From 56ed00d163a2ac61e2592fadeac59d7321146f4f Mon Sep 17 00:00:00 2001
From: Than Ngo <than@fedoraproject.org>
Date: May 06 2010 16:04:28 +0000
Subject: - bz#589169, fix multiple flaws in webkit CVE-2010-0047, CVE-2010-0648,

    CVE-2010-0656

---

diff --git a/qt-everywhere-opensource-src-4.6.2-cve-2010-0047.patch b/qt-everywhere-opensource-src-4.6.2-cve-2010-0047.patch
new file mode 100644
index 0000000..e39290c
--- /dev/null
+++ b/qt-everywhere-opensource-src-4.6.2-cve-2010-0047.patch
@@ -0,0 +1,18 @@
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp.cve-2010-0047-call-after-free qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp.cve-2010-0047-call-after-free	2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/FrameLoader.cpp	2010-05-06 12:21:13.852469331 +0200
+@@ -1260,9 +1260,11 @@ bool FrameLoader::requestObject(RenderPa
+ 
+     ASSERT(renderer->node()->hasTagName(objectTag) || renderer->node()->hasTagName(embedTag));
+     HTMLPlugInElement* element = static_cast<HTMLPlugInElement*>(renderer->node());
+-    
+-    // FIXME: OK to always make a new frame? When does the old frame get removed?
+-    return loadSubframe(element, completedURL, frameName, m_outgoingReferrer);
++
++    // If the plug-in element already contains a subframe, requestFrame will re-use it. Otherwise,
++    // it will create a new frame and set it as the RenderPart's widget, causing what was previously 
++    // in the widget to be torn down.
++    return requestFrame(element, completedURL, frameName);
+ }
+ 
+ bool FrameLoader::shouldUsePlugin(const KURL& url, const String& mimeType, bool hasFallback, bool& useFallback)
diff --git a/qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch b/qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch
new file mode 100644
index 0000000..495759d
--- /dev/null
+++ b/qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch
@@ -0,0 +1,782 @@
+diff -U0 qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/ChangeLog	2010-05-03 15:55:37.703101680 +0200
+@@ -0,0 +1,90 @@
++2010-01-20  Adam Barth  <abarth@webkit.org>
++
++        Reviewed by Darin Adler.
++
++        Stylesheet href property shows redirected URL unlike other browsers
++        https://bugs.webkit.org/show_bug.cgi?id=33683
++
++        Teach StyleSheet the difference between original and final URLs in
++        redirect chains.  Unfortunately, StyleSheet needs to know both of these
++        URLs.  The original URL is needed for the href property and the final
++        URL is needed as the baseURL.
++
++        This change required touching a lot of lines of code because we need to
++        plumb this information to the StyleSheet object.  I audited all
++        existing clients of href() and setHref() to see whether they wanted the
++        original or final URLs.  I then updated the clients (except the JS
++        bindings themselves) to use the correct accessor.
++
++        Test: http/tests/security/stylesheet-href-redirect.html
++
++        * css/CSSImportRule.cpp:
++        (WebCore::CSSImportRule::setCSSStyleSheet):
++        (WebCore::CSSImportRule::insertedIntoParent):
++        * css/CSSImportRule.h:
++        * css/CSSStyleSheet.cpp:
++        (WebCore::CSSStyleSheet::CSSStyleSheet):
++        * css/CSSStyleSheet.h:
++        (WebCore::CSSStyleSheet::create): 
++        (WebCore::CSSStyleSheet::createInline): Added a new constructor to deal
++        with "inline" style sheets that don't have a distinct original and
++        final URL.
++        * css/StyleBase.cpp:
++        (WebCore::StyleBase::baseURL): This code wants to use the final URL,
++        not the original URL.  Updated it to grab the baseURL directly.
++        * css/StyleSheet.cpp:
++        (WebCore::StyleSheet::StyleSheet):
++        * css/StyleSheet.h:
++        (WebCore::StyleSheet::href):
++        (WebCore::StyleSheet::setBaseURL): This function really just updates
++        the base URL of the style sheet, so I made it more explicit.
++        (WebCore::StyleSheet::putativeBaseURL): We need an accessor for the
++        base URL, but baseURL is already taken.
++        * dom/Document.cpp:
++        (WebCore::Document::updateBaseURL):
++        (WebCore::Document::pageUserSheet):
++        (WebCore::Document::pageGroupUserSheets):
++        (WebCore::Document::elementSheet):
++        (WebCore::Document::mappedElementSheet):
++        * dom/ProcessingInstruction.cpp:
++        (WebCore::ProcessingInstruction::checkStyleSheet):
++        (WebCore::ProcessingInstruction::setCSSStyleSheet):
++        (WebCore::ProcessingInstruction::setXSLStyleSheet):
++        * dom/ProcessingInstruction.h:
++        * dom/StyleElement.cpp:
++        (WebCore::StyleElement::createSheet):
++        * html/HTMLLinkElement.cpp:
++        (WebCore::HTMLLinkElement::setCSSStyleSheet):
++        * html/HTMLLinkElement.h:
++        * loader/CachedCSSStyleSheet.cpp:
++        (WebCore::CachedCSSStyleSheet::didAddClient):
++        (WebCore::CachedCSSStyleSheet::checkNotify): This code now passes both
++        the original and final URL into setCSSStyleSheet so that the style
++        sheet can have both.
++        * loader/CachedResourceClient.h:
++        (WebCore::CachedResourceClient::setCSSStyleSheet):
++        (WebCore::CachedResourceClient::setXSLStyleSheet):
++        * loader/CachedXSLStyleSheet.cpp:
++        (WebCore::CachedXSLStyleSheet::didAddClient):
++        (WebCore::CachedXSLStyleSheet::checkNotify): I don't have any direct
++        evidence that we need to change the XSLStyleSheet behavior, which is
++        why I wasn't able to add a test for the behavior.  However, the objects
++        are parallel enough that it seemed like the right thing to do.
