Index: head/devel/kf5-kio/Makefile =================================================================== --- head/devel/kf5-kio/Makefile +++ head/devel/kf5-kio/Makefile @@ -3,6 +3,7 @@ PORTNAME= kio PORTVERSION= ${KDE_FRAMEWORKS_VERSION} +PORTREVISION= 1 CATEGORIES= devel kde kde-frameworks MAINTAINER= kde@FreeBSD.org Index: head/devel/kf5-kio/files/patch-git_f9d0cb4_cve-2017-6410 =================================================================== --- head/devel/kf5-kio/files/patch-git_f9d0cb4_cve-2017-6410 +++ head/devel/kf5-kio/files/patch-git_f9d0cb4_cve-2017-6410 @@ -0,0 +1,43 @@ +From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Tue, 28 Feb 2017 19:00:48 +0100 +Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL + +Remove user/password information +For https: remove path and query + +Thanks to safebreach.com for reporting the problem + +CCMAIL: yoni.fridburg@safebreach.com +CCMAIL: amit.klein@safebreach.com +CCMAIL: itzik.kotler@safebreach.com +--- + src/kpac/script.cpp | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp +index a0235f73..2485c54d 100644 +--- src/kpac/script.cpp ++++ src/kpac/script.cpp +@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url) + } + } + ++ QUrl cleanUrl = url; ++ cleanUrl.setUserInfo(QString()); ++ if (cleanUrl.scheme() == QLatin1String("https")) { ++ cleanUrl.setPath(QString()); ++ cleanUrl.setQuery(QString()); ++ } ++ + QScriptValueList args; +- args << url.url(); +- args << url.host(); ++ args << cleanUrl.url(); ++ args << cleanUrl.host(); + + QScriptValue result = func.call(QScriptValue(), args); + if (result.isError()) { +-- +2.11.1 + Index: head/x11/kdelibs4/Makefile =================================================================== --- head/x11/kdelibs4/Makefile +++ head/x11/kdelibs4/Makefile @@ -3,7 +3,7 @@ PORTNAME= kdelibs PORTVERSION= ${KDE4_KDELIBS_VERSION} -PORTREVISION= 9 +PORTREVISION= 10 CATEGORIES= x11 kde MASTER_SITES= KDE/${KDE4_APPLICATIONS_BRANCH}/applications/${KDE4_APPLICATIONS_VERSION}/src DIST_SUBDIR= KDE/${PORTVERSION} Index: head/x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410 =================================================================== --- head/x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410 +++ head/x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410 @@ -0,0 +1,39 @@ +From 1804c2fde7bf4e432c6cf5bb8cce5701c7010559 Mon Sep 17 00:00:00 2001 +From: Albert Astals Cid +Date: Tue, 28 Feb 2017 19:08:50 +0100 +Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL + +Remove user/password information +For https: remove path and query + +Backport from kio f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 +--- + kio/misc/kpac/script.cpp | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/kio/misc/kpac/script.cpp b/kio/misc/kpac/script.cpp +index a595301307..9ab360a0b5 100644 +--- kio/misc/kpac/script.cpp ++++ kio/misc/kpac/script.cpp +@@ -754,9 +754,16 @@ namespace KPAC + } + } + ++ KUrl cleanUrl = url; ++ cleanUrl.setUserInfo(QString()); ++ if (cleanUrl.scheme().toLower() == QLatin1String("https")) { ++ cleanUrl.setPath(QString()); ++ cleanUrl.setQuery(QString()); ++ } ++ + QScriptValueList args; +- args << url.url(); +- args << url.host(); ++ args << cleanUrl.url(); ++ args << cleanUrl.host(); + + QScriptValue result = func.call(QScriptValue(), args); + if (result.isError()) { +-- +2.11.1 +