From f03cb6720e8fcdbaad86893dfcd327baccdf9cac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kornel=20Lesi=C5=84ski?= <kornel@geekhood.net>
Date: Wed, 20 Jan 2016 11:44:39 +0100
Subject: [PATCH] contrib/sparkle: secure updates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Felix Paul Kühne <fkuehne@videolan.org>
---
contrib/src/sparkle/rules.mak | 2 ++
...ts-to-non-HTTP-URLs-in-release-notes.patch | 20 +++++++++++++++++++
...n-of-local-files-via-file-XML-entiti.patch | 12 +++++++++++
3 files changed, 34 insertions(+)
create mode 100644 contrib/src/sparkle/sparkle-disable-redirects-to-non-HTTP-URLs-in-release-notes.patch
create mode 100644 contrib/src/sparkle/sparkle-prevent-inclusion-of-local-files-via-file-XML-entiti.patch
diff --git a/contrib/src/sparkle/rules.mak b/contrib/src/sparkle/rules.mak
index 41459aeb9bf8..0b758a7c18dd 100644
--- a/contrib/src/sparkle/rules.mak
+++ b/contrib/src/sparkle/rules.mak
@@ -16,6 +16,8 @@ sparkle: Sparkle-$(SPARKLE_VERSION).zip .sum-sparkle
$(UNPACK)
$(APPLY) $(SRC)/sparkle/sparkle-fix-compilation-on-snowleopard.patch
$(APPLY) $(SRC)/sparkle/sparkle-fix-runtime-exception-on-snowleopard.patch
+ $(APPLY) $(SRC)/sparkle/sparkle-disable-redirects-to-non-HTTP-URLs-in-release-notes.patch
+ $(APPLY) $(SRC)/sparkle/sparkle-prevent-inclusion-of-local-files-via-file-XML-entiti.patch
$(MOVE)
.sparkle: sparkle
diff --git a/contrib/src/sparkle/sparkle-disable-redirects-to-non-HTTP-URLs-in-release-notes.patch b/contrib/src/sparkle/sparkle-disable-redirects-to-non-HTTP-URLs-in-release-notes.patch
new file mode 100644
index 000000000000..d3eaf3d72ae8
--- /dev/null
+++ b/contrib/src/sparkle/sparkle-disable-redirects-to-non-HTTP-URLs-in-release-notes.patch
@@ -0,0 +1,20 @@
+diff -ru Sparkle-1.6.1/SUUpdateAlert.m Sparkle-1.6.1-fixed/SUUpdateAlert.m
+--- Sparkle-1.6.1/SUUpdateAlert.m 2014-04-26 00:22:59.000000000 +0200
++++ Sparkle-1.6.1-fixed/SUUpdateAlert.m 2016-01-20 11:38:47.000000000 +0100
+@@ -313,6 +313,16 @@
+
+ - (void)webView:sender decidePolicyForNavigationAction:(NSDictionary *)actionInformation request:(NSURLRequest *)request frame:frame decisionListener:listener
+ {
++ NSURL *requestURL = request.URL;
++ NSString *scheme = requestURL.scheme;
++ BOOL whitelistedSafe = [@"http" isEqualToString:scheme] || [@"https" isEqualToString:scheme] || [@"about:blank" isEqualToString:requestURL.absoluteString];
++
++ // Do not allow redirects to dangerous protocols such as file://
++ if (!whitelistedSafe) {
++ [listener ignore];
++ return;
++ }
++
+ if (webViewFinishedLoading) {
+ [[NSWorkspace sharedWorkspace] openURL:[request URL]];
+
diff --git a/contrib/src/sparkle/sparkle-prevent-inclusion-of-local-files-via-file-XML-entiti.patch b/contrib/src/sparkle/sparkle-prevent-inclusion-of-local-files-via-file-XML-entiti.patch
new file mode 100644
index 000000000000..bcfe595ed707
--- /dev/null
+++ b/contrib/src/sparkle/sparkle-prevent-inclusion-of-local-files-via-file-XML-entiti.patch
@@ -0,0 +1,12 @@
+diff -ru Sparkle-1.6.1/SUAppcast.m Sparkle-1.6.1-fixed/SUAppcast.m
+--- Sparkle-1.6.1/SUAppcast.m 2016-01-20 11:39:11.000000000 +0100
++++ Sparkle-1.6.1-fixed/SUAppcast.m 2016-01-20 11:40:53.000000000 +0100
+@@ -92,7 +92,7 @@
+
+ if (downloadFilename)
+ {
+- NSUInteger options = NSXMLDocumentTidyXML;
++ NSUInteger options = NSXMLDocumentTidyXML | NSXMLNodeLoadExternalEntitiesNever;
+ document = [[[NSXMLDocument alloc] initWithContentsOfURL:[NSURL fileURLWithPath:downloadFilename] options:options error:&error] autorelease];
+
+ [[NSFileManager defaultManager] removeItemAtPath:downloadFilename error:nil];
--
GitLab