From c4ffef588df688ce72614aa24b44fe93165ec722 Mon Sep 17 00:00:00 2001 From: tron Date: Sun, 20 Nov 2011 13:14:33 +0000 Subject: Pullup ticket #3613 - requested by markd x11/kdelibs4: security patch Revisions pulled up: - x11/kdelibs4/Makefile 1.30 via patch - x11/kdelibs4/distinfo 1.21 via patch - x11/kdelibs4/patches/patch-kio_kssl_ksslcertificatebox.cpp 1.1 - x11/kdelibs4/patches/patch-kioslave_http_http.cpp 1.1 --- Module Name: pkgsrc Committed By: markd Date: Sun Nov 20 02:08:11 UTC 2011 Modified Files: pkgsrc/x11/kdelibs4: Makefile distinfo Added Files: pkgsrc/x11/kdelibs4/patches: patch- kio_kssl_ksslcertificatebox.cpp patch-kioslave_http_http.cpp Log Message: don't interpret html tags. KDE Security Advisory 20111003-1 --- x11/kdelibs4/Makefile | 4 +- x11/kdelibs4/distinfo | 4 +- .../patches/patch-kio_kssl_ksslcertificatebox.cpp | 17 ++++++ x11/kdelibs4/patches/patch-kioslave_http_http.cpp | 64 ++++++++++++++++++++++ 4 files changed, 86 insertions(+), 3 deletions(-) create mode 100644 x11/kdelibs4/patches/patch-kio_kssl_ksslcertificatebox.cpp create mode 100644 x11/kdelibs4/patches/patch-kioslave_http_http.cpp diff --git a/x11/kdelibs4/Makefile b/x11/kdelibs4/Makefile index 5ceb5203eef..5a8735d4619 100644 --- a/x11/kdelibs4/Makefile +++ b/x11/kdelibs4/Makefile @@ -1,7 +1,7 @@ -# $NetBSD: Makefile,v 1.28 2011/09/29 19:31:58 markd Exp $ +# $NetBSD: Makefile,v 1.28.2.1 2011/11/20 13:14:33 tron Exp $ DISTNAME= kdelibs-${_KDE_VERSION} -PKGREVISION= 6 +PKGREVISION= 8 CATEGORIES= x11 COMMENT= Support libraries for the KDE integrated X11 desktop diff --git a/x11/kdelibs4/distinfo b/x11/kdelibs4/distinfo index 081742eff76..f49d16d071e 100644 --- a/x11/kdelibs4/distinfo +++ b/x11/kdelibs4/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.19 2011/09/27 10:48:20 markd Exp $ +$NetBSD: distinfo,v 1.19.2.1 2011/11/20 13:14:33 tron Exp $ SHA1 (kdelibs-4.5.5.tar.bz2) = 127a2b50fe31ff345e05660dd50f7c55ae78d854 RMD160 (kdelibs-4.5.5.tar.bz2) = 7c33afa12379119fbf7d70e8895c3f2ada9a2eba @@ -17,3 +17,5 @@ SHA1 (patch-an) = b5fe924970772bd8a5b420f8cc638ab8bf892c53 SHA1 (patch-cmake_modules_FindTaglib.cmake) = 97baf0e5c9f53a17582d89ee41cb4d99fbd15424 SHA1 (patch-kdeui_colors_kcolordialog.cpp) = f105006a778c42a93452fc4bf5d561aa62595a5c SHA1 (patch-khtml_khtml_part.cpp) = f8f5977b03463b6de909881178abed3ba351364c +SHA1 (patch-kio_kssl_ksslcertificatebox.cpp) = 1f187968a49e251fbdbbf2569e4703ac05b474be +SHA1 (patch-kioslave_http_http.cpp) = abd6446120fab21cd30da3e9e1fdc00218802d89 diff --git a/x11/kdelibs4/patches/patch-kio_kssl_ksslcertificatebox.cpp b/x11/kdelibs4/patches/patch-kio_kssl_ksslcertificatebox.cpp new file mode 100644 index 00000000000..ca766e235ac --- /dev/null +++ b/x11/kdelibs4/patches/patch-kio_kssl_ksslcertificatebox.cpp @@ -0,0 +1,17 @@ +$NetBSD: patch-kio_kssl_ksslcertificatebox.cpp,v 1.1.2.2 2011/11/20 13:14:33 tron Exp $ + +don't interpret html tags. KDE Security Advisory 20111003-1 + +--- kio/kssl/ksslcertificatebox.cpp.orig 2008-05-21 11:08:14.000000000 +0000 ++++ kio/kssl/ksslcertificatebox.cpp +@@ -36,6 +36,10 @@ KSslCertificateBox::KSslCertificateBox(Q + d(new KSslCertificateBoxPrivate()) + { + d->ui.setupUi(this); ++ // No fooling us with html tags ++ Q_FOREACH(QLabel* label, qFindChildren(this)) { ++ label->setTextFormat(Qt::PlainText); ++ } + } + + diff --git a/x11/kdelibs4/patches/patch-kioslave_http_http.cpp b/x11/kdelibs4/patches/patch-kioslave_http_http.cpp new file mode 100644 index 00000000000..b7ae1abfa59 --- /dev/null +++ b/x11/kdelibs4/patches/patch-kioslave_http_http.cpp @@ -0,0 +1,64 @@ +$NetBSD: patch-kioslave_http_http.cpp,v 1.1.2.2 2011/11/20 13:14:33 tron Exp $ + +don't interpret html tags. KDE Security Advisory 20111003-1 + +commit 90607b28d21fefc43657ca08b889bdb174c31fab +Author: David Faure +Date: Wed Sep 28 17:26:47 2011 +0200 + + Use HTML escaping on texts that come from the website + + Interestingly enough, this is yet another use case for moving Qt::escape + to QtCore, which I made a merge request for. + (cherry picked from commit 86622e4db182f4b914169f72ebd1e66d708e9f87) + +diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp +index 33f4cb1..6447a02 100644 +--- kioslave/http/http.cpp ++++ kioslave/http/http.cpp +@@ -99,6 +99,27 @@ + //authentication handlers + #include "httpauthentication.cpp" + ++// KDE5 TODO (QT5) : use QString::htmlEscape or whatever https://qt.gitorious.org/qt/qtbase/merge_requests/56 ++// ends up with. ++static QString htmlEscape(const QString &plain) ++{ ++ QString rich; ++ rich.reserve(int(plain.length() * 1.1)); ++ for (int i = 0; i < plain.length(); ++i) { ++ if (plain.at(i) == QLatin1Char('<')) ++ rich += QLatin1String("<"); ++ else if (plain.at(i) == QLatin1Char('>')) ++ rich += QLatin1String(">"); ++ else if (plain.at(i) == QLatin1Char('&')) ++ rich += QLatin1String("&"); ++ else if (plain.at(i) == QLatin1Char('"')) ++ rich += QLatin1String("""); ++ else ++ rich += plain.at(i); ++ } ++ rich.squeeze(); ++ return rich; ++} + + // see filenameFromUrl(): a sha1 hash is 160 bits + static const int s_hashedUrlBits = 160; // this number should always be divisible by eight +@@ -3410,7 +3431,7 @@ endParsing: + authinfo.url = reqUrl; + authinfo.keepPassword = true; + authinfo.comment = i18n("%1 at %2", +- authinfo.realmValue, authinfo.url.host()); ++ htmlEscape(authinfo.realmValue), authinfo.url.host()); + + if (!openPasswordDialog(authinfo, errorMsg)) { + if (sendErrorPageNotification()) { +@@ -5122,7 +5143,7 @@ void HTTPProtocol::proxyAuthenticationForSocket(const QNetworkProxy &proxy, QAut + "to access any sites."); + info.keepPassword = true; + info.commentLabel = i18n("Proxy:"); +- info.comment = i18n("%1 at %2", info.realmValue, m_request.proxyUrl.host()); ++ info.comment = i18n("%1 at %2", htmlEscape(info.realmValue), m_request.proxyUrl.host()); + const bool dataEntered = openPasswordDialog(info, i18n("Proxy Authentication Failed.")); + if (!dataEntered) { + kDebug(7103) << "looks like the user canceled proxy authentication."; -- cgit v1.2.3