
Fix security issue CVE-2017-6410

[taken from RedHat kdelibs patches]

Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
pull/1/head
Slávek Banko 1 year ago
parent
commit
a3b86c2690
1 changed files with 10 additions and 2 deletions
  1. 10
    2
      tdeio/misc/kpac/script.cpp

+ 10
- 2
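--- a/tdeio/misc/kpac/script.cpp
+++ b/tdeio/misc/kpac/script.cpp
@@ -446,10 +446,18 @@ namespace KPAC
 	if (!findObj.isValid() || !findObj.implementsCall())
 	  throw Error( "No such function FindProxyForURL" );
 
+        KURL cleanUrl = url;
+        cleanUrl.setPass(QString());
+        cleanUrl.setUser(QString());
+        if (cleanUrl.protocol().lower() == "https") {
+            cleanUrl.setPath(QString());
+            cleanUrl.setQuery(QString());
+        }
+
 	Object thisObj;
 	List args;
-	args.append(String(url.url()));
-	args.append(String(url.host()));
+	args.append(String(cleanUrl.url()));
+	args.append(String(cleanUrl.host()));
 	Value retval = findObj.call( exec, thisObj, args );
 
 	if ( exec->hadException() ) {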
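Review bot: The fragment survives the scrubbing in the https branch: the path and query are cleared, but nothing resets the reference part, so `cleanUrl.url()` can still hand a `#...` component to the PAC script's FindProxyForURL, and fragments sometimes carry tokens. Adding `cleanUrl.setRef(QString());` next to the `setPath`/`setQuery` calls would close that. The comparison `== "https"` also leaves any other TLS-backed scheme with its path and query intact (for example `webdavs`, if such URLs are routed through here); which schemes reach this function is not visible in the hunk, so that should be confirmed. A short comment above the block, such as `// PAC scripts are untrusted: pass no credentials, and only the origin for https (CVE-2017-6410)`, would keep the intent clear for later edits; the enclosing function starts and ends outside the hunk.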
