aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlbert Astals Cid <aacid@kde.org>2017-02-28 18:00:48 (GMT)
committerAlbert Astals Cid <aacid@kde.org>2017-02-28 18:02:17 (GMT)
commitf9d0cb47cf94e209f6171ac0e8d774e68156a6e4 (patch)
tree97c12b8c5b384307e8fd0f18c755a043eac67242
parentcae36e0efc65ab27c453896a6cf1976edf02a3fa (diff)
Sanitize URLs before passing them to FindProxyForURL
Remove user/password information For https: remove path and query Thanks to safebreach.com for reporting the problem CCMAIL: yoni.fridburg@safebreach.com CCMAIL: amit.klein@safebreach.com CCMAIL: itzik.kotler@safebreach.com
-rw-r--r--src/kpac/script.cpp11
1 files changed, 9 insertions, 2 deletions
diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
index a0235f7..2485c54 100644
--- a/src/kpac/script.cpp
+++ b/src/kpac/script.cpp
@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
}
}
+ QUrl cleanUrl = url;
+ cleanUrl.setUserInfo(QString());
+ if (cleanUrl.scheme() == QLatin1String("https")) {
+ cleanUrl.setPath(QString());
+ cleanUrl.setQuery(QString());
+ }
+
QScriptValueList args;
- args << url.url();
- args << url.host();
+ args << cleanUrl.url();
+ args << cleanUrl.host();
QScriptValue result = func.call(QScriptValue(), args);
if (result.isError()) {