From 22f2dd61d89ed909fcee1f6687e92dd761f4280f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sl=C3=A1vek=20Banko?= Date: Thu, 26 Jul 2018 18:44:37 +0200 Subject: [PATCH] Fix security issue CVE-2017-6410 [taken from RedHat kdelibs patches] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Slávek Banko (cherry picked from commit a3b86c26903ade446ac57afc8c3f8a9c1bd66390) --- kio/misc/kpac/script.cpp | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/kio/misc/kpac/script.cpp b/kio/misc/kpac/script.cpp index 55faef8a1..fa1201382 100644 --- a/kio/misc/kpac/script.cpp +++ b/kio/misc/kpac/script.cpp @@ -446,10 +446,18 @@ namespace KPAC if (!findObj.isValid() || !findObj.implementsCall()) throw Error( "No such function FindProxyForURL" ); + KURL cleanUrl = url; + cleanUrl.setPass(QString()); + cleanUrl.setUser(QString()); + if (cleanUrl.protocol().lower() == "https") { + cleanUrl.setPath(QString()); + cleanUrl.setQuery(QString()); + } + Object thisObj; List args; - args.append(String(url.url())); - args.append(String(url.host())); + args.append(String(cleanUrl.url())); + args.append(String(cleanUrl.host())); Value retval = findObj.call( exec, thisObj, args ); if ( exec->hadException() ) {