++        * xml/XSLImportRule.cpp:
++        (WebCore::XSLImportRule::setXSLStyleSheet):
++        (WebCore::XSLImportRule::loadSheet):
++        * xml/XSLImportRule.h:
++        * xml/XSLStyleSheet.h:
++        (WebCore::XSLStyleSheet::create):
++        (WebCore::XSLStyleSheet::createEmbedded):
++        * xml/XSLStyleSheetLibxslt.cpp:
++        (WebCore::XSLStyleSheet::XSLStyleSheet):
++        (WebCore::XSLStyleSheet::parseString):
++        (WebCore::XSLStyleSheet::loadChildSheets):
++        * xml/XSLStyleSheetQt.cpp:
++        (WebCore::XSLStyleSheet::XSLStyleSheet):
++        * xml/XSLTProcessorLibxslt.cpp:
++        (WebCore::xsltStylesheetPointer):
++        * xml/XSLTProcessorQt.cpp:
++        (WebCore::XSLTProcessor::transformToString):
++
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp.cve-2010-0648-stylesheet-redir-leak	2010-05-03 15:55:37.652102626 +0200
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.cpp	2010-05-03 16:49:14.631038884 +0200
+@@ -55,11 +55,11 @@ CSSImportRule::~CSSImportRule()
+         m_cachedSheet->removeClient(this);
+ }
+ 
+-void CSSImportRule::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet)
++void CSSImportRule::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet)
+ {
+     if (m_styleSheet)
+         m_styleSheet->setParent(0);
+-    m_styleSheet = CSSStyleSheet::create(this, url, charset);
++    m_styleSheet = CSSStyleSheet::create(this, href, baseURL, charset);
+ 
+     bool crossOriginCSS = false;
+     bool validMIMEType = false;
+@@ -70,17 +70,17 @@ void CSSImportRule::setCSSStyleSheet(con
+     String sheetText = sheet->sheetText(enforceMIMEType, &validMIMEType);
+     m_styleSheet->parseString(sheetText, strict);
+ 
+-    if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
++    if (!parent || !parent->doc() || !parent->doc()->securityOrigin()->canRequest(baseURL))
+         crossOriginCSS = true;
+ 
+     if (crossOriginCSS && !validMIMEType && !m_styleSheet->hasSyntacticallyValidCSSHeader())
+-        m_styleSheet = CSSStyleSheet::create(this, url, charset);
++        m_styleSheet = CSSStyleSheet::create(this, href, baseURL, charset);
+ 
+     if (strict && parent && parent->doc() && parent->doc()->settings() && parent->doc()->settings()->needsSiteSpecificQuirks()) {
+         // Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
+         DEFINE_STATIC_LOCAL(const String, slashKHTMLFixesDotCss, ("/KHTMLFixes.css"));
+         DEFINE_STATIC_LOCAL(const String, mediaWikiKHTMLFixesStyleSheet, ("/* KHTML fix stylesheet */\n/* work around the horizontal scrollbars */\n#column-content { margin-left: 0; }\n\n"));
+-        if (url.endsWith(slashKHTMLFixesDotCss) && sheetText == mediaWikiKHTMLFixesStyleSheet) {
++        if (baseURL.string().endsWith(slashKHTMLFixesDotCss) && sheetText == mediaWikiKHTMLFixesStyleSheet) {
+             ASSERT(m_styleSheet->length() == 1);
+             ExceptionCode ec;
+             m_styleSheet->deleteRule(0, ec);
+@@ -109,15 +109,16 @@ void CSSImportRule::insertedIntoParent()
+         return;
+ 
+     String absHref = m_strHref;
+-    if (!parentSheet->href().isNull())
++    if (!parentSheet->putativeBaseURL().isNull())
+         // use parent styleheet's URL as the base URL
+-        absHref = KURL(KURL(ParsedURLString, parentSheet->href()), m_strHref).string();
++        absHref = KURL(parentSheet->putativeBaseURL(), m_strHref).string();
+ 
+     // Check for a cycle in our import chain.  If we encounter a stylesheet
+     // in our parent chain with the same URL, then just bail.
+     StyleBase* root = this;
+     for (StyleBase* curr = parent(); curr; curr = curr->parent()) {
+-        if (curr->isCSSStyleSheet() && absHref == static_cast<CSSStyleSheet*>(curr)->href())
++        // FIXME: This is wrong if the putativeBaseURL was updated via document::updateBaseURL. 
