summary refs log tree commit diff
path: root/gnu/packages/patches/kio-CVE-2017-6410.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/kio-CVE-2017-6410.patch')
-rw-r--r--gnu/packages/patches/kio-CVE-2017-6410.patch53
1 files changed, 0 insertions, 53 deletions
diff --git a/gnu/packages/patches/kio-CVE-2017-6410.patch b/gnu/packages/patches/kio-CVE-2017-6410.patch
deleted file mode 100644
index 748636f806..0000000000
--- a/gnu/packages/patches/kio-CVE-2017-6410.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-Fix CVE-2017-6410, "Information Leak when accessing https when using a
-malicious PAC file":
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410
-https://www.kde.org/info/security/advisory-20170228-1.txt
-
-Patch copied from upstream source repository:
-
-https://cgit.kde.org/kio.git/commit/?id=f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
-
-From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001
-From: Albert Astals Cid <aacid@kde.org>
-Date: Tue, 28 Feb 2017 19:00:48 +0100
-Subject: Sanitize URLs before passing them to FindProxyForURL
-
-Remove user/password information
-For https: remove path and query
-
-Thanks to safebreach.com for reporting the problem
-
-CCMAIL: yoni.fridburg@safebreach.com
-CCMAIL: amit.klein@safebreach.com
-CCMAIL: itzik.kotler@safebreach.com
----
- src/kpac/script.cpp | 11 +++++++++--
- 1 file changed, 9 insertions(+), 2 deletions(-)
-
-diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
-index a0235f7..2485c54 100644
---- a/src/kpac/script.cpp
-+++ b/src/kpac/script.cpp
-@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
-         }
-     }
- 
-+    QUrl cleanUrl = url;
-+    cleanUrl.setUserInfo(QString());
-+    if (cleanUrl.scheme() == QLatin1String("https")) {
-+        cleanUrl.setPath(QString());
-+        cleanUrl.setQuery(QString());
-+    }
-+
-     QScriptValueList args;
--    args << url.url();
--    args << url.host();
-+    args << cleanUrl.url();
-+    args << cleanUrl.host();
- 
-     QScriptValue result = func.call(QScriptValue(), args);
-     if (result.isError()) {
--- 
-cgit v0.11.2
-