void-packages/srcpkgs/kdepimlibs/patches/CVE-2016-7966.patch

80 lines
2.3 KiB
Diff
Raw Normal View History

--- kpimutils/linklocator.cpp
+++ kpimutils/linklocator.cpp
@@ -94,6 +94,12 @@
}
QString LinkLocator::getUrl()
+{
+ return getUrlAndCheckValidHref();
+}
+
+
+QString LinkLocator::getUrlAndCheckValidHref(bool *badurl)
{
QString url;
if ( atUrl() ) {
@@ -129,13 +135,26 @@
url.reserve( maxUrlLen() ); // avoid allocs
int start = mPos;
+ bool previousCharIsADoubleQuote = false;
while ( ( mPos < (int)mText.length() ) &&
( mText[mPos].isPrint() || mText[mPos].isSpace() ) &&
( ( afterUrl.isNull() && !mText[mPos].isSpace() ) ||
( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) {
if ( !mText[mPos].isSpace() ) { // skip whitespace
- url.append( mText[mPos] );
- if ( url.length() > maxUrlLen() ) {
+ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
+ //it's an invalid url
+ if (badurl) {
+ *badurl = true;
+ }
+ return QString();
+ }
+ if (mText[mPos] == QLatin1Char('"')) {
+ previousCharIsADoubleQuote = true;
+ } else {
+ previousCharIsADoubleQuote = false;
+ }
+ url.append( mText[mPos] );
+ if ( url.length() > maxUrlLen() ) {
break;
}
}
@@ -367,7 +386,12 @@
} else {
const int start = locator.mPos;
if ( !( flags & IgnoreUrls ) ) {
- str = locator.getUrl();
+ bool badUrl = false;
+ str = locator.getUrlAndCheckValidHref(&badUrl);
+ if (badUrl) {
+ return locator.mText;
+ }
+
if ( !str.isEmpty() ) {
QString hyperlink;
if ( str.left( 4 ) == QLatin1String("www.") ) {
--- kpimutils/linklocator.h
+++ kpimutils/linklocator.h
@@ -107,6 +107,7 @@
@return The URL at the current scan position, or an empty string.
*/
QString getUrl();
+ QString getUrlAndCheckValidHref(bool *badurl = 0);
/**
Attempts to grab an email address. If there is an @ symbol at the
@@ -155,7 +156,7 @@
*/
static QString pngToDataUrl( const QString & iconPath );
- protected:
+protected:
/**
The plaintext string being scanned for URLs and email addresses.
*/