Fix CVE-2017-6410, "Information Leak when accessing https when using a malicious PAC file": https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6410 https://www.kde.org/info/security/advisory-20170228-1.txt Patch copied from upstream source repository: https://cgit.kde.org/kio.git/commit/?id=f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001 From: Albert Astals Cid Date: Tue, 28 Feb 2017 19:00:48 +0100 Subject: Sanitize URLs before passing them to FindProxyForURL Remove user/password information For https: remove path and query Thanks to safebreach.com for reporting the problem CCMAIL: yoni.fridburg@safebreach.com CCMAIL: amit.klein@safebreach.com CCMAIL: itzik.kotler@safebreach.com --- src/kpac/script.cpp | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp index a0235f7..2485c54 100644 --- a/src/kpac/script.cpp +++ b/src/kpac/script.cpp @@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url) } } + QUrl cleanUrl = url; + cleanUrl.setUserInfo(QString()); + if (cleanUrl.scheme() == QLatin1String("https")) { + cleanUrl.setPath(QString()); + cleanUrl.setQuery(QString()); + } + QScriptValueList args; - args << url.url(); - args << url.host(); + args << cleanUrl.url(); + args << cleanUrl.host(); QScriptValue result = func.call(QScriptValue(), args); if (result.isError()) { -- cgit v0.11.2