authormarkd <markd@pkgsrc.org>2011-11-20 02:08:10 +0000
committermarkd <markd@pkgsrc.org>2011-11-20 02:08:10 +0000
commitb991a71c689569a6bb8e52c30aee03ee19601bdd (patch)
tree1cb9efb7fbe563e8f0687ffcfb581f7c1e491f9b /x11
parentc2508a72dafe236f3e7003aeff3af12312886ace (diff)
downloadpkgsrc-b991a71c689569a6bb8e52c30aee03ee19601bdd.tar.gz
don't interpret html tags. KDE Security Advisory 20111003-1
Diffstat (limited to 'x11')
-rw-r--r--x11/kdelibs4/Makefile4
-rw-r--r--x11/kdelibs4/distinfo4
-rw-r--r--x11/kdelibs4/patches/patch-kio_kssl_ksslcertificatebox.cpp17
-rw-r--r--x11/kdelibs4/patches/patch-kioslave_http_http.cpp64
4 files changed, 86 insertions, 3 deletions
diff --git a/x11/kdelibs4/Makefile b/x11/kdelibs4/Makefile
index 0bbd2507d11..6cb3dc181a8 100644
--- a/x11/kdelibs4/Makefile
+++ b/x11/kdelibs4/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.29 2011/11/01 06:03:02 sbd Exp $
+# $NetBSD: Makefile,v 1.30 2011/11/20 02:08:10 markd Exp $
DISTNAME= kdelibs-${_KDE_VERSION}
-PKGREVISION= 7
+PKGREVISION= 8
CATEGORIES= x11
COMMENT= Support libraries for the KDE integrated X11 desktop
diff --git a/x11/kdelibs4/distinfo b/x11/kdelibs4/distinfo
index 381f43580f7..ed54ad582df 100644
--- a/x11/kdelibs4/distinfo
+++ b/x11/kdelibs4/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2011/11/01 15:55:12 hans Exp $
+$NetBSD: distinfo,v 1.21 2011/11/20 02:08:10 markd Exp $
SHA1 (kdelibs-4.5.5.tar.bz2) = 127a2b50fe31ff345e05660dd50f7c55ae78d854
RMD160 (kdelibs-4.5.5.tar.bz2) = 7c33afa12379119fbf7d70e8895c3f2ada9a2eba
@@ -17,4 +17,6 @@ SHA1 (patch-an) = b5fe924970772bd8a5b420f8cc638ab8bf892c53
SHA1 (patch-cmake_modules_FindTaglib.cmake) = 97baf0e5c9f53a17582d89ee41cb4d99fbd15424
SHA1 (patch-kdeui_colors_kcolordialog.cpp) = f105006a778c42a93452fc4bf5d561aa62595a5c
SHA1 (patch-khtml_khtml_part.cpp) = f8f5977b03463b6de909881178abed3ba351364c
+SHA1 (patch-kio_kssl_ksslcertificatebox.cpp) = 1f187968a49e251fbdbbf2569e4703ac05b474be
+SHA1 (patch-kioslave_http_http.cpp) = abd6446120fab21cd30da3e9e1fdc00218802d89
SHA1 (patch-kjs_JSImmediate.h) = 29949739140d766362d308ece28c96aef593ed73
diff --git a/x11/kdelibs4/patches/patch-kio_kssl_ksslcertificatebox.cpp b/x11/kdelibs4/patches/patch-kio_kssl_ksslcertificatebox.cpp
new file mode 100644
index 00000000000..0721c4cfcea
--- /dev/null
+++ b/x11/kdelibs4/patches/patch-kio_kssl_ksslcertificatebox.cpp
@@ -0,0 +1,17 @@
+$NetBSD: patch-kio_kssl_ksslcertificatebox.cpp,v 1.1 2011/11/20 02:08:10 markd Exp $
+
+don't interpret html tags. KDE Security Advisory 20111003-1
+
+--- kio/kssl/ksslcertificatebox.cpp.orig 2008-05-21 11:08:14.000000000 +0000
++++ kio/kssl/ksslcertificatebox.cpp
+@@ -36,6 +36,10 @@ KSslCertificateBox::KSslCertificateBox(Q
+ d(new KSslCertificateBoxPrivate())
+ {
+ d->ui.setupUi(this);
++ // No fooling us with html tags
++ Q_FOREACH(QLabel* label, qFindChildren<QLabel *>(this)) {
++ label->setTextFormat(Qt::PlainText);
++ }
+ }
+
+
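Review bot: The added comment `// No fooling us with html tags` does not say which text is untrusted or why every label is switched. Something like `// Labels display certificate fields supplied by the remote peer; force plain text so markup in them is never rendered.` would make the intent clear, assuming the labels do show peer-supplied certificate data, which this hunk does not show. The loop runs once in the constructor right after `setupUi(this)`, so any QLabel created or re-parented into this widget later keeps the default text format; a short note stating that limitation would help future maintainers. The constructor's signature is cut off in the hunk header and lies outside the visible lines.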
diff --git a/x11/kdelibs4/patches/patch-kioslave_http_http.cpp b/x11/kdelibs4/patches/patch-kioslave_http_http.cpp
new file mode 100644
index 00000000000..c792bc9f50e
--- /dev/null
+++ b/x11/kdelibs4/patches/patch-kioslave_http_http.cpp
@@ -0,0 +1,64 @@
+$NetBSD: patch-kioslave_http_http.cpp,v 1.1 2011/11/20 02:08:10 markd Exp $
+
+don't interpret html tags. KDE Security Advisory 20111003-1
+
+commit 90607b28d21fefc43657ca08b889bdb174c31fab
+Author: David Faure <faure@kde.org>
+Date: Wed Sep 28 17:26:47 2011 +0200
+
+ Use HTML escaping on texts that come from the website
+
+ Interestingly enough, this is yet another use case for moving Qt::escape
+ to QtCore, which I made a merge request for.
+ (cherry picked from commit 86622e4db182f4b914169f72ebd1e66d708e9f87)
+
+diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp
+index 33f4cb1..6447a02 100644
+--- kioslave/http/http.cpp
++++ kioslave/http/http.cpp
+@@ -99,6 +99,27 @@
+ //authentication handlers
+ #include "httpauthentication.cpp"
+
++// KDE5 TODO (QT5) : use QString::htmlEscape or whatever https://qt.gitorious.org/qt/qtbase/merge_requests/56
++// ends up with.
++static QString htmlEscape(const QString &plain)
++{
++ QString rich;
++ rich.reserve(int(plain.length() * 1.1));
++ for (int i = 0; i < plain.length(); ++i) {
++ if (plain.at(i) == QLatin1Char('<'))
++ rich += QLatin1String("&lt;");
++ else if (plain.at(i) == QLatin1Char('>'))
++ rich += QLatin1String("&gt;");
++ else if (plain.at(i) == QLatin1Char('&'))
++ rich += QLatin1String("&amp;");
++ else if (plain.at(i) == QLatin1Char('"'))
++ rich += QLatin1String("&quot;");
++ else
++ rich += plain.at(i);
++ }
++ rich.squeeze();
++ return rich;
++}
+
+ // see filenameFromUrl(): a sha1 hash is 160 bits
+ static const int s_hashedUrlBits = 160; // this number should always be divisible by eight
+@@ -3410,7 +3431,7 @@ endParsing:
+ authinfo.url = reqUrl;
+ authinfo.keepPassword = true;
+ authinfo.comment = i18n("<b>%1</b> at <b>%2</b>",
+- authinfo.realmValue, authinfo.url.host());
++ htmlEscape(authinfo.realmValue), authinfo.url.host());
+
+ if (!openPasswordDialog(authinfo, errorMsg)) {
+ if (sendErrorPageNotification()) {
+@@ -5122,7 +5143,7 @@ void HTTPProtocol::proxyAuthenticationForSocket(const QNetworkProxy &proxy, QAut
+ "to access any sites.");
+ info.keepPassword = true;
+ info.commentLabel = i18n("Proxy:");
+- info.comment = i18n("<b>%1</b> at <b>%2</b>", info.realmValue, m_request.proxyUrl.host());
++ info.comment = i18n("<b>%1</b> at <b>%2</b>", htmlEscape(info.realmValue), m_request.proxyUrl.host());
+ const bool dataEntered = openPasswordDialog(info, i18n("Proxy Authentication Failed."));
+ if (!dataEntered) {
+ kDebug(7103) << "looks like the user canceled proxy authentication.";
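Review bot: At both patched call sites the second argument, `authinfo.url.host()` and `m_request.proxyUrl.host()`, is still substituted unescaped into the rich-text string `<b>%1</b> at <b>%2</b>`; only the realm goes through `htmlEscape()`. Whether a host string can carry markup depends on URL validation that is not visible in these hunks, but escaping it as well is cheap defence in depth: `htmlEscape(authinfo.realmValue), htmlEscape(authinfo.url.host()));`, and likewise `htmlEscape(m_request.proxyUrl.host())` in the proxy case. `htmlEscape()` itself has only a TODO above it; a one-line comment stating that it escapes `<`, `>`, `&` and `"` in server-supplied text before it reaches a rich-text dialog would document the contract. Both call sites sit in functions whose bodies begin and end outside the hunks shown.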