730982d27a
Fixes CVE-2016-7966
79 lines
2.3 KiB
Diff
79 lines
2.3 KiB
Diff
--- kpimutils/linklocator.cpp
|
|
+++ kpimutils/linklocator.cpp
|
|
@@ -94,6 +94,12 @@
|
|
}
|
|
|
|
QString LinkLocator::getUrl()
|
|
+{
|
|
+ return getUrlAndCheckValidHref();
|
|
+}
|
|
+
|
|
+
|
|
+QString LinkLocator::getUrlAndCheckValidHref(bool *badurl)
|
|
{
|
|
QString url;
|
|
if ( atUrl() ) {
|
|
@@ -129,13 +135,26 @@
|
|
|
|
url.reserve( maxUrlLen() ); // avoid allocs
|
|
int start = mPos;
|
|
+ bool previousCharIsADoubleQuote = false;
|
|
while ( ( mPos < (int)mText.length() ) &&
|
|
( mText[mPos].isPrint() || mText[mPos].isSpace() ) &&
|
|
( ( afterUrl.isNull() && !mText[mPos].isSpace() ) ||
|
|
( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) {
|
|
if ( !mText[mPos].isSpace() ) { // skip whitespace
|
|
- url.append( mText[mPos] );
|
|
- if ( url.length() > maxUrlLen() ) {
|
|
+ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
|
|
+ //it's an invalid url
|
|
+ if (badurl) {
|
|
+ *badurl = true;
|
|
+ }
|
|
+ return QString();
|
|
+ }
|
|
+ if (mText[mPos] == QLatin1Char('"')) {
|
|
+ previousCharIsADoubleQuote = true;
|
|
+ } else {
|
|
+ previousCharIsADoubleQuote = false;
|
|
+ }
|
|
+ url.append( mText[mPos] );
|
|
+ if ( url.length() > maxUrlLen() ) {
|
|
break;
|
|
}
|
|
}
|
|
@@ -367,7 +386,12 @@
|
|
} else {
|
|
const int start = locator.mPos;
|
|
if ( !( flags & IgnoreUrls ) ) {
|
|
- str = locator.getUrl();
|
|
+ bool badUrl = false;
|
|
+ str = locator.getUrlAndCheckValidHref(&badUrl);
|
|
+ if (badUrl) {
|
|
+ return locator.mText;
|
|
+ }
|
|
+
|
|
if ( !str.isEmpty() ) {
|
|
QString hyperlink;
|
|
if ( str.left( 4 ) == QLatin1String("www.") ) {
|
|
|
|
--- kpimutils/linklocator.h
|
|
+++ kpimutils/linklocator.h
|
|
@@ -107,6 +107,7 @@
|
|
@return The URL at the current scan position, or an empty string.
|
|
*/
|
|
QString getUrl();
|
|
+ QString getUrlAndCheckValidHref(bool *badurl = 0);
|
|
|
|
/**
|
|
Attempts to grab an email address. If there is an @ symbol at the
|
|
@@ -155,7 +156,7 @@
|
|
*/
|
|
static QString pngToDataUrl( const QString & iconPath );
|
|
|
|
- protected:
|
|
+protected:
|
|
/**
|
|
The plaintext string being scanned for URLs and email addresses.
|
|
*/
|
|
|