From a3b86c26903ade446ac57afc8c3f8a9c1bd66390 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sl=C3=A1vek=20Banko?= <slavek.banko@axis.cz>
Date: Thu, 26 Jul 2018 18:44:37 +0200
Subject: [PATCH] Fix security issue CVE-2017-6410 [taken from RedHat kdelibs
 patches]
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
---
 tdeio/misc/kpac/script.cpp | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/tdeio/misc/kpac/script.cpp b/tdeio/misc/kpac/script.cpp
index 55faef8a1..fa1201382 100644
--- a/tdeio/misc/kpac/script.cpp
+++ b/tdeio/misc/kpac/script.cpp
@@ -446,10 +446,18 @@ namespace KPAC
 	if (!findObj.isValid() || !findObj.implementsCall())
 	  throw Error( "No such function FindProxyForURL" );
 
+        KURL cleanUrl = url;
+        cleanUrl.setPass(QString());
+        cleanUrl.setUser(QString());
+        if (cleanUrl.protocol().lower() == "https") {
+            cleanUrl.setPath(QString());
+            cleanUrl.setQuery(QString());
+        }
+
 	Object thisObj;
 	List args;
-	args.append(String(url.url()));
-	args.append(String(url.host()));
+	args.append(String(cleanUrl.url()));
+	args.append(String(cleanUrl.host()));
 	Value retval = findObj.call( exec, thisObj, args );
 
 	if ( exec->hadException() ) {