++        if (curr->isCSSStyleSheet() && absHref == static_cast<CSSStyleSheet*>(curr)->putativeBaseURL().string())
+             return;
+         root = curr;
+     }
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSImportRule.h	2010-05-03 15:55:37.740976769 +0200
+@@ -63,7 +63,7 @@ private:
+     virtual unsigned short type() const { return IMPORT_RULE; }
+ 
+     // from CachedResourceClient
+-    virtual void setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet*);
++    virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet*);
+ 
+     String m_strHref;
+     RefPtr<MediaList> m_lstMedia;
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak	2010-05-03 15:55:37.660977242 +0200
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.cpp	2010-05-03 15:55:37.740976769 +0200
+@@ -33,8 +33,8 @@
+ 
+ namespace WebCore {
+ 
+-CSSStyleSheet::CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const String& charset)
+-    : StyleSheet(parentSheet, href)
++CSSStyleSheet::CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const KURL& baseURL, const String& charset)
++    : StyleSheet(parentSheet, href, baseURL)
+     , m_doc(parentSheet ? parentSheet->doc() : 0)
+     , m_namespaces(0)
+     , m_charset(charset)
+@@ -45,8 +45,8 @@ CSSStyleSheet::CSSStyleSheet(CSSStyleShe
+ {
+ }
+ 
+-CSSStyleSheet::CSSStyleSheet(Node* parentNode, const String& href, const String& charset)
+-    : StyleSheet(parentNode, href)
++CSSStyleSheet::CSSStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, const String& charset)
++    : StyleSheet(parentNode, href, baseURL)
+     , m_doc(parentNode->document())
+     , m_namespaces(0)
+     , m_charset(charset)
+@@ -57,8 +57,8 @@ CSSStyleSheet::CSSStyleSheet(Node* paren
+ {
+ }
+ 
+-CSSStyleSheet::CSSStyleSheet(CSSRule* ownerRule, const String& href, const String& charset)
+-    : StyleSheet(ownerRule, href)
++CSSStyleSheet::CSSStyleSheet(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset)
++    : StyleSheet(ownerRule, href, baseURL)
+     , m_namespaces(0)
+     , m_charset(charset)
+     , m_loadCompleted(false)
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h.cve-2010-0648-stylesheet-redir-leak	2010-05-03 15:55:37.660977242 +0200
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/CSSStyleSheet.h	2010-05-03 15:55:37.745101706 +0200
+@@ -38,27 +38,31 @@ class CSSStyleSheet : public StyleSheet 
+ public:
+     static PassRefPtr<CSSStyleSheet> create()
+     {
+-        return adoptRef(new CSSStyleSheet(static_cast<CSSStyleSheet*>(0), String(), String()));
++        return adoptRef(new CSSStyleSheet(static_cast<CSSStyleSheet*>(0), String(), KURL(), String()));
+     }
+     static PassRefPtr<CSSStyleSheet> create(Node* ownerNode)
+     {
+-        return adoptRef(new CSSStyleSheet(ownerNode, String(), String()));
++        return adoptRef(new CSSStyleSheet(ownerNode, String(), KURL(), String()));
+     }
+-    static PassRefPtr<CSSStyleSheet> create(Node* ownerNode, const String& href)
++    static PassRefPtr<CSSStyleSheet> create(Node* ownerNode, const String& href, const KURL& baseURL)
+     {
+-        return adoptRef(new CSSStyleSheet(ownerNode, href, String()));
++        return adoptRef(new CSSStyleSheet(ownerNode, href, baseURL, String()));
+     }
+-    static PassRefPtr<CSSStyleSheet> create(Node* ownerNode, const String& href, const String& charset)
++    static PassRefPtr<CSSStyleSheet> create(Node* ownerNode, const String& href, const KURL& baseURL, const String& charset)
+     {
+-        return adoptRef(new CSSStyleSheet(ownerNode, href, charset));
++        return adoptRef(new CSSStyleSheet(ownerNode, href, baseURL, charset));
+     }
+-    static PassRefPtr<CSSStyleSheet> create(CSSRule* ownerRule, const String& href, const String& charset)
++    static PassRefPtr<CSSStyleSheet> create(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset)
+     {
+-        return adoptRef(new CSSStyleSheet(ownerRule, href, charset));
++        return adoptRef(new CSSStyleSheet(ownerRule, href, baseURL, charset));
++    }
++    static PassRefPtr<CSSStyleSheet> createInline(Node* ownerNode, const KURL& baseURL)
++    {
++        return adoptRef(new CSSStyleSheet(ownerNode, baseURL.string(), baseURL, String()));
+     }
+ 
+     virtual ~CSSStyleSheet();
+-    
++
+     CSSRule* ownerRule() const;
+     PassRefPtr<CSSRuleList> cssRules(bool omitCharsetRules = false);
+     unsigned insertRule(const String& rule, unsigned index, ExceptionCode&);
+@@ -72,7 +76,7 @@ public:
+ 
+     void addNamespace(CSSParser*, const AtomicString& prefix, const AtomicString& uri);
+     const AtomicString& determineNamespace(const AtomicString& prefix);
+-    
++
+     virtual void styleSheetChanged();
+ 
+     virtual bool parseString(const String&, bool strict = true);
+@@ -99,10 +103,10 @@ public:
+     bool hasSyntacticallyValidCSSHeader() const { return m_hasSyntacticallyValidCSSHeader; }
+ 
+ private:
+-    CSSStyleSheet(Node* ownerNode, const String& href, const String& charset);
+-    CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const String& charset);
+-    CSSStyleSheet(CSSRule* ownerRule, const String& href, const String& charset);
+-    
++    CSSStyleSheet(Node* ownerNode, const String& href, const KURL& baseURL, const String& charset);
++    CSSStyleSheet(CSSStyleSheet* parentSheet, const String& href, const KURL& baseURL, const String& charset);
++    CSSStyleSheet(CSSRule* ownerRule, const String& href, const KURL& baseURL, const String& charset);
++
+     virtual bool isCSSStyleSheet() const { return true; }
+     virtual String type() const { return "text/css"; }
+ 
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:20.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleBase.cpp	2010-05-03 15:55:37.757976382 +0200
+@@ -56,9 +56,9 @@ KURL StyleBase::baseURL() const
+     StyleSheet* sheet = const_cast<StyleBase*>(this)->stylesheet();
+     if (!sheet)
+         return KURL();
+-    if (!sheet->href().isNull())
