Commit | Line | Data |
---|---|---|
0a9201ae AG |
1 | ------------------------------------------------------------------------ |
2 | r700053 | mueller | 2007-08-14 18:37:30 +0200 (Tue, 14 Aug 2007) | 2 lines | |
3 | ||
4 | be more robust against addressbar spoofing (CVE-2007-4225) | |
5 | ||
6 | ------------------------------------------------------------------------ | |
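--- a/kdecore/tests/kurltest.cpp
+++ b/kdecore/tests/kurltest.cpp
@@ -288,6 +288,16 @@ int main(int argc, char *argv[])
 check("KURL::prettyURL()", url15582.prettyURL(), "http://alain.knaff.linux.lu/bug-reports/kde/percentage%in%url.html");
 check("KURL::url()", url15582.url(), "http://alain.knaff.linux.lu/bug-reports/kde/percentage%25in%25url.html");
 
+ KURL whitespaceInUser("http://www.google.com%20%20%20%20%20@foobar.com/");
+ check("KURL::prettyURL()", whitespaceInUser.prettyURL(), "http://www.google.com%20%20%20%20%20@foobar.com/");
+
+ KURL whitespaceInPath("http://www.google.com/foo%20bar/");
+ check("KURL::prettyURL()", whitespaceInPath.prettyURL(), "http://www.google.com/foo bar/");
+
+ KURL whitespaceInPath2("http://www.google.com/foo%20%20%20%20%20%20%20bar/");
+ check("KURL::prettyURL()", whitespaceInPath2.prettyURL(),
+ "http://www.google.com/foo%20%20%20%20%20%20 bar/");
+
 KURL carsten;
 carsten.setPath("/home/gis/src/kde/kdelibs/kfile/.#kfiledetailview.cpp.1.18");
 check("KURL::path()", carsten.path(), "/home/gis/src/kde/kdelibs/kfile/.#kfiledetailview.cpp.1.18");
@@ -594,6 +604,15 @@ int main(int argc, char *argv[])
 check("http: URL with empty path string path", waba1.path(),
 "");
 
+ waba1 = "http://www.meinestadt.de&url_plain=http";
+ check("http: URL with empty path string", waba1.host(),
+ "www.meinestadt.de&url_plain=http");
+ check("http: URL with empty path string", waba1.htmlURL(),
+ "http://www.meinestadt.de&url_plain=http");
+
+ check("http: URL with empty path string", waba1.path(),
+ "");
+
 waba1 = "http://a:389#b=c";
 check( "http: URL with port, ref, and empty path; url", waba1.url(), "http://a:389#b=c" );
 check( "http: URL with port, ref, and empty path; host", waba1.host(), "a" );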
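Review bot: The new regression checks for CVE-2007-4225 cannot be told apart in the test output: all three whitespace cases reuse the label `"KURL::prettyURL()"`, and the three `waba1` checks share `"http: URL with empty path string"` for host(), htmlURL() and path(). Distinct labels such as `check("KURL::prettyURL() whitespace in user", whitespaceInUser.prettyURL(), ...)` and `"...; host"` / `"...; htmlURL"` / `"...; path"` (matching the style of the `waba1 = "http://a:389#b=c"` checks just below) would make a regression in the display encoding immediately identifiable. The user-part case is asserted only through prettyURL() and only for `%20`; a one-line comment above `whitespaceInUser` saying that the padded user name must stay percent-encoded in the displayed URL would record why the expected string equals the input. main() begins and ends outside both hunks.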
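--- a/kdecore/kurl.cpp
+++ b/kdecore/kurl.cpp
@@ -183,7 +183,7 @@ static QString lazy_encode( const QStrin
 (character == '?') || // Start of query delimiter
 ((character == '@') && encodeAt) || // Username delimiter
 (character == '#') || // Start of reference delimiter
- ((character == 32) && (i+1 == old_length))) // A trailing space
+ ((character == 32) && (i+1 == old_length || segment[i+1] == ' '))) // A trailing space
 {
 new_segment[ new_length++ ] = '%';
 
@@ -1540,7 +1540,7 @@ QString KURL::prettyURL( int _trailing )
 u += "//";
 if ( hasUser() )
 {
- u += lazy_encode(m_strUser);
+ u += encode(m_strUser, 0, 0);
 // Don't show password!
 u += "@";
 }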
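Review bot: The trailing comment `// A trailing space` on the changed condition in lazy_encode is now stale, because the added clause `segment[i+1] == ' '` also encodes a space that is followed by another space, leaving only the last space of a run readable (as the new kurltest expectations show). I would reword it to `// A trailing space, or a space followed by another space`. The test compares against the space character only, so runs built from other whitespace are presumably still displayed decoded wherever lazy_encode remains in use; that is worth confirming for the remaining display paths. In prettyURL(), `u += encode(m_strUser, 0, 0);` deserves a comment such as `// Always fully encode the user part so it cannot pass for a host name in the displayed URL`, since the meaning of the two `0` arguments is not visible in the hunk. Both functions start and end outside their hunks.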