Hello community, here is the log from the commit of package kio for openSUSE:Factory checked in at 2017-03-03 17:30:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kio (Old) and /work/SRC/openSUSE:Factory/.kio.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "kio"
Fri Mar 3 17:30:57 2017 rev:43 rq:461718 version:5.31.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/kio/kio.changes 2017-02-03 17:45:15.376539096 +0100
+++ /work/SRC/openSUSE:Factory/.kio.new/kio.changes 2017-03-03 17:30:59.207995820 +0100
@@ -1,0 +2,13 @@
+Wed Mar 1 21:02:49 UTC 2017 - fabian@ritter-vogt.de
+
+- Add patch to fix security issue with proxy configuration (boo#1027520)
+ * sanitize-url-for-proxy.patch
+
+-------------------------------------------------------------------
+Thu Feb 9 09:30:01 UTC 2017 - hrvoje.senjan@gmail.com
+
+- Update to 5.31.0
+ * For more details please see:
+ https://www.kde.org/announcements/kde-frameworks-5.31.0.php
+
+-------------------------------------------------------------------
Old:
----
kio-5.30.0.tar.xz
New:
----
kio-5.31.0.tar.xz
sanitize-url-for-proxy.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ kio.spec ++++++
--- /var/tmp/diff_new_pack.zIlUPE/_old 2017-03-03 17:31:00.579801998 +0100
+++ /var/tmp/diff_new_pack.zIlUPE/_new 2017-03-03 17:31:00.583801433 +0100
@@ -17,9 +17,9 @@
 %bcond_without lang
-%define _tar_path 5.30
+%define _tar_path 5.31
 Name: kio
-Version: 5.30.0
+Version: 5.31.0
 Release: 0
 %define kf5_version %{version}
 BuildRequires: cmake >= 3.0
@@ -49,15 +49,15 @@
 BuildRequires: libacl-devel
 BuildRequires: libattr-devel
 BuildRequires: solid-devel >= %{_tar_path}
-BuildRequires: cmake(Qt5Concurrent) >= 5.5.0
-BuildRequires: cmake(Qt5Core) >= 5.5.0
-BuildRequires: cmake(Qt5DBus) >= 5.5.0
-BuildRequires: cmake(Qt5Network) >= 5.5.0
-BuildRequires: cmake(Qt5Script) >= 5.5.0
-BuildRequires: cmake(Qt5Test) >= 5.5.0
-BuildRequires: cmake(Qt5Widgets) >= 5.5.0
-BuildRequires: cmake(Qt5X11Extras) >= 5.5.0
-BuildRequires: cmake(Qt5Xml) >= 5.5.0
+BuildRequires: cmake(Qt5Concurrent) >= 5.6.0
+BuildRequires: cmake(Qt5Core) >= 5.6.0
+BuildRequires: cmake(Qt5DBus) >= 5.6.0
+BuildRequires: cmake(Qt5Network) >= 5.6.0
+BuildRequires: cmake(Qt5Script) >= 5.6.0
+BuildRequires: cmake(Qt5Test) >= 5.6.0
+BuildRequires: cmake(Qt5Widgets) >= 5.6.0
+BuildRequires: cmake(Qt5X11Extras) >= 5.6.0
+BuildRequires: cmake(Qt5Xml) >= 5.6.0
 BuildRequires: pkgconfig(openssl)
 BuildRequires: pkgconfig(x11)
 Requires: %{name}-core = %{version}
@@ -75,6 +75,8 @@
 Source1: baselibs.conf
 # PATCH-FIX-OPENSUSE kio_help-fallback-to-kde4-docs.patch -- allow kio_help to see into kde4 documentation, needed especially for khelpcenter5
 Patch0: kio_help-fallback-to-kde4-docs.patch
+# PATCH-FIX-UPSTREAM sanitize-url-for-proxy.patch
+Patch1: sanitize-url-for-proxy.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 %description
@@ -84,8 +86,8 @@
 %package core
 Summary: Network transparent access to files and data
-Group: System/GUI/KDE
 # core subpackage created with 5.9.0
+Group: System/GUI/KDE
 Conflicts: kio <= 5.8.0
 %description core
@@ -109,7 +111,7 @@
 Requires: kservice-devel >= %{_tar_path}
 Requires: kxmlgui-devel >= %{_tar_path}
 Requires: solid-devel >= %{_tar_path}
-Requires: cmake(Qt5Network) >= 5.5.0
+Requires: cmake(Qt5Network) >= 5.6.0
 %description devel
 This framework implements almost all the file management functions you
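Review bot: The new `# PATCH-FIX-UPSTREAM sanitize-url-for-proxy.patch` tag in the `@@ -75,6 +75,8 @@` hunk carries no description and no reference, unlike the Patch0 tag two lines above it, so a later maintainer cannot tell from the spec what the patch fixes or when it can be dropped. Extend it to `# PATCH-FIX-UPSTREAM sanitize-url-for-proxy.patch boo#1027520 -- Sanitize URLs before passing them to FindProxyForURL (upstream f9d0cb47)`. Both the bug number and the upstream commit id are already in this submission, in the changes entry and in the embedded patch header.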
@@ -121,6 +123,7 @@
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 %build
 %cmake_kf5 -d build
++++++ kio-5.30.0.tar.xz -> kio-5.31.0.tar.xz ++++++
++++ 35620 lines of diff (skipped)
++++++ sanitize-url-for-proxy.patch ++++++
From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Tue, 28 Feb 2017 19:00:48 +0100
Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL
Remove user/password information
For https: remove path and query
Thanks to safebreach.com for reporting the problem
CCMAIL: yoni.fridburg@safebreach.com
CCMAIL: amit.klein@safebreach.com
CCMAIL: itzik.kotler@safebreach.com
---
 src/kpac/script.cpp | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
index a0235f7..2485c54 100644
--- a/src/kpac/script.cpp
+++ b/src/kpac/script.cpp
@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
         }
     }
+    QUrl cleanUrl = url;
+    cleanUrl.setUserInfo(QString());
+    if (cleanUrl.scheme() == QLatin1String("https")) {
+        cleanUrl.setPath(QString());
+        cleanUrl.setQuery(QString());
+    }
+
     QScriptValueList args;
-    args << url.url();
-    args << url.host();
+    args << cleanUrl.url();
+    args << cleanUrl.host();
     QScriptValue result = func.call(QScriptValue(), args);
     if (result.isError()) {
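Review bot: The https branch clears the path and query but not the fragment, so `cleanUrl.url()` a few lines below can still hand a `#fragment` from the original URL to the PAC script's FindProxyForURL; add `cleanUrl.setFragment(QString());` next to the `setQuery` call so the script sees only scheme and host for https. The scheme comparison needs no case folding, since QUrl::scheme() is returned lowercased. Only `https` is stripped, so any other encrypted scheme that reaches this path keeps its full path and query; if that is deliberate, a one-line comment on the `if` stating that only https is reduced to scheme and host would save the next reader from guessing. Script::evaluate starts and ends outside the hunk.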