head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.4 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.2 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.1.0.4 pkgsrc-2011Q4-base:1.1 pkgsrc-2011Q3:1.1.0.2; locks; strict; comment @// @; 1.2 date 2012.03.19.11.28.50; author markd; state dead; branches; next 1.1; 1.1 date 2011.11.20.02.08.10; author markd; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2011.11.20.02.08.10; author tron; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2011.11.20.13.14.33; author tron; state Exp; branches; next ; desc @@ 1.2 log @Update to KDE SC 4.8.0 @ text @$NetBSD: patch-kioslave_http_http.cpp,v 1.1 2011/11/20 02:08:10 markd Exp $ don't interpret html tags. KDE Security Advisory 20111003-1 commit 90607b28d21fefc43657ca08b889bdb174c31fab Author: David Faure Date: Wed Sep 28 17:26:47 2011 +0200 Use HTML escaping on texts that come from the website Interestingly enough, this is yet another use case for moving Qt::escape to QtCore, which I made a merge request for. (cherry picked from commit 86622e4db182f4b914169f72ebd1e66d708e9f87) 
diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp index 33f4cb1..6447a02 100644 --- kioslave/http/http.cpp +++ kioslave/http/http.cpp @@@@ -99,6 +99,27 @@@@ //authentication handlers #include "httpauthentication.cpp" +// KDE5 TODO (QT5) : use QString::htmlEscape or whatever https://qt.gitorious.org/qt/qtbase/merge_requests/56 +// ends up with. +static QString htmlEscape(const QString &plain) +{ + QString rich; + rich.reserve(int(plain.length() * 1.1)); + for (int i = 0; i < plain.length(); ++i) { + if (plain.at(i) == QLatin1Char('<')) + rich += QLatin1String("<"); + else if (plain.at(i) == QLatin1Char('>')) + rich += QLatin1String(">"); + else if (plain.at(i) == QLatin1Char('&')) + rich += QLatin1String("&"); + else if (plain.at(i) == QLatin1Char('"')) + rich += QLatin1String("""); + else + rich += plain.at(i); + } + rich.squeeze(); + return rich; +} // see filenameFromUrl(): a sha1 hash is 160 bits static const int s_hashedUrlBits = 160; // this number should always be divisible by eight @@@@ -3410,7 +3431,7 @@@@ endParsing: authinfo.url = reqUrl; authinfo.keepPassword = true; authinfo.comment = i18n("%1 at %2", - authinfo.realmValue, authinfo.url.host()); + htmlEscape(authinfo.realmValue), authinfo.url.host()); if (!openPasswordDialog(authinfo, errorMsg)) { if (sendErrorPageNotification()) { @@@@ -5122,7 +5143,7 @@@@ void HTTPProtocol::proxyAuthenticationForSocket(const QNetworkProxy &proxy, QAut "to access any sites."); info.keepPassword = true; info.commentLabel = i18n("Proxy:"); - info.comment = i18n("%1 at %2", info.realmValue, m_request.proxyUrl.host()); + info.comment = i18n("%1 at %2", htmlEscape(info.realmValue), m_request.proxyUrl.host()); const bool dataEntered = openPasswordDialog(info, i18n("Proxy Authentication Failed.")); if (!dataEntered) { kDebug(7103) << "looks like the user canceled proxy authentication."; @ 1.1 log @don't interpret html tags. 
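Review bot: As rendered here, the replacement literals in htmlEscape are the same characters they replace (`rich += QLatin1String("<")` on the `<` branch, and likewise for `>`, `&` and `"`), which would make the helper a no-op and leave the realm text interpreted as markup exactly as before; this is most likely the `&lt;`, `&gt;`, `&amp;` and `&quot;` entity forms being decoded when this copy was rendered, but the patch file as committed should be checked to contain the entity forms, since the advisory fix hinges on them. The same three hunks are repeated verbatim in the 1.1.2.2 branch text further down, so the check applies to that copy as well. In the two later hunks only the realm is escaped; `authinfo.url.host()` and `m_request.proxyUrl.host()` go into the same `%1 at %2` string unescaped, which is presumably fine for a host parsed from a URL but deserves a one-line comment saying so. The helper also has no comment recording why it exists; a line above it such as `// realmValue is server-supplied and the password dialog would otherwise interpret HTML tags in it (KDE Security Advisory 20111003-1)` would keep the reason with the code. The escaped set omits `'`, which is adequate for text content but not for attribute values, so the helper should not be reused for those without extending it.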
KDE Security Advisory 20111003-1 @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-kioslave_http_http.cpp was added on branch pkgsrc-2011Q3 on 2011-11-20 13:14:33 +0000 @ text @d1 64 @ 1.1.2.2 log @Pullup ticket #3613 - requested by markd x11/kdelibs4: security patch Revisions pulled up: - x11/kdelibs4/Makefile 1.30 via patch - x11/kdelibs4/distinfo 1.21 via patch - x11/kdelibs4/patches/patch-kio_kssl_ksslcertificatebox.cpp 1.1 - x11/kdelibs4/patches/patch-kioslave_http_http.cpp 1.1 --- Module Name: pkgsrc Committed By: markd Date: Sun Nov 20 02:08:11 UTC 2011 Modified Files: pkgsrc/x11/kdelibs4: Makefile distinfo Added Files: pkgsrc/x11/kdelibs4/patches: patch- kio_kssl_ksslcertificatebox.cpp patch-kioslave_http_http.cpp Log Message: don't interpret html tags. KDE Security Advisory 20111003-1 @ text @a0 64 $NetBSD$ don't interpret html tags. KDE Security Advisory 20111003-1 commit 90607b28d21fefc43657ca08b889bdb174c31fab Author: David Faure Date: Wed Sep 28 17:26:47 2011 +0200 Use HTML escaping on texts that come from the website Interestingly enough, this is yet another use case for moving Qt::escape to QtCore, which I made a merge request for. (cherry picked from commit 86622e4db182f4b914169f72ebd1e66d708e9f87) 
diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp index 33f4cb1..6447a02 100644 --- kioslave/http/http.cpp +++ kioslave/http/http.cpp @@@@ -99,6 +99,27 @@@@ //authentication handlers #include "httpauthentication.cpp" +// KDE5 TODO (QT5) : use QString::htmlEscape or whatever https://qt.gitorious.org/qt/qtbase/merge_requests/56 +// ends up with. +static QString htmlEscape(const QString &plain) +{ + QString rich; + rich.reserve(int(plain.length() * 1.1)); + for (int i = 0; i < plain.length(); ++i) { + if (plain.at(i) == QLatin1Char('<')) + rich += QLatin1String("<"); + else if (plain.at(i) == QLatin1Char('>')) + rich += QLatin1String(">"); + else if (plain.at(i) == QLatin1Char('&')) + rich += QLatin1String("&"); + else if (plain.at(i) == QLatin1Char('"')) + rich += QLatin1String("""); + else + rich += plain.at(i); + } + rich.squeeze(); + return rich; +} // see filenameFromUrl(): a sha1 hash is 160 bits static const int s_hashedUrlBits = 160; // this number should always be divisible by eight @@@@ -3410,7 +3431,7 @@@@ endParsing: authinfo.url = reqUrl; authinfo.keepPassword = true; authinfo.comment = i18n("%1 at %2", - authinfo.realmValue, authinfo.url.host()); + htmlEscape(authinfo.realmValue), authinfo.url.host()); if (!openPasswordDialog(authinfo, errorMsg)) { if (sendErrorPageNotification()) { @@@@ -5122,7 +5143,7 @@@@ void HTTPProtocol::proxyAuthenticationForSocket(const QNetworkProxy &proxy, QAut "to access any sites."); info.keepPassword = true; info.commentLabel = i18n("Proxy:"); - info.comment = i18n("%1 at %2", info.realmValue, m_request.proxyUrl.host()); + info.comment = i18n("%1 at %2", htmlEscape(info.realmValue), m_request.proxyUrl.host()); const bool dataEntered = openPasswordDialog(info, i18n("Proxy Authentication Failed.")); if (!dataEntered) { kDebug(7103) << "looks like the user canceled proxy authentication."; @