+-        return KURL(ParsedURLString, sheet->href());
+-    if (sheet->parent()) 
++    if (!sheet->putativeBaseURL().isNull())
++        return sheet->putativeBaseURL();
++    if (sheet->parent())
+         return sheet->parent()->baseURL();
+     if (!sheet->ownerNode()) 
+         return KURL();
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.cpp	2010-05-03 15:55:37.758976847 +0200
+@@ -26,27 +26,30 @@
+ 
+ namespace WebCore {
+ 
+-StyleSheet::StyleSheet(StyleSheet* parentSheet, const String& href)
++StyleSheet::StyleSheet(StyleSheet* parentSheet, const String& href, const KURL& baseURL)
+     : StyleList(parentSheet)
+     , m_parentNode(0)
+-    , m_strHref(href)
++    , m_href(href)
++    , m_baseURL(baseURL)
+     , m_disabled(false)
+ {
+ }
+ 
+ 
+-StyleSheet::StyleSheet(Node* parentNode, const String& href)
++StyleSheet::StyleSheet(Node* parentNode, const String& href, const KURL& baseURL)
+     : StyleList(0)
+     , m_parentNode(parentNode)
+-    , m_strHref(href)
++    , m_href(href)
++    , m_baseURL(baseURL)
+     , m_disabled(false)
+ {
+ }
+ 
+-StyleSheet::StyleSheet(StyleBase* owner, const String& href)
++StyleSheet::StyleSheet(StyleBase* owner, const String& href, const KURL& baseURL)
+     : StyleList(owner)
+     , m_parentNode(0)
+-    , m_strHref(href)
++    , m_href(href)
++    , m_baseURL(baseURL)
+     , m_disabled(false)
+ {
+ }
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/css/StyleSheet.h	2010-05-03 15:55:37.758976847 +0200
+@@ -41,8 +41,18 @@ public:
+ 
+     Node* ownerNode() const { return m_parentNode; }
+     StyleSheet *parentStyleSheet() const;
+-    const String& href() const { return m_strHref; }
+-    void setHref(const String& href) { m_strHref = href; }
++
++    // Note that href is the URL that started the redirect chain that led to
++    // this style sheet. This property probably isn't useful for much except
++    // the JavaScript binding (which needs to use this value for security).
++    const String& href() const { return m_href; }
++
++    void setBaseURL(const KURL& baseURL) { m_baseURL = baseURL; }
++
++    // Notice that this object inherits a baseURL function from StyleBase that
++    // crawls the parent() relation looking for a non-0 putativeBaseURL.
++    const KURL& putativeBaseURL() const { return m_baseURL; }
++
+     const String& title() const { return m_strTitle; }
+     void setTitle(const String& s) { m_strTitle = s; }
+     MediaList* media() const { return m_media.get(); }
+@@ -58,15 +68,16 @@ public:
+     virtual bool parseString(const String&, bool strict = true) = 0;
+ 
+ protected:
+-    StyleSheet(Node* ownerNode, const String& href);
+-    StyleSheet(StyleSheet* parentSheet, const String& href);
+-    StyleSheet(StyleBase* owner, const String& href);
++    StyleSheet(Node* ownerNode, const String& href, const KURL& baseURL);
++    StyleSheet(StyleSheet* parentSheet, const String& href, const KURL& baseURL);
++    StyleSheet(StyleBase* owner, const String& href, const KURL& baseURL);
+ 
+ private:
+     virtual bool isStyleSheet() const { return true; }
+ 
+     Node* m_parentNode;
+-    String m_strHref;
++    String m_href;
++    KURL m_baseURL;
+     String m_strTitle;
+     RefPtr<MediaList> m_media;
+     bool m_disabled;
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/Document.cpp	2010-05-03 15:55:37.760977901 +0200
+@@ -1920,9 +1920,9 @@ void Document::updateBaseURL()
+         m_baseURL = KURL();
+ 
+     if (m_elemSheet)
+-        m_elemSheet->setHref(m_baseURL.string());
++        m_elemSheet->setBaseURL(m_baseURL);
+     if (m_mappedElementSheet)
+-        m_mappedElementSheet->setHref(m_baseURL.string());
++        m_mappedElementSheet->setBaseURL(m_baseURL);
+ }
+ 
+ String Document::userAgent(const KURL& url) const
+@@ -1944,7 +1944,7 @@ CSSStyleSheet* Document::pageUserSheet()
+         return 0;
+     
+     // Parse the sheet and cache it.
+-    m_pageUserSheet = CSSStyleSheet::create(this, settings()->userStyleSheetLocation());
++    m_pageUserSheet = CSSStyleSheet::createInline(this, settings()->userStyleSheetLocation());
+     m_pageUserSheet->setIsUserStyleSheet(true);
+     m_pageUserSheet->parseString(userSheetText, !inCompatMode());
+     return m_pageUserSheet.get();
+@@ -1979,7 +1979,7 @@ const Vector<RefPtr<CSSStyleSheet> >* Do
+             const UserStyleSheet* sheet = sheets->at(i).get();
+             if (!UserContentURLPattern::matchesPatterns(url(), sheet->whitelist(), sheet->blacklist()))
+                 continue;
+-            RefPtr<CSSStyleSheet> parsedSheet = CSSStyleSheet::create(const_cast<Document*>(this), sheet->url());
++            RefPtr<CSSStyleSheet> parsedSheet = CSSStyleSheet::createInline(const_cast<Document*>(this), sheet->url());
+             parsedSheet->setIsUserStyleSheet(true);
+             parsedSheet->parseString(sheet->source(), !inCompatMode());
+             if (!m_pageGroupUserSheets)
+@@ -2001,14 +2001,14 @@ void Document::clearPageGroupUserSheets(
+ CSSStyleSheet* Document::elementSheet()
+ {
+     if (!m_elemSheet)
+-        m_elemSheet = CSSStyleSheet::create(this, m_baseURL.string());
++        m_elemSheet = CSSStyleSheet::createInline(this, m_baseURL);
+     return m_elemSheet.get();
+ }
+ 
+ CSSStyleSheet* Document::mappedElementSheet()
+ {
+     if (!m_mappedElementSheet)
+-        m_mappedElementSheet = CSSStyleSheet::create(this, m_baseURL.string());
++        m_mappedElementSheet = CSSStyleSheet::createInline(this, m_baseURL);
+     return m_mappedElementSheet.get();
+ }
+ 
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp.cve-2010-0648-stylesheet-redir-leak	2010-05-03 15:55:37.661976647 +0200
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.cpp	2010-05-03 15:55:37.761977599 +0200
+@@ -138,7 +138,8 @@ void ProcessingInstruction::checkStyleSh
+             // We need to make a synthetic XSLStyleSheet that is embedded.  It needs to be able
+             // to kick off import/include loads that can hang off some parent sheet.
