Hello community,

here is the log from the commit of package kdelibs4 for openSUSE:Factory 
checked in at 2017-03-05 17:56:53
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kdelibs4 (Old)
 and      /work/SRC/openSUSE:Factory/.kdelibs4.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "kdelibs4"

Sun Mar  5 17:56:53 2017 rev:291 rq:461717 version:4.14.29

Changes:
--------
--- /work/SRC/openSUSE:Factory/kdelibs4/kdelibs4.changes        2017-02-13 
07:45:14.487531662 +0100
+++ /work/SRC/openSUSE:Factory/.kdelibs4.new/kdelibs4.changes   2017-03-05 
17:56:54.492077382 +0100
@@ -1,0 +2,6 @@
+Wed Mar  1 20:55:31 UTC 2017 - fab...@ritter-vogt.de
+
+- Add upstream patch to fix kio security issue (boo#1027520)
+  * kio-sanitize-url-for-proxy.patch
+
+-------------------------------------------------------------------

New:
----
  kio-sanitize-url-for-proxy.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ kdelibs4-apidocs.spec ++++++
--- /var/tmp/diff_new_pack.NbcPjs/_old  2017-03-05 17:56:55.423945484 +0100
+++ /var/tmp/diff_new_pack.NbcPjs/_new  2017-03-05 17:56:55.427944918 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package kdelibs4-apidocs
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed

++++++ kdelibs4.spec ++++++
--- /var/tmp/diff_new_pack.NbcPjs/_old  2017-03-05 17:56:55.443942654 +0100
+++ /var/tmp/diff_new_pack.NbcPjs/_new  2017-03-05 17:56:55.447942088 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package kdelibs4
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -88,6 +88,8 @@
 Patch15:        0001-Drop-Nepomuk-from-KParts-LINK_INTERFACE_LIBRARIES.patch
 # PATCH-FIX-OPENSUSE gcc6-fix-errors.patch -- Fix errors spotted by GCC6.
 Patch17:        gcc6-fix-errors.patch
+# PATCH-FIX-UPSTREAM kio-sanitize-url-for-proxy.patch
+Patch18:        kio-sanitize-url-for-proxy.patch
 PreReq:         permissions
 Requires:       libattica0_4 >= %( echo `rpm -q --queryformat '%{VERSION}' 
libattica-devel`)
 Recommends:     media-player-info
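Review bot: The new `# PATCH-FIX-UPSTREAM` comment on the Patch18 line omits the ` -- description` part that the neighbouring Patch17 comment follows, and carries no bug reference, so a later maintainer has to open the patch to learn why it is there. Suggest `# PATCH-FIX-UPSTREAM kio-sanitize-url-for-proxy.patch boo#1027520 -- Strip user info (and, for https, path and query) from URLs before they reach a PAC script's FindProxyForURL`. The bug number is the one given in the accompanying changes entry.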
@@ -144,6 +146,7 @@
 %patch12 -p1
 %patch15 -p1
 %patch17
+%patch18 -p1
 
 %build
   EXTRA_FLAGS="-DLIB_INSTALL_DIR=%{_kde4_libdir} \

++++++ kio-sanitize-url-for-proxy.patch ++++++
>From 1804c2fde7bf4e432c6cf5bb8cce5701c7010559 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aa...@kde.org>
Date: Tue, 28 Feb 2017 19:08:50 +0100
Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL

Remove user/password information
For https: remove path and query

Backport from kio f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
---
 kio/misc/kpac/script.cpp | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/kio/misc/kpac/script.cpp b/kio/misc/kpac/script.cpp
index a595301..9ab360a 100644
--- a/kio/misc/kpac/script.cpp
+++ b/kio/misc/kpac/script.cpp
@@ -754,9 +754,16 @@ namespace KPAC
             }
         }
 
+        KUrl cleanUrl = url;
+        cleanUrl.setUserInfo(QString());
+        if (cleanUrl.scheme().toLower() == QLatin1String("https")) {
+            cleanUrl.setPath(QString());
+            cleanUrl.setQuery(QString());
+        }
+
         QScriptValueList args;
-        args << url.url();
-        args << url.host();
+        args << cleanUrl.url();
+        args << cleanUrl.host();
 
         QScriptValue result = func.call(QScriptValue(), args);
         if (result.isError()) {
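Review bot: The fragment appears to survive the sanitization: `cleanUrl.url()` on the new side still carries whatever follows `#`, which the `setPath`/`setQuery` calls do not cover, so a PAC script could still read fragment contents (client-side tokens in the fragment of an https URL, for example). Add `cleanUrl.setFragment(QString());` next to the `setUserInfo` call, unconditionally, since a proxy decision should not need the fragment. For non-https schemes the path and query are still handed to the script, which matches the patch's stated intent, but a comment such as `// http path/query are deliberately kept: PAC scripts may route on them` would stop the asymmetry from being read as an oversight. The enclosing function starts and ends outside this hunk.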
