Page MenuHomeFreeBSD
Files F133211803

D9908.diff
No OneTemporary
Actions

D9908.diff
View Options

Index: head/devel/kf5-kio/Makefile
===================================================================
--- head/devel/kf5-kio/Makefile
+++ head/devel/kf5-kio/Makefile
@@ -3,6 +3,7 @@
PORTNAME= kio
PORTVERSION= ${KDE_FRAMEWORKS_VERSION}
+PORTREVISION= 1
CATEGORIES= devel kde kde-frameworks
MAINTAINER= kde@FreeBSD.org
Index: head/devel/kf5-kio/files/patch-git_f9d0cb4_cve-2017-6410
===================================================================
--- head/devel/kf5-kio/files/patch-git_f9d0cb4_cve-2017-6410
+++ head/devel/kf5-kio/files/patch-git_f9d0cb4_cve-2017-6410
@@ -0,0 +1,43 @@
+From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 28 Feb 2017 19:00:48 +0100
+Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL
+
+Remove user/password information
+For https: remove path and query
+
+Thanks to safebreach.com for reporting the problem
+
+CCMAIL: yoni.fridburg@safebreach.com
+CCMAIL: amit.klein@safebreach.com
+CCMAIL: itzik.kotler@safebreach.com
+---
+ src/kpac/script.cpp | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
+index a0235f73..2485c54d 100644
+--- src/kpac/script.cpp
++++ src/kpac/script.cpp
+@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
+ }
+ }
+
++ QUrl cleanUrl = url;
++ cleanUrl.setUserInfo(QString());
++ if (cleanUrl.scheme() == QLatin1String("https")) {
++ cleanUrl.setPath(QString());
++ cleanUrl.setQuery(QString());
++ }
++
+ QScriptValueList args;
+- args << url.url();
+- args << url.host();
++ args << cleanUrl.url();
++ args << cleanUrl.host();
+
+ QScriptValue result = func.call(QScriptValue(), args);
+ if (result.isError()) {
+--
+2.11.1
+
Index: head/x11/kdelibs4/Makefile
===================================================================
--- head/x11/kdelibs4/Makefile
+++ head/x11/kdelibs4/Makefile
@@ -3,7 +3,7 @@
PORTNAME= kdelibs
PORTVERSION= ${KDE4_KDELIBS_VERSION}
-PORTREVISION= 9
+PORTREVISION= 10
CATEGORIES= x11 kde
MASTER_SITES= KDE/${KDE4_APPLICATIONS_BRANCH}/applications/${KDE4_APPLICATIONS_VERSION}/src
DIST_SUBDIR= KDE/${PORTVERSION}
Index: head/x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410
===================================================================
--- head/x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410
+++ head/x11/kdelibs4/files/patch-git_1804c2f_cve-2017-6410
@@ -0,0 +1,39 @@
+From 1804c2fde7bf4e432c6cf5bb8cce5701c7010559 Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid <aacid@kde.org>
+Date: Tue, 28 Feb 2017 19:08:50 +0100
+Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL
+
+Remove user/password information
+For https: remove path and query
+
+Backport from kio f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
+---
+ kio/misc/kpac/script.cpp | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/kio/misc/kpac/script.cpp b/kio/misc/kpac/script.cpp
+index a595301307..9ab360a0b5 100644
+--- kio/misc/kpac/script.cpp
++++ kio/misc/kpac/script.cpp
+@@ -754,9 +754,16 @@ namespace KPAC
+ }
+ }
+
++ KUrl cleanUrl = url;
++ cleanUrl.setUserInfo(QString());
++ if (cleanUrl.scheme().toLower() == QLatin1String("https")) {
++ cleanUrl.setPath(QString());
++ cleanUrl.setQuery(QString());
++ }
++
+ QScriptValueList args;
+- args << url.url();
+- args << url.host();
++ args << cleanUrl.url();
++ args << cleanUrl.host();
+
+ QScriptValue result = func.call(QScriptValue(), args);
+ if (result.isError()) {
+--
+2.11.1
+

File Metadata

Mime Type
text/plain
Expires
Sat, Oct 25, 12:36 AM (3 h, 1 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
24151526
Default Alt Text
D9908.diff (3 KB)

Event Timeline