+             if (m_isXSL) {
+-                m_sheet = XSLStyleSheet::createEmbedded(this, m_localHref);
++                KURL baseURL = KURL(ParsedURLString, m_localHref);
++                m_sheet = XSLStyleSheet::createEmbedded(this, m_localHref, baseURL);
+                 m_loading = false;
+             }
+ #endif
+@@ -196,12 +197,12 @@ bool ProcessingInstruction::sheetLoaded(
+     return false;
+ }
+ 
+-void ProcessingInstruction::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet)
++void ProcessingInstruction::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet)
+ {
+ #if ENABLE(XSLT)
+     ASSERT(!m_isXSL);
+ #endif
+-    RefPtr<CSSStyleSheet> newSheet = CSSStyleSheet::create(this, url, charset);
++    RefPtr<CSSStyleSheet> newSheet = CSSStyleSheet::create(this, href, baseURL, charset);
+     m_sheet = newSheet;
+     // We don't need the cross-origin security check here because we are
+     // getting the sheet text in "strict" mode. This enforces a valid CSS MIME
+@@ -213,10 +214,10 @@ void ProcessingInstruction::setCSSStyleS
+ }
+ 
+ #if ENABLE(XSLT)
+-void ProcessingInstruction::setXSLStyleSheet(const String& url, const String& sheet)
++void ProcessingInstruction::setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet)
+ {
+     ASSERT(m_isXSL);
+-    m_sheet = XSLStyleSheet::create(this, url);
++    m_sheet = XSLStyleSheet::create(this, href, baseURL);
+     parseStyleSheet(sheet);
+ }
+ #endif
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/ProcessingInstruction.h	2010-05-03 15:55:37.761977599 +0200
+@@ -68,9 +68,9 @@ private:
+     virtual void removedFromDocument();
+ 
+     void checkStyleSheet();
+-    virtual void setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet*);
++    virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet*);
+ #if ENABLE(XSLT)
+-    virtual void setXSLStyleSheet(const String& url, const String& sheet);
++    virtual void setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet);
+ #endif
+ 
+     bool isLoading() const;
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/dom/StyleElement.cpp	2010-05-03 15:55:37.762976937 +0200
+@@ -103,7 +103,7 @@ void StyleElement::createSheet(Element* 
+         if (screenEval.eval(mediaList.get()) || printEval.eval(mediaList.get())) {
+             document->addPendingSheet();
+             setLoading(true);
+-            m_sheet = CSSStyleSheet::create(e, String(), document->inputEncoding());
++            m_sheet = CSSStyleSheet::create(e, String(), KURL(), document->inputEncoding());
+             m_sheet->parseString(text, !document->inCompatMode());
+             m_sheet->setMedia(mediaList.get());
+             m_sheet->setTitle(e->title());
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp.cve-2010-0648-stylesheet-redir-leak	2010-05-03 15:55:37.661976647 +0200
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.cpp	2010-05-03 17:02:45.528101154 +0200
+@@ -253,9 +253,9 @@ void HTMLLinkElement::finishParsingChild
+     HTMLElement::finishParsingChildren();
+ }
+ 
+-void HTMLLinkElement::setCSSStyleSheet(const String& url, const String& charset, const CachedCSSStyleSheet* sheet)
++void HTMLLinkElement::setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet)
+ {
+-    m_sheet = CSSStyleSheet::create(this, url, charset);
++    m_sheet = CSSStyleSheet::create(this, href, baseURL, charset);
+ 
+     bool strictParsing = !document()->inCompatMode();
+     bool enforceMIMEType = strictParsing;
+@@ -275,11 +275,11 @@ void HTMLLinkElement::setCSSStyleSheet(c
+     // valid CSS rule.
+     // This prevents an attacker playing games by injecting CSS strings into
+     // HTML, XML, JSON, etc. etc.
+-    if (!document()->securityOrigin()->canRequest(KURL(ParsedURLString, url)))
++    if (!document()->securityOrigin()->canRequest(baseURL))
+         crossOriginCSS = true;
+ 
+     if (crossOriginCSS && !validMIMEType && !m_sheet->hasSyntacticallyValidCSSHeader())
+-        m_sheet = CSSStyleSheet::create(this, url, charset);
++        m_sheet = CSSStyleSheet::create(this, href, baseURL, charset);
+ 
+     if (strictParsing && document()->settings() && document()->settings()->needsSiteSpecificQuirks()) {
+         // Work around <https://bugs.webkit.org/show_bug.cgi?id=28350>.
+@@ -287,7 +287,7 @@ void HTMLLinkElement::setCSSStyleSheet(c
+         DEFINE_STATIC_LOCAL(const String, mediaWikiKHTMLFixesStyleSheet, ("/* KHTML fix stylesheet */\n/* work around the horizontal scrollbars */\n#column-content { margin-left: 0; }\n\n"));
+         // There are two variants of KHTMLFixes.css. One is equal to mediaWikiKHTMLFixesStyleSheet,
+         // while the other lacks the second trailing newline.
