kdelibs: add fix-kio-information-leak.patch (#5859)

patch taken from kdelibs upstream commit 1804c2fde7bf4e432c6cf5bb8cce5701c7010559 fixes an Information Leak when accessing https when using a malicious PAC file. KDE Security advisory: https://www.kde.org/info/security/advisory-20170228-1.txt No CVE assigned yet.
2017-03-02 15:31:49 +01:00 · 2017-03-02 15:31:49 +01:00 · b91d57ba84
commit b91d57ba84
parent fb8861d2da
2 changed files with 23 additions and 1 deletions
--- a/srcpkgs/kdelibs/patches/fix-kio-information-leak.patch
+++ b/srcpkgs/kdelibs/patches/fix-kio-information-leak.patch
@ -0,0 +1,22 @@
+--- kio/misc/kpac/script.cpp
+++ kio/misc/kpac/script.cpp
+@@ -754,9 +754,16 @@ namespace KPAC
+             }
+         }
+ 
+        KUrl cleanUrl = url;
+        cleanUrl.setUserInfo(QString());
+        if (cleanUrl.scheme().toLower() == QLatin1String("https")) {
+            cleanUrl.setPath(QString());
+            cleanUrl.setQuery(QString());
+        }
+
+         QScriptValueList args;
+-        args << url.url();
+-        args << url.host();
+        args << cleanUrl.url();
+        args << cleanUrl.host();
+ 
+         QScriptValue result = func.call(QScriptValue(), args);
+         if (result.isError()) {
+
--- a/srcpkgs/kdelibs/template
+++ b/srcpkgs/kdelibs/template
@ -1,7 +1,7 @@
 # Template file for 'kdelibs'
 pkgname=kdelibs
 version=4.14.3
-revision=7
+revision=8
 short_desc="KDE core libraries"
 maintainer="Juan RP <xtraeme@voidlinux.eu>"
 license="GPL-2.0, LGPL-2.1, FDL"