summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966-r1.patch')
-rw-r--r--kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966-r1.patch135
1 files changed, 135 insertions, 0 deletions
diff --git a/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966-r1.patch b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966-r1.patch
new file mode 100644
index 000000000000..9bea5726d037
--- /dev/null
+++ b/kde-apps/kdepimlibs/files/kdepimlibs-CVE-2016-7966-r1.patch
@@ -0,0 +1,135 @@
+From 176fee25ca79145ab5c8e2275d248f1a46a8d8cf Mon Sep 17 00:00:00 2001
+From: Montel Laurent <montel@kde.org>
+Date: Fri, 30 Sep 2016 15:55:35 +0200
+Subject: [PATCH] Backport avoid to transform as a url when we have a quote
+
+---
+ kpimutils/linklocator.cpp | 30 +++++++++++++++++++++++++++---
+ kpimutils/linklocator.h | 3 ++-
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp
+index f5d9afd..f30e8fc 100644
+--- a/kpimutils/linklocator.cpp
++++ b/kpimutils/linklocator.cpp
+@@ -95,6 +95,12 @@ int LinkLocator::maxAddressLen() const
+
+ QString LinkLocator::getUrl()
+ {
++ return getUrlAndCheckValidHref();
++}
++
++
++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl)
++{
+ QString url;
+ if ( atUrl() ) {
+ // NOTE: see http://tools.ietf.org/html/rfc3986#appendix-A and especially appendix-C
+@@ -129,13 +135,26 @@ QString LinkLocator::getUrl()
+
+ url.reserve( maxUrlLen() ); // avoid allocs
+ int start = mPos;
++ bool previousCharIsADoubleQuote = false;
+ while ( ( mPos < (int)mText.length() ) &&
+ ( mText[mPos].isPrint() || mText[mPos].isSpace() ) &&
+ ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) ||
+ ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) {
+ if ( !mText[mPos].isSpace() ) { // skip whitespace
+- url.append( mText[mPos] );
+- if ( url.length() > maxUrlLen() ) {
++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
++ //it's an invalid url
++ if (badurl) {
++ *badurl = true;
++ }
++ return QString();
++ }
++ if (mText[mPos] == QLatin1Char('"')) {
++ previousCharIsADoubleQuote = true;
++ } else {
++ previousCharIsADoubleQuote = false;
++ }
++ url.append( mText[mPos] );
++ if ( url.length() > maxUrlLen() ) {
+ break;
+ }
+ }
+@@ -367,7 +386,12 @@ QString LinkLocator::convertToHtml( const QString &plainText, int flags,
+ } else {
+ const int start = locator.mPos;
+ if ( !( flags & IgnoreUrls ) ) {
+- str = locator.getUrl();
++ bool badUrl = false;
++ str = locator.getUrlAndCheckValidHref(&badUrl);
++ if (badUrl) {
++ return locator.mText;
++ }
++
+ if ( !str.isEmpty() ) {
+ QString hyperlink;
+ if ( str.left( 4 ) == QLatin1String("www.") ) {
+diff --git a/kpimutils/linklocator.h b/kpimutils/linklocator.h
+index 3049397..375498d 100644
+--- a/kpimutils/linklocator.h
++++ b/kpimutils/linklocator.h
+@@ -107,6 +107,7 @@ class KPIMUTILS_EXPORT LinkLocator
+ @return The URL at the current scan position, or an empty string.
+ */
+ QString getUrl();
++ QString getUrlAndCheckValidHref(bool *badurl = 0);
+
+ /**
+ Attempts to grab an email address. If there is an @ symbol at the
+@@ -155,7 +156,7 @@ class KPIMUTILS_EXPORT LinkLocator
+ */
+ static QString pngToDataUrl( const QString & iconPath );
+
+- protected:
++protected:
+ /**
+ The plaintext string being scanned for URLs and email addresses.
+ */
+--
+2.7.3
+
+From 8bbe1bd3fdc55f609340edc667ff154b3d2aaab1 Mon Sep 17 00:00:00 2001
+From: Montel Laurent <montel@kde.org>
+Date: Tue, 11 Oct 2016 11:47:41 +0200
+Subject: [PATCH] Backport show bad url text
+
+---
+ kpimutils/linklocator.cpp | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp
+index f30e8fc..4abe968 100644
+--- a/kpimutils/linklocator.cpp
++++ b/kpimutils/linklocator.cpp
+@@ -389,7 +389,23 @@ QString LinkLocator::convertToHtml( const QString &plainText, int flags,
+ bool badUrl = false;
+ str = locator.getUrlAndCheckValidHref(&badUrl);
+ if (badUrl) {
+- return locator.mText;
++ QString resultBadUrl;
++ const int helperTextSize(locator.mText.count());
++ for (int i = 0; i < helperTextSize; ++i) {
++ const QChar chBadUrl = locator.mText[i];
++ if (chBadUrl == QLatin1Char('&')) {
++ resultBadUrl += QLatin1String("&amp;");
++ } else if (chBadUrl == QLatin1Char('"')) {
++ resultBadUrl += QLatin1String("&quot;");
++ } else if (chBadUrl == QLatin1Char('<')) {
++ resultBadUrl += QLatin1String("&lt;");
++ } else if (chBadUrl == QLatin1Char('>')) {
++ resultBadUrl += QLatin1String("&gt;");
++ } else {
++ resultBadUrl += chBadUrl;
++ }
++ }
++ return resultBadUrl;
+ }
+
+ if ( !str.isEmpty() ) {
+--
+2.7.3
+