+-        if (url.endsWith(slashKHTMLFixesDotCss) && !sheetText.isNull() && mediaWikiKHTMLFixesStyleSheet.startsWith(sheetText)
++        if (baseURL.string().endsWith(slashKHTMLFixesDotCss) && !sheetText.isNull() && mediaWikiKHTMLFixesStyleSheet.startsWith(sheetText)
+                 && sheetText.length() >= mediaWikiKHTMLFixesStyleSheet.length() - 1) {
+             ASSERT(m_sheet->length() == 1);
+             ExceptionCode ec;
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/html/HTMLLinkElement.h	2010-05-03 15:55:37.773083096 +0200
+@@ -79,7 +79,7 @@ public:
+     virtual void removedFromDocument();
+ 
+     // from CachedResourceClient
+-    virtual void setCSSStyleSheet(const String &url, const String& charset, const CachedCSSStyleSheet* sheet);
++    virtual void setCSSStyleSheet(const String& href, const KURL& baseURL, const String& charset, const CachedCSSStyleSheet* sheet);
+     bool isLoading() const;
+     virtual bool sheetLoaded();
+ 
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak	2010-05-03 15:55:37.661976647 +0200
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedCSSStyleSheet.cpp	2010-05-03 15:55:37.774976529 +0200
+@@ -52,9 +52,9 @@ CachedCSSStyleSheet::~CachedCSSStyleShee
+ void CachedCSSStyleSheet::didAddClient(CachedResourceClient *c)
+ {
+     if (!m_loading)
+-        c->setCSSStyleSheet(m_url, m_decoder->encoding().name(), this);
++        c->setCSSStyleSheet(m_url, m_response.url(), m_decoder->encoding().name(), this);
+ }
+-    
++
+ void CachedCSSStyleSheet::allClientsRemoved()
+ {
+     if (isSafeToMakePurgeable())
+@@ -112,7 +112,7 @@ void CachedCSSStyleSheet::checkNotify()
+ 
+     CachedResourceClientWalker w(m_clients);
+     while (CachedResourceClient *c = w.next())
+-        c->setCSSStyleSheet(m_response.url().string(), m_decoder->encoding().name(), this);
++        c->setCSSStyleSheet(m_url, m_response.url(), m_decoder->encoding().name(), this);
+ }
+ 
+ void CachedCSSStyleSheet::error()
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedResourceClient.h	2010-05-03 15:55:37.775976911 +0200
+@@ -42,6 +42,7 @@ namespace WebCore {
+     class String;
+     class Image;
+     class IntRect;
++    class KURL;
+ 
+     /**
+      * @internal
+@@ -65,8 +66,8 @@ namespace WebCore {
+         // e.g., in the b/f cache or in a background tab).
+         virtual bool willRenderImage(CachedImage*) { return false; }
+ 
+-        virtual void setCSSStyleSheet(const String& /*URL*/, const String& /*charset*/, const CachedCSSStyleSheet*) { }
+-        virtual void setXSLStyleSheet(const String& /*URL*/, const String& /*sheet*/) { }
++        virtual void setCSSStyleSheet(const String& /* href */, const KURL& /* baseURL */, const String& /* charset */, const CachedCSSStyleSheet*) { }
++        virtual void setXSLStyleSheet(const String& /* href */, const KURL& /* baseURL */, const String& /* sheet */) { }
+ 
+         virtual void fontLoaded(CachedFont*) {};
+ 
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:19.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/loader/CachedXSLStyleSheet.cpp	2010-05-03 15:55:37.789038977 +0200
+@@ -48,7 +48,7 @@ CachedXSLStyleSheet::CachedXSLStyleSheet
+ void CachedXSLStyleSheet::didAddClient(CachedResourceClient* c)
+ {  
+     if (!m_loading)
+-        c->setXSLStyleSheet(m_url, m_sheet);
++        c->setXSLStyleSheet(m_url, m_response.url(), m_sheet);
+ }
+ 
+ void CachedXSLStyleSheet::setEncoding(const String& chs)
+@@ -83,10 +83,9 @@ void CachedXSLStyleSheet::checkNotify()
+     
+     CachedResourceClientWalker w(m_clients);
+     while (CachedResourceClient *c = w.next())
+-        c->setXSLStyleSheet(m_url, m_sheet);
++        c->setXSLStyleSheet(m_url, m_response.url(), m_sheet);
+ }
+ 
+-
+ void CachedXSLStyleSheet::error()
+ {
+     m_loading = false;
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.cpp	2010-05-03 15:55:37.789038977 +0200
+@@ -52,13 +52,13 @@ XSLStyleSheet* XSLImportRule::parentStyl
+     return (parent() && parent()->isXSLStyleSheet()) ? static_cast<XSLStyleSheet*>(parent()) : 0;
+ }
+ 
+-void XSLImportRule::setXSLStyleSheet(const String& url, const String& sheet)
++void XSLImportRule::setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet)
+ {
+     if (m_styleSheet)
+         m_styleSheet->setParent(0);
+-    
+-    m_styleSheet = XSLStyleSheet::create(this, url);
+-    
++
++    m_styleSheet = XSLStyleSheet::create(this, href, baseURL);
++
+     XSLStyleSheet* parent = parentStyleSheet();
+     if (parent)
+         m_styleSheet->setParentStyleSheet(parent);
+@@ -87,14 +87,14 @@ void XSLImportRule::loadSheet()
+     
+     String absHref = m_strHref;
+     XSLStyleSheet* parentSheet = parentStyleSheet();
+-    if (!parentSheet->href().isNull())
++    if (!parentSheet->putativeBaseURL().isNull())
+         // use parent styleheet's URL as the base URL
+-        absHref = KURL(KURL(ParsedURLString, parentSheet->href()), m_strHref).string();
++        absHref = KURL(parentSheet->putativeBaseURL(), m_strHref).string();
+     
+     // Check for a cycle in our import chain.  If we encounter a stylesheet
+     // in our parent chain with the same URL, then just bail.
