diff options
Diffstat (limited to 'gnu/packages/patches/kio-CVE-2017-6410.patch')
-rw-r--r-- | gnu/packages/patches/kio-CVE-2017-6410.patch | 53 |
1 files changed, 0 insertions, 53 deletions
diff --git a/gnu/packages/patches/kio-CVE-2017-6410.patch b/gnu/packages/patches/kio-CVE-2017-6410.patch deleted file mode 100644 index 748636f806..0000000000 --- a/gnu/packages/patches/kio-CVE-2017-6410.patch +++ /dev/null @@ -1,53 +0,0 @@ -Fix CVE-2017-6410, "Information Leak when accessing https when using a -malicious PAC file": - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410 -https://www.kde.org/info/security/advisory-20170228-1.txt - -Patch copied from upstream source repository: - -https://cgit.kde.org/kio.git/commit/?id=f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 - -From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001 -From: Albert Astals Cid <aacid@kde.org> -Date: Tue, 28 Feb 2017 19:00:48 +0100 -Subject: Sanitize URLs before passing them to FindProxyForURL - -Remove user/password information -For https: remove path and query - -Thanks to safebreach.com for reporting the problem - -CCMAIL: yoni.fridburg@safebreach.com -CCMAIL: amit.klein@safebreach.com -CCMAIL: itzik.kotler@safebreach.com ---- - src/kpac/script.cpp | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp -index a0235f7..2485c54 100644 ---- a/src/kpac/script.cpp -+++ b/src/kpac/script.cpp -@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url) - } - } - -+ QUrl cleanUrl = url; -+ cleanUrl.setUserInfo(QString()); -+ if (cleanUrl.scheme() == QLatin1String("https")) { -+ cleanUrl.setPath(QString()); -+ cleanUrl.setQuery(QString()); -+ } -+ - QScriptValueList args; -- args << url.url(); -- args << url.host(); -+ args << cleanUrl.url(); -+ args << cleanUrl.host(); - - QScriptValue result = func.call(QScriptValue(), args); - if (result.isError()) { --- -cgit v0.11.2 - |