Hello community, here is the log from the commit of package kdelibs4 for openSUSE:Factory checked in at 2017-03-05 17:56:53 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/kdelibs4 (Old) and /work/SRC/openSUSE:Factory/.kdelibs4.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kdelibs4" Sun Mar 5 17:56:53 2017 rev:291 rq:461717 version:4.14.29 Changes: -------- --- /work/SRC/openSUSE:Factory/kdelibs4/kdelibs4.changes 2017-02-13 07:45:14.487531662 +0100 +++ /work/SRC/openSUSE:Factory/.kdelibs4.new/kdelibs4.changes 2017-03-05 17:56:54.492077382 +0100 @@ -1,0 +2,6 @@ +Wed Mar 1 20:55:31 UTC 2017 - fab...@ritter-vogt.de + +- Add upstream patch to fix kio security issue (boo#1027520) + * kio-sanitize-url-for-proxy.patch + +------------------------------------------------------------------- New: ---- kio-sanitize-url-for-proxy.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ kdelibs4-apidocs.spec ++++++ --- /var/tmp/diff_new_pack.NbcPjs/_old 2017-03-05 17:56:55.423945484 +0100 +++ /var/tmp/diff_new_pack.NbcPjs/_new 2017-03-05 17:56:55.427944918 +0100 @@ -1,7 +1,7 @@ # # spec file for package kdelibs4-apidocs # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed ++++++ kdelibs4.spec ++++++ --- /var/tmp/diff_new_pack.NbcPjs/_old 2017-03-05 17:56:55.443942654 +0100 +++ /var/tmp/diff_new_pack.NbcPjs/_new 2017-03-05 17:56:55.447942088 +0100 @@ -1,7 +1,7 @@ # # spec file for package kdelibs4 # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -88,6 +88,8 @@ Patch15: 0001-Drop-Nepomuk-from-KParts-LINK_INTERFACE_LIBRARIES.patch # PATCH-FIX-OPENSUSE gcc6-fix-errors.patch -- Fix errors spotted by GCC6. Patch17: gcc6-fix-errors.patch +# PATCH-FIX-UPSTREAM kio-sanitize-url-for-proxy.patch +Patch18: kio-sanitize-url-for-proxy.patch PreReq: permissions Requires: libattica0_4 >= %( echo `rpm -q --queryformat '%{VERSION}' libattica-devel`) Recommends: media-player-info @@ -144,6 +146,7 @@ %patch12 -p1 %patch15 -p1 %patch17 +%patch18 -p1 %build EXTRA_FLAGS="-DLIB_INSTALL_DIR=%{_kde4_libdir} \ ++++++ kio-sanitize-url-for-proxy.patch ++++++ >From 1804c2fde7bf4e432c6cf5bb8cce5701c7010559 Mon Sep 17 00:00:00 2001 From: Albert Astals Cid <aa...@kde.org> Date: Tue, 28 Feb 2017 19:08:50 +0100 Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL Remove user/password information For https: remove path and query Backport from kio f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 --- kio/misc/kpac/script.cpp | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/kio/misc/kpac/script.cpp b/kio/misc/kpac/script.cpp index a595301..9ab360a 100644 --- a/kio/misc/kpac/script.cpp +++ b/kio/misc/kpac/script.cpp @@ -754,9 +754,16 @@ namespace KPAC } } + KUrl cleanUrl = url; + cleanUrl.setUserInfo(QString()); + if (cleanUrl.scheme().toLower() == QLatin1String("https")) { + cleanUrl.setPath(QString()); + cleanUrl.setQuery(QString()); + } + QScriptValueList args; - args << url.url(); - args << url.host(); + args << cleanUrl.url(); + args << cleanUrl.host(); QScriptValue result = func.call(QScriptValue(), args); if (result.isError()) {
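Review bot: The fragment of an https URL is still handed to FindProxyForURL, because the new https branch clears only the user info, path and query before `cleanUrl.url()` is appended to the argument list; adding `cleanUrl.setFragment(QString());` next to the `setQuery` call would keep whatever a page happens to carry after `#` (client-side tokens are a common case) out of the script as well. The scope of the stripping is not self-explanatory either, so a why-comment above `KUrl cleanUrl = url;` would help, e.g. `// PAC scripts can come from an untrusted source (e.g. WPAD): never expose credentials, and for https pass only scheme/host/port.` The enclosing function begins before this hunk, so whether the fragment is cleared earlier cannot be confirmed from the visible lines.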