+     for (parent = this->parent(); parent; parent = parent->parent()) {
+-        if (parent->isXSLStyleSheet() && absHref == static_cast<XSLStyleSheet*>(parent)->href())
++        if (parent->isXSLStyleSheet() && absHref == static_cast<XSLStyleSheet*>(parent)->putativeBaseURL().string())
+             return;
+     }
+     
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLImportRule.h	2010-05-03 15:55:37.789981560 +0200
+@@ -57,7 +57,7 @@ private:
+     virtual bool isImportRule() { return true; }
+ 
+     // from CachedResourceClient
+-    virtual void setXSLStyleSheet(const String& url, const String& sheet);
++    virtual void setXSLStyleSheet(const String& href, const KURL& baseURL, const String& sheet);
+     
+     String m_strHref;
+     RefPtr<XSLStyleSheet> m_styleSheet;
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheet.h	2010-05-03 15:55:37.827976887 +0200
+@@ -43,18 +43,18 @@ class XSLImportRule;
+ class XSLStyleSheet : public StyleSheet {
+ public:
+ #if !USE(QXMLQUERY)
+-    static PassRefPtr<XSLStyleSheet> create(XSLImportRule* parentImport, const String& href)
++    static PassRefPtr<XSLStyleSheet> create(XSLImportRule* parentImport, const String& href, const KURL& baseURL)
+     {
+-        return adoptRef(new XSLStyleSheet(parentImport, href));
++        return adoptRef(new XSLStyleSheet(parentImport, href, baseURL));
+     }
+ #endif
+-    static PassRefPtr<XSLStyleSheet> create(Node* parentNode, const String& href)
++    static PassRefPtr<XSLStyleSheet> create(Node* parentNode, const String& href, const KURL& baseURL)
+     {
+-        return adoptRef(new XSLStyleSheet(parentNode, href, false));
++        return adoptRef(new XSLStyleSheet(parentNode, href, baseURL, false));
+     }
+-    static PassRefPtr<XSLStyleSheet> createEmbedded(Node* parentNode, const String& href)
++    static PassRefPtr<XSLStyleSheet> createEmbedded(Node* parentNode, const String& href, const KURL& baseURL)
+     {
+-        return adoptRef(new XSLStyleSheet(parentNode, href, true));
++        return adoptRef(new XSLStyleSheet(parentNode, href, baseURL, true));
+     }
+ 
+     virtual ~XSLStyleSheet();
+@@ -90,9 +90,9 @@ public:
+     bool processed() const { return m_processed; }
+ 
+ private:
+-    XSLStyleSheet(Node* parentNode, const String& href, bool embedded);
++    XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL, bool embedded);
+ #if !USE(QXMLQUERY)
+-    XSLStyleSheet(XSLImportRule* parentImport, const String& href);
++    XSLStyleSheet(XSLImportRule* parentImport, const String& href, const KURL& baseURL);
+ #endif
+ 
+     Document* m_ownerDocument;
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetLibxslt.cpp	2010-05-03 15:55:37.837079694 +0200
+@@ -55,8 +55,8 @@ SOFT_LINK(libxslt, xsltLoadStylesheetPI,
+ 
+ namespace WebCore {
+ 
+-XSLStyleSheet::XSLStyleSheet(XSLImportRule* parentRule, const String& href)
+-    : StyleSheet(parentRule, href)
++XSLStyleSheet::XSLStyleSheet(XSLImportRule* parentRule, const String& href, const KURL& baseURL)
++    : StyleSheet(parentRule, href, baseURL)
+     , m_ownerDocument(0)
+     , m_embedded(false)
+     , m_processed(false) // Child sheets get marked as processed when the libxslt engine has finally seen them.
+@@ -66,8 +66,8 @@ XSLStyleSheet::XSLStyleSheet(XSLImportRu
+ {
+ }
+ 
+-XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href,  bool embedded)
+-    : StyleSheet(parentNode, href)
++XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL,  bool embedded)
++    : StyleSheet(parentNode, href, baseURL)
+     , m_ownerDocument(parentNode->document())
+     , m_embedded(embedded)
+     , m_processed(true) // The root sheet starts off processed.
+@@ -168,7 +168,7 @@ bool XSLStyleSheet::parseString(const St
+     }
+ 
+     m_stylesheetDoc = xmlCtxtReadMemory(ctxt, buffer, size,
+-        href().utf8().data(),
++        putativeBaseURL().string().utf8().data(),
+         BOMHighByte == 0xFF ? "UTF-16LE" : "UTF-16BE",
+         XML_PARSE_NOENT | XML_PARSE_DTDATTR | XML_PARSE_NOWARNING | XML_PARSE_NOCDATA);
+     xmlFreeParserCtxt(ctxt);
+@@ -192,7 +192,7 @@ void XSLStyleSheet::loadChildSheets()
+     if (m_embedded) {
+         // We have to locate (by ID) the appropriate embedded stylesheet element, so that we can walk the
+         // import/include list.
