- Add patch to fix security issue with proxy configuration (boo#1027520)
* sanitize-url-for-proxy.patch OBS-URL: https://build.opensuse.org/package/show/KDE:Frameworks5/kio?expand=0&rev=169
This commit is contained in:
parent
419fd195fc
commit
d7d373ffcc
@ -1,3 +1,9 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Mar 1 21:02:49 UTC 2017 - fabian@ritter-vogt.de
|
||||||
|
|
||||||
|
- Add patch to fix security issue with proxy configuration (boo#1027520)
|
||||||
|
* sanitize-url-for-proxy.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Feb 9 09:30:01 UTC 2017 - hrvoje.senjan@gmail.com
|
Thu Feb 9 09:30:01 UTC 2017 - hrvoje.senjan@gmail.com
|
||||||
|
|
||||||
|
5
kio.spec
5
kio.spec
@ -75,6 +75,8 @@ Source: http://download.kde.org/stable/frameworks/%{_tar_path}/%{name}-%
|
|||||||
Source1: baselibs.conf
|
Source1: baselibs.conf
|
||||||
# PATCH-FIX-OPENSUSE kio_help-fallback-to-kde4-docs.patch -- allow kio_help to see into kde4 documentation, needed especially for khelpcenter5
|
# PATCH-FIX-OPENSUSE kio_help-fallback-to-kde4-docs.patch -- allow kio_help to see into kde4 documentation, needed especially for khelpcenter5
|
||||||
Patch0: kio_help-fallback-to-kde4-docs.patch
|
Patch0: kio_help-fallback-to-kde4-docs.patch
|
||||||
|
# PATCH-FIX-UPSTREAM sanitize-url-for-proxy.patch
|
||||||
|
Patch1: sanitize-url-for-proxy.patch
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
BuildRoot: %{_tmppath}/%{name}-%{version}-build
|
||||||
|
|
||||||
%description
|
%description
|
||||||
@ -84,8 +86,8 @@ file dialog also uses this to provide its network-enabled file management.
|
|||||||
|
|
||||||
%package core
|
%package core
|
||||||
Summary: Network transparent access to files and data
|
Summary: Network transparent access to files and data
|
||||||
Group: System/GUI/KDE
|
|
||||||
# core subpackage created with 5.9.0
|
# core subpackage created with 5.9.0
|
||||||
|
Group: System/GUI/KDE
|
||||||
Conflicts: kio <= 5.8.0
|
Conflicts: kio <= 5.8.0
|
||||||
|
|
||||||
%description core
|
%description core
|
||||||
@ -121,6 +123,7 @@ Development files.
|
|||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
|
%patch1 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%cmake_kf5 -d build
|
%cmake_kf5 -d build
|
||||||
|
40
sanitize-url-for-proxy.patch
Normal file
40
sanitize-url-for-proxy.patch
Normal file
@ -0,0 +1,40 @@
|
|||||||
|
From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Albert Astals Cid <aacid@kde.org>
|
||||||
|
Date: Tue, 28 Feb 2017 19:00:48 +0100
|
||||||
|
Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL
|
||||||
|
|
||||||
|
Remove user/password information
|
||||||
|
For https: remove path and query
|
||||||
|
|
||||||
|
Thanks to safebreach.com for reporting the problem
|
||||||
|
|
||||||
|
CCMAIL: yoni.fridburg@safebreach.com
|
||||||
|
CCMAIL: amit.klein@safebreach.com
|
||||||
|
CCMAIL: itzik.kotler@safebreach.com
|
||||||
|
---
|
||||||
|
src/kpac/script.cpp | 11 +++++++++--
|
||||||
|
1 file changed, 9 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
|
||||||
|
index a0235f7..2485c54 100644
|
||||||
|
--- a/src/kpac/script.cpp
|
||||||
|
+++ b/src/kpac/script.cpp
|
||||||
|
@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ QUrl cleanUrl = url;
|
||||||
|
+ cleanUrl.setUserInfo(QString());
|
||||||
|
+ if (cleanUrl.scheme() == QLatin1String("https")) {
|
||||||
|
+ cleanUrl.setPath(QString());
|
||||||
|
+ cleanUrl.setQuery(QString());
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
QScriptValueList args;
|
||||||
|
- args << url.url();
|
||||||
|
- args << url.host();
|
||||||
|
+ args << cleanUrl.url();
|
||||||
|
+ args << cleanUrl.host();
|
||||||
|
|
||||||
|
QScriptValue result = func.call(QScriptValue(), args);
|
||||||
|
if (result.isError()) {
|
Loading…
Reference in New Issue
Block a user