Subject: krusader: Security hole in Popular URL-s
Package: krusader
Version: 1.60.0-3
Severity: important
Tags: patch


Hi List,

The Popular URL class saved passwords in cleartext into the krusaderrc file.
The passwords are saved when:
- entering URL-s like 'protocol://user:[EMAIL PROTECTED]' into the panel's URL 
field.
The passwords are not saved when:
- using the FTP new connection dialog
- using 'protocol://[EMAIL PROTECTED]' and entering the password later

Yesterday Csaba Karai committed a patch which solves that problem
in krusader-cvs, so CVS works fine.
http://cvs.sourceforge.net/viewcvs.py/krusader/krusader_kde3/krusader/Dialogs/popularurls.cpp?rev=1.10&view=log
http://cvs.sourceforge.net/viewcvs.py/krusader/krusader_kde3/krusader/Dialogs/popularurls.cpp?r1=1.9&r2=1.10

The bug is not serious, as accessing the krusaderrc file requires owner 
permission.

Affected Debian versions:
1.60.0-1, 1.60.0-2, 1.60.0-3 

Affected Source tarballs:
- krusader-1.60.0 
- krusader-1.70.0-beta1

This bug is fixed in the upcoming krusader-1.70.0-beta2 source tarball.

More information in the Krusader forum:
http://www.krusader.org/phpBB/viewtopic.php?t=1367
And in the Krusader-devel mailing list:
http://groups.google.com/group/krusader-devel/browse_thread/thread/a6a5d6ba219fe9ce/aff766e49430b91a#aff766e49430b91a


Patch:
----------------------------------
--- popularurls.cpp     2005-04-08 00:09:04.000000000 +0200
+++ popularurls.cpp     2005-10-27 21:38:24.000000000 +0200
@@ -46,7 +46,7 @@
       QValueList<int> rankList;
       UrlNodeP p = head;
       while (p) {
-               urlList << p->url.url();
+               urlList << p->url.prettyURL();
               rankList << p->rank;
               p = p->next;
       }
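Review bot: in the save loop, `p->url.prettyURL()` is a display-oriented form, and nothing in the line says that the password is being dropped on purpose. Add a comment stating that the goal is to keep credentials out of krusaderrc, or clear the password explicitly on a copy of the URL before serialising it, so that a later change back to `url()` does not silently reintroduce the leak. It is also worth confirming that the pretty form reads back to the same location for URLs with escaped characters, since it is what the load path now parses.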
@@ -69,7 +69,7 @@
       QValueList<int>::Iterator rit;
       for (uit=urlList.begin(), rit=rankList.begin(); uit!=urlList.end() && 
rit!=rankList.end();
++uit, ++rit) {
               UrlNodeP node = new UrlNode;
-               node->url = *uit;
+               node->url = KURL::fromPathOrURL( *uit );
               node->rank = *rit;
               appendNode(node);
               ranks.insert(*uit, node);
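Review bot: on the load path, `ranks.insert(*uit, node)` still keys the map on the raw string read from the config, while `node->url` is now the parsed KURL. For an entry written by an affected version, that raw string still contains the password, so the credential stays in memory as a map key and the key may not match the password-free form written on the next save. Key the map on the same normalised form used for the node, and clear the password from entries at load time so that old krusaderrc files are cleaned up rather than carried along.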
----------------------------------


Sorry for any inconvenience.

kind regards,

Frank Schoolmeesters
Krusader Krew
http://www.krusader.org
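
An added example (not part of the original report and not Krusader code): a Python check that finds URLs with an inline password in a krusaderrc-style file left behind by an affected version and rewrites them without the password. The group names, key names and URLs in the sample are constructed, and the real krusaderrc layout is an assumption.

```python
import re

# scheme://user:password@ ; commas are excluded because KDE config files
# store lists as comma-separated values. Greedy matching plus backtracking
# lets a password contain '@' (the last '@' before the host wins).
CRED_URL = re.compile(
    r'(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://'
    r'(?P<user>[^\s:/@,]+):(?P<pw>[^\s/,]+)@'
)

def find_credential_urls(text):
    """Return (line_no, key, scheme, user) for every URL with an inline password."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        # Skip group headers, comments and anything that is not key=value.
        if line.lstrip().startswith(('#', '[')) or '=' not in line:
            continue
        key, value = line.split('=', 1)
        for m in CRED_URL.finditer(value):
            # The password itself is deliberately not returned or logged.
            hits.append((no, key.strip(), m.group('scheme'), m.group('user')))
    return hits

def redact(text):
    """Remove the password and keep scheme://user@host."""
    return CRED_URL.sub(
        lambda m: f"{m.group('scheme')}://{m.group('user')}@", text)

# Constructed sample; group and key names are hypothetical.
SAMPLE = """\
[Private]
Popular Urls=ftp://alice:s3cret@ftp.example.org/pub,/home/alice,sftp://bob@files.example.net/
Popular Urls Rank=3,2,1
[Startup]
Left Tab Bar=smb://carol:p@ss@nas.example.lan/share
"""

if __name__ == "__main__":
    for no, key, scheme, user in find_credential_urls(SAMPLE):
        print(f"line {no}: key '{key}' holds a {scheme} password for '{user}'")
    print(redact(SAMPLE))
```

Any password found this way has already been on disk in cleartext, so it should be changed on the server after the file is cleaned.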




                