blob: 77703a9d3a0c2e970fbcb44554a5e3ae587f4f0f (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Tue, 28 Feb 2017 19:00:48 +0100
Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL
Remove user/password information
For https: remove path and query
Thanks to safebreach.com for reporting the problem
CCMAIL: yoni.fridburg@safebreach.com
CCMAIL: amit.klein@safebreach.com
CCMAIL: itzik.kotler@safebreach.com
---
src/kpac/script.cpp | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
index a0235f73..2485c54d 100644
--- src/kpac/script.cpp
+++ src/kpac/script.cpp
@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
}
}
+ QUrl cleanUrl = url;
+ cleanUrl.setUserInfo(QString());
+ if (cleanUrl.scheme() == QLatin1String("https")) {
+ cleanUrl.setPath(QString());
+ cleanUrl.setQuery(QString());
+ }
+
QScriptValueList args;
- args << url.url();
- args << url.host();
+ args << cleanUrl.url();
+ args << cleanUrl.host();
QScriptValue result = func.call(QScriptValue(), args);
if (result.isError()) {
--
2.11.1
|