Manolo Valdes <nolis71cu@gmail.com>
+ Copyright (C) 2010 Matthias Fuchs <mat69@gmx.net>
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public
@@ -18,6 +19,14 @@ class MlinkFileData
{
public:
MlinkFileData() {}
+
+ /**
+ * Controlls if the name attribute is valid, i.e. it is not empty and
+ * does not contain any directory traversal directives or information
+ * In case of faulty fileNames the MlinkFile gets discarded
+ */
+ bool isValidNameAttribute() const;
+
QString fileName;
QString md5;
QString sha256;
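Review bot: The doc comment on `isValidNameAttribute()` says the faulty MlinkFile gets discarded, but the parser hunk in metalinker.cpp clears `fileData` and returns, so one bad name rejects the whole metalink. The comment should say that and list what is actually rejected, e.g. `Checks that the name attribute is not empty, does not start with "/" and has no ".." path component; the parser rejects the whole metalink if any file fails this check.` "Controlls" should read "Checks". The class body continues outside the hunk.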
Index: kget/transfer-plugins/metalink/metalinker.cpp
===================================================================
--- kget/transfer-plugins/metalink/metalinker.cpp (revision 1126226)
+++ kget/transfer-plugins/metalink/metalinker.cpp (working copy)
@@ -1,6 +1,7 @@
/* This file is part of the KDE project
Copyright (C) 2007 Manolo Valdes <nolis71cu@gmail.com>
+ Copyright (C) 2010 Matthias Fuchs <mat69@gmx.net>
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public
@@ -16,6 +17,23 @@
#include <QDomElement>
+bool MlinkFileData::isValidNameAttribute() const
+{
+ if (fileName.isEmpty()) {
+ kError(5001) << "Name attribute of Metalink::File is empty.";
+ return false;
+ }
+
+ QStringList components = fileName.split('/');
+
+ if (fileName.startsWith("/") || components.contains("..")) {
+ kError(5001) << "Name attribute of Metalink::File contains directory traversal directives:" << fileName;
+ return false;
+ }
+
+ return true;
+}
+
Metalinker::Metalinker()
{
}
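Review bot: `isValidNameAttribute()` treats only `/` as a path separator, so on a platform where `\` also separates directories a name written with backslashes passes both `startsWith("/")` and `components.contains("..")`. Drive-letter absolute names are not covered either. If KGet is built for such platforms, normalise first with `const QString normalized = QDir::fromNativeSeparators(fileName);` and also reject `QDir::isAbsolutePath(normalized)` (this needs `#include <QDir>`). The stronger guarantee is at the point where the destination is built: resolve it with `QDir::cleanPath()` and confirm it is still under the chosen download directory before writing. That call site is not visible in this diff.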
@@ -36,12 +54,24 @@ QList<MlinkFileData> Metalinker::parseMe
kDebug(5001) << files.length() << " <file> tags found";
+ QStringList fileNames;
for( uint i=0 ; i < files.length() ; ++i )
{
QDomNode file = files.item(i);
MlinkFileData data;
- data.fileName = file.toElement().attribute("name");
+ data.fileName = QUrl::fromPercentEncoding(file.toElement().attribute("name").toAscii());
kDebug(5001) << "filename: "<< data.fileName;
+ if (!data.isValidNameAttribute()) {
+ fileData.clear();
+ return fileData;
+ }
+
+ if (fileNames.contains(data.fileName)) {
+ kError(5001) << "Metalink::File name" << data.fileName << "exists multiple times.";
+ fileData.clear();
+ return fileData;
+ }
+ fileNames << data.fileName;
QDomNodeList hashes = file.toElement().
elementsByTagName("verification").
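Review bot: `attribute("name").toAscii()` on the new `data.fileName` line replaces every non-ASCII character with `?` before `QUrl::fromPercentEncoding()` runs, so a literal non-ASCII name is altered before it is validated and compared; `attribute("name").toUtf8()` keeps the bytes intact. The duplicate test `fileNames.contains(data.fileName)` compares raw strings, so names differing only by a `./` component, a doubled `/` or letter case are accepted as distinct although they can resolve to the same file. Comparing `QDir::cleanPath(data.fileName)` would catch the first two. The name is decoded exactly once here, so the check only holds if no later code percent-decodes it again, which cannot be confirmed from this hunk. The loop body continues outside the hunk.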