authorSlávek Banko <[email protected]>2018-07-26 18:44:37 +0200
committerSlávek Banko <[email protected]>2018-07-26 18:45:08 +0200
commit8f6f381ff9c635a01aa5c4f0f544f58b9b4f306e (patch)
tree9348dc0d37b1d23209c827c139dd5bbcb4332189 /tdeio/misc
parentaae8e8d8c15443e53df1151976360dd701e6dcd4 (diff)
Fix security issue CVE-2017-6410
[taken from RedHat kdelibs patches]

Signed-off-by: Slávek Banko <[email protected]>
(cherry picked from commit a3b86c26903ade446ac57afc8c3f8a9c1bd66390)
Diffstat (limited to 'tdeio/misc')
-rw-r--r--tdeio/misc/kpac/script.cpp12
1 files changed, 10 insertions, 2 deletions
diff --git a/tdeio/misc/kpac/script.cpp b/tdeio/misc/kpac/script.cpp
index 55faef8a1..fa1201382 100644
--- a/tdeio/misc/kpac/script.cpp
+++ b/tdeio/misc/kpac/script.cpp
@@ -446,10 +446,18 @@ namespace KPAC
if (!findObj.isValid() || !findObj.implementsCall())
throw Error( "No such function FindProxyForURL" );
+ KURL cleanUrl = url;
+ cleanUrl.setPass(QString());
+ cleanUrl.setUser(QString());
+ if (cleanUrl.protocol().lower() == "https") {
+ cleanUrl.setPath(QString());
+ cleanUrl.setQuery(QString());
+ }
+
Object thisObj;
List args;
- args.append(String(url.url()));
- args.append(String(url.host()));
+ args.append(String(cleanUrl.url()));
+ args.append(String(cleanUrl.host()));
Value retval = findObj.call( exec, thisObj, args );
if ( exec->hadException() ) {
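Review bot: For https URLs the block added before `Object thisObj;` clears the path and query but not the fragment, so a `#...` part carried by the KURL would presumably still appear in `cleanUrl.url()` and reach the PAC script; adding `cleanUrl.setRef(QString());` inside the `if` would cover it. The path and query are dropped only when the scheme is exactly `https`, so any other TLS-wrapped scheme resolved through this function (for example `webdavs`, if it gets here) would still hand its full URL to the script; this needs checking against the callers, which are outside the hunk. A short comment above the block, such as `// PAC scripts are untrusted: never pass credentials, and for https pass only scheme and host`, would record why the URL is rewritten and that http deliberately keeps its path and query. The enclosing function starts and ends outside the hunk.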