b91d57ba84
patch taken from kdelibs upstream commit 1804c2fde7bf4e432c6cf5bb8cce5701c7010559; fixes an information leak when accessing https while using a malicious PAC file. KDE Security advisory: https://www.kde.org/info/security/advisory-20170228-1.txt No CVE assigned yet.
22 lines
618 B
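--- a/kio/misc/kpac/script.cpp
+++ b/kio/misc/kpac/script.cpp
@@ -754,9 +754,16 @@ namespace KPAC
 }
 }
 
+ KUrl cleanUrl = url;
+ cleanUrl.setUserInfo(QString());
+ if (cleanUrl.scheme().toLower() == QLatin1String("https")) {
+ cleanUrl.setPath(QString());
+ cleanUrl.setQuery(QString());
+ }
+
 QScriptValueList args;
- args << url.url();
- args << url.host();
+ args << cleanUrl.url();
+ args << cleanUrl.host();
 
 QScriptValue result = func.call(QScriptValue(), args);
 if (result.isError()) {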
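Review bot: The sanitised copy still carries the URL fragment into the script: the https branch clears userInfo, path and query before `cleanUrl.url()` is handed to `func.call`, but nothing clears the `#...` part, which can hold session or token material placed there by web applications and which the PAC script (the untrusted party in this advisory) otherwise never needs. Since KUrl derives from QUrl, adding `cleanUrl.setFragment(QString());` inside the https block closes that gap with the same idiom the hunk already uses. A one-line comment above the block, `// Only scheme, host and port are passed to the (untrusted) PAC script for https URLs`, would record why the path, query and fragment are dropped so a later change does not reintroduce them. The enclosing function starts and ends outside this hunk, so whether `url` is used elsewhere in it afterwards cannot be checked here.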