On Thursday, May 09, 2013 06:06:58 AM Johannes Huber wrote:
> On Wednesday, 8 May 2013, 19:50:03 Allen Winter wrote:
> > Packagers,
> >
> > You might consider hot-patching your kdelibs with this.
> > The code that conceivably might display a user password has been in kdelibs
> > since 2009-07-08. Probably means whatever kdelibs 4.x you are shipping needs
> > this fix.
> >
> >
> > ---------- Forwarded Message ----------
> >
> > Subject: [kdelibs/KDE/4.10] kioslave/http: Don't show passwords contained in HTTP URLs in error messages
> > Date: Wednesday, May 08, 2013, 11:38:51 PM
> > From: Grégory Oestreicher <g...@kamago.net>
> > To: kde-comm...@kde.org
> >
> > Git commit 65d736dab592bced4410ccfa4699de89f78c96ca by Grégory Oestreicher.
> > Committed on 08/05/2013 at 23:16.
> > Pushed by goestreicher into branch 'KDE/4.10'.
> >
> > Don't show passwords contained in HTTP URLs in error messages
> > BUG: 319428
> >
> > M +3 -3 kioslave/http/http.cpp
> >
> > http://commits.kde.org/kdelibs/65d736dab592bced4410ccfa4699de89f78c96ca
> >
> > diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp > > index 2d139a9..129fc7b 100644 > > --- a/kioslave/http/http.cpp > > +++ b/kioslave/http/http.cpp > > @@ -3056,7 +3056,7 @@ try_again: > > ; // Ignore error > > } else { > > if (!sendErrorPageNotification()) { > > - error(ERR_INTERNAL_SERVER, m_request.url.url()); > > + error(ERR_INTERNAL_SERVER, m_request.url.prettyUrl()); > > return false; > > } > > } 
> > @@ -3072,9 +3072,9 @@ try_again: > > // Tell that we will only get an error page here. > > if (!sendErrorPageNotification()) { > > if (m_request.responseCode == 403) > > - error(ERR_ACCESS_DENIED, m_request.url.url()); > > + error(ERR_ACCESS_DENIED, m_request.url.prettyUrl()); > > else > > - error(ERR_DOES_NOT_EXIST, m_request.url.url()); > > + error(ERR_DOES_NOT_EXIST, m_request.url.prettyUrl()); > > return false; > > } > > } else if (m_request.responseCode >= 301 && m_request.responseCode<= > > 303) {
> >
> > -----------------------------------------
>
> Hello Allen,
>
> thanks for the patch. Is there a CVE for this issue?
>

No. This came about from a normal user bug report 319428 we saw in kdepim a couple days ago.
-Allen
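
Review bot: in the first hunk (@@ -3056, the ERR_INTERNAL_SERVER branch) nothing at the call site records why prettyUrl() replaces url(), so a later cleanup could switch it back and put the password into the error text again. A one-line comment next to `error(ERR_INTERNAL_SERVER, m_request.url.prettyUrl());` saying that this string is shown to the user and must not carry credentials would help. The diffstat lists only three changed calls, so the rest of kioslave/http/http.cpp is worth checking for other user-visible strings built from m_request.url.url().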
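
Review bot: in the second hunk (@@ -3072) the 403 branch and the else branch each call m_request.url.prettyUrl() on their own; building the display string once before `if (m_request.responseCode == 403)` would keep the choice of the password-free form in one place for both error() calls. The commit cites BUG: 319428 but changes only http.cpp, so a regression test asserting that an HTTP URL carrying a password produces an error message without it would guard these paths.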