+-        xmlAttrPtr idNode = xmlGetID(document(), (const xmlChar*)(href().utf8().data()));
++        xmlAttrPtr idNode = xmlGetID(document(), (const xmlChar*)(putativeBaseURL().string().utf8().data()));
+         if (!idNode)
+             return;
+         stylesheetRoot = idNode->parent;
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLStyleSheetQt.cpp	2010-05-03 15:55:37.837977083 +0200
+@@ -33,8 +33,8 @@
+ 
+ namespace WebCore {
+ 
+-XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href,  bool embedded)
+-    : StyleSheet(parentNode, href)
++XSLStyleSheet::XSLStyleSheet(Node* parentNode, const String& href, const KURL& baseURL,  bool embedded)
++    : StyleSheet(parentNode, href, baseURL)
+     , m_ownerDocument(parentNode->document())
+     , m_embedded(embedded)
+ {
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorLibxslt.cpp	2010-05-03 15:55:37.837977083 +0200
+@@ -226,7 +226,8 @@ static xsltStylesheetPtr xsltStylesheetP
+ {
+     if (!cachedStylesheet && stylesheetRootNode) {
+         cachedStylesheet = XSLStyleSheet::create(stylesheetRootNode->parent() ? stylesheetRootNode->parent() : stylesheetRootNode,
+-            stylesheetRootNode->document()->url().string());
++            stylesheetRootNode->document()->url().string(),
++            stylesheetRootNode->document()->url()); // FIXME: Should we use baseURL here?
+         cachedStylesheet->parseString(createMarkup(stylesheetRootNode));
+     }
+ 
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp.cve-2010-0648-stylesheet-redir-leak qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp.cve-2010-0648-stylesheet-redir-leak	2010-02-11 16:55:17.000000000 +0100
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/xml/XSLTProcessorQt.cpp	2010-05-03 15:55:37.915979873 +0200
+@@ -120,7 +120,9 @@ bool XSLTProcessor::transformToString(No
+     RefPtr<XSLStyleSheet> stylesheet = m_stylesheet;
+     if (!stylesheet && m_stylesheetRootNode) {
+         Node* node = m_stylesheetRootNode.get();
+-        stylesheet = XSLStyleSheet::create(node->parent() ? node->parent() : node, node->document()->url().string());
++        stylesheet = XSLStyleSheet::create(node->parent() ? node->parent() : node,
++            node->document()->url().string(),
++            node->document()->url()); // FIXME: Should we use baseURL here?
+         stylesheet->parseString(createMarkup(node));
+     }
+ 
diff --git a/qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch b/qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch
new file mode 100644
index 0000000..b94c380
--- /dev/null
+++ b/qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch
@@ -0,0 +1,25 @@
+diff -up qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp.me qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp
+--- qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp.me	2010-05-06 11:29:24.000000000 +0200
++++ qt-everywhere-opensource-src-4.6.2/src/3rdparty/webkit/WebCore/page/SecurityOrigin.cpp	2010-05-06 11:43:29.000000000 +0200
+@@ -112,7 +112,11 @@ SecurityOrigin::SecurityOrigin(const KUR
+ 
+     // By default, only local SecurityOrigins can load local resources.
+     m_canLoadLocalResources = isLocal();
+-
++    if (m_canLoadLocalResources) { 
++ 	     // Directories should never be readable. 
++ 	     if (!url.hasPath() || url.path().endsWith("/"))
++ 	         m_noAccess = true; 
++    }
+     if (isDefaultPortForProtocol(m_port, m_protocol))
+         m_port = 0;
+ }
+@@ -207,6 +211,8 @@ bool SecurityOrigin::canRequest(const KU
+         return false;
+ 
+     RefPtr<SecurityOrigin> targetOrigin = SecurityOrigin::create(url);
++    if (targetOrigin->m_noAccess)
++        return false;
+ 
+     // We call isSameSchemeHostPort here instead of canAccess because we want
+     // to ignore document.domain effects.
diff --git a/qt.spec b/qt.spec
index d1759ec..7382552 100644
--- a/qt.spec
+++ b/qt.spec
@@ -13,7 +13,7 @@ Summary: Qt toolkit
 Name:    qt
 Epoch:   1
 Version: 4.6.2
-Release: 16%{?dist}
+Release: 17%{?dist}
 
 # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
 License: LGPLv2 with exceptions or GPLv3 with exceptions
@@ -70,6 +70,9 @@ Patch102: qt-x11-opensource-src-4.5.3-cve-2010-0050-crash-misnested-style-tags.p
 Patch103: qt-x11-opensource-src-4.5.3-cve-2010-0052-destroyed-input-cached.patch
 Patch104: qt-everywhere-opensource-src-4.6.2-cve-2010-0051-lax-css-parsing-cross-domain-theft.patch
 Patch105: qt-everywhere-opensource-src-4.6.2-cve-2010-0054-image-element-pointer-name-getter.patch
+Patch106: qt-everywhere-opensource-src-4.6.2-cve-2010-0656.patch
+Patch107: qt-everywhere-opensource-src-4.6.2-cve-2010-0047.patch
+Patch108: qt-everywhere-opensource-src-4.6.2-cve-2010-0648.patch
 
 # kde-qt git patches
 Patch201: 0001-This-patch-uses-object-name-as-a-fallback-for-window.patch
@@ -433,6 +436,9 @@ Qt libraries used for drawing widgets and OpenGL items.
 %patch103 -p1 -b .cve-2010-0052-destroyed-input-cached
 %patch104 -p1 -b .cve-2010-0051-lax-css-parsing-cross-domain-theft
 %patch105 -p1 -b .cve-2010-0054-image-element-pointer-name-getter
+%patch106 -p1 -b .cve-2010-0656
+%patch107 -p1 -b .cve-2010-0047
+%patch108 -p1 -b .cve-2010-0648
 
 # kde-qt branch
 %patch201 -p1 -b .kde-qt-0001
@@ -1042,6 +1048,10 @@ fi
 
 
 %changelog
+* Thu May 06 2010 Than Ngo <than@redhat.com> - 4.6.2-17
+- bz#589169, fix multiple flaws in webkit
+  CVE-2010-0047, CVE-2010-0648, CVE-2010-0656
+
 * Thu Apr 29 2010 Kevin Kofler <Kevin@tigcc.ticalc.org> - 4.6.2-16
 - restore qt-everywhere-opensource-src-4.6.2-cups.patch (#586725)