Hello community,

here is the log from the commit of package kcoreaddons for openSUSE:Factory 
checked in at 2016-10-18 09:56:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kcoreaddons (Old)
 and      /work/SRC/openSUSE:Factory/.kcoreaddons.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "kcoreaddons"

Changes:
--------
--- /work/SRC/openSUSE:Factory/kcoreaddons/kcoreaddons.changes  2016-09-14 
23:15:58.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.kcoreaddons.new/kcoreaddons.changes     
2016-10-18 09:56:31.000000000 +0200
@@ -1,0 +2,6 @@
+Thu Oct  6 18:00:21 UTC 2016 - [email protected]
+
+- Added 0001-Fix-very-old-bug-when-we-remove-space-in-url-as-foo-.patch
+  0002-Don-t-convert-as-url-an-url-which-has-a.patch (CVE-2016-7966)
+
+-------------------------------------------------------------------

New:
----
  0001-Fix-very-old-bug-when-we-remove-space-in-url-as-foo-.patch
  0002-Don-t-convert-as-url-an-url-which-has-a.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ kcoreaddons.spec ++++++
--- /var/tmp/diff_new_pack.3BsR2r/_old  2016-10-18 09:56:32.000000000 +0200
+++ /var/tmp/diff_new_pack.3BsR2r/_new  2016-10-18 09:56:32.000000000 +0200
@@ -40,6 +40,10 @@
 Group:          System/GUI/KDE
 Url:            http://www.kde.org
 Source:         
http://download.kde.org/stable/frameworks/%{_tar_path}/%{name}-%{version}.tar.xz
+# PATCH-FIX-UPSTREAM 
0001-Fix-very-old-bug-when-we-remove-space-in-url-as-foo-.patch
+Patch0:         0001-Fix-very-old-bug-when-we-remove-space-in-url-as-foo-.patch
+# PATCH-FIX-UPSTREAM 0002-Don-t-convert-as-url-an-url-which-has-a.patch
+Patch1:         0002-Don-t-convert-as-url-an-url-which-has-a.patch
 Source1:        baselibs.conf
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
@@ -78,6 +82,8 @@
 %lang_package
 %prep
 %setup -q
+%patch0 -p1
+%patch1 -p1
 
 %build
   %cmake_kf5 -d build -- -Dlconvert_executable=%{_kf5_libdir}/qt5/bin/lconvert 
-DKDE4_DEFAULT_HOME=".kde4"

++++++ 0001-Fix-very-old-bug-when-we-remove-space-in-url-as-foo-.patch ++++++
>From 5d661f9c1e384402814f4488881059ef79a0f0c8 Mon Sep 17 00:00:00 2001
From: Montel Laurent <[email protected]>
Date: Wed, 21 Sep 2016 07:24:30 +0200
Subject: [PATCH 1/2] Fix very old bug when we remove space in url as "foo
 <<url> <url>>"

(cherry picked from commit 1be7272373d60e4234f1a5584e676b579302b053)
---
 autotests/ktexttohtmltest.cpp | 14 ++++++++++++++
 src/lib/text/ktexttohtml.cpp  | 14 ++++++++++++--
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
index 474f0ca..8fc0c56 100644
--- a/autotests/ktexttohtmltest.cpp
+++ b/autotests/ktexttohtmltest.cpp
@@ -30,6 +30,15 @@ QTEST_MAIN(KTextToHTMLTest)
 
 Q_DECLARE_METATYPE(KTextToHTML::Options)
 
+#ifndef Q_OS_WIN
+void initLocale()
+{
+    setenv("LC_ALL", "en_US.utf-8", 1);
+}
+Q_CONSTRUCTOR_FUNCTION(initLocale)
+#endif
+
+
 void KTextToHTMLTest::testGetEmailAddress()
 {
     // empty input
@@ -372,6 +381,11 @@ void KTextToHTMLTest::testHtmlConvert_data()
     QTest::newRow("url-in-parenthesis-3") << "bla (http://www.kde.org - 
section 5.2)"
                                           << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
                                           << "bla (<a 
href=\"http://www.kde.org\";>http://www.kde.org</a> - section 5.2)";
+    
+   // Fix url as foo <<url> <url>> when we concatened them.
+   QTest::newRow("url-with-url") << "foo <http://www.kde.org/ 
<http://www.kde.org/>>"
+                               << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+                               << "foo &lt;<a href=\"http://www.kde.org/ 
\">http://www.kde.org/ </a>&lt;<a 
href=\"http://www.kde.org/\";>http://www.kde.org/</a>&gt;&gt;";
 }
 
 
diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp
index 8ed923d..b181f56 100644
--- a/src/lib/text/ktexttohtml.cpp
+++ b/src/lib/text/ktexttohtml.cpp
@@ -228,11 +228,19 @@ QString KTextToHTMLHelper::getUrl()
 
         url.reserve(mMaxUrlLen);    // avoid allocs
         int start = mPos;
+        bool previousCharIsSpace = false;
         while ((mPos < mText.length()) &&
                 (mText[mPos].isPrint() || mText[mPos].isSpace()) &&
                 ((afterUrl.isNull() && !mText[mPos].isSpace()) ||
                  (!afterUrl.isNull() && mText[mPos] != afterUrl))) {
-            if (!mText[mPos].isSpace()) {     // skip whitespace
+            if (mText[mPos].isSpace()) {
+                previousCharIsSpace = true;
+            } else { // skip whitespace
+                if (previousCharIsSpace && mText[mPos] == QLatin1Char('<')) {
+                    url.append(QLatin1Char(' '));
+                    break;
+                }
+                previousCharIsSpace = false;
                 url.append(mText[mPos]);
                 if (url.length() > mMaxUrlLen) {
                     break;
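Review bot: The added branch appends a literal space to `url` before `break`, so the returned URL carries a trailing space, and the new `url-with-url` test row pins that space inside the `href` value (`href="http://www.kde.org/ "`). If the space is only meant to keep the two links visually apart, it would be cleaner to leave `url` untouched and let the caller emit the separator, so the attribute holds only the address. The `// skip whitespace` comment now sits on the non-whitespace arm; move it to the first arm, e.g. `if (mText[mPos].isSpace()) { // skip whitespace, but remember it was seen`. getUrl's body starts and ends outside this hunk.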
@@ -267,7 +275,6 @@ QString KTextToHTMLHelper::getUrl()
             }
         } while (url.length() > 1);
     }
-
     return url;
 }
 
@@ -334,6 +341,7 @@ QString KTextToHTML::convertToHtml(const QString 
&plainText, const KTextToHTML::
     QChar ch;
     int x;
     bool startOfLine = true;
+    //qDebug()<<" plainText"<<plainText;
 
     for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length();
             ++helper.mPos, ++x) {
@@ -402,6 +410,7 @@ QString KTextToHTML::convertToHtml(const QString 
&plainText, const KTextToHTML::
             const int start = helper.mPos;
             if (!(flags & IgnoreUrls)) {
                 str = helper.getUrl();
+                //qDebug()<<" str"<<str;
                 if (!str.isEmpty()) {
                     QString hyperlink;
                     if (str.left(4) == QLatin1String("www.")) {
@@ -455,6 +464,7 @@ QString KTextToHTML::convertToHtml(const QString 
&plainText, const KTextToHTML::
 
         result = helper.emoticonsInterface()->parseEmoticons(result, true, 
exclude);
     }
+    //qDebug()<<" result "<<result;
 
     return result;
 }
-- 
2.10.0

++++++ 0002-Don-t-convert-as-url-an-url-which-has-a.patch ++++++
>From 95d1e2b15456a9af50cd80c925e1471a9646e50d Mon Sep 17 00:00:00 2001
From: Montel Laurent <[email protected]>
Date: Fri, 30 Sep 2016 13:21:45 +0200
Subject: [PATCH 2/2] Don't convert as url an url which has a "

(cherry picked from commit 96e562d9138c100498da38e4c5b4091a226dde12)
---
 autotests/ktexttohtmltest.cpp |  6 ++++++
 src/lib/text/ktexttohtml.cpp  | 25 +++++++++++++++++++------
 src/lib/text/ktexttohtml_p.h  |  2 +-
 3 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
index 8fc0c56..c5690e8 100644
--- a/autotests/ktexttohtmltest.cpp
+++ b/autotests/ktexttohtmltest.cpp
@@ -386,6 +386,12 @@ void KTextToHTMLTest::testHtmlConvert_data()
    QTest::newRow("url-with-url") << "foo <http://www.kde.org/ 
<http://www.kde.org/>>"
                                << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
                                << "foo &lt;<a href=\"http://www.kde.org/ 
\">http://www.kde.org/ </a>&lt;<a 
href=\"http://www.kde.org/\";>http://www.kde.org/</a>&gt;&gt;";
+
+   //Fix url exploit
+   QTest::newRow("url-exec-html") << "https://\";><!--"
+                               << 
KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+                               << "https://\";><!--";
+
 }
 
 
diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp
index b181f56..09b2483 100644
--- a/src/lib/text/ktexttohtml.cpp
+++ b/src/lib/text/ktexttohtml.cpp
@@ -156,7 +156,6 @@ bool KTextToHTMLHelper::atUrl()
              (allowedSpecialChars.indexOf(mText[mPos - 1]) != -1))) {
         return false;
     }
-
     QChar ch = mText[mPos];
     return
         (ch == QLatin1Char('h') && (mText.mid(mPos, 7) == 
QLatin1String("http://";) ||
@@ -192,7 +191,7 @@ bool KTextToHTMLHelper::isEmptyUrl(const QString &url)
            url == QLatin1String("news://";);
 }
 
-QString KTextToHTMLHelper::getUrl()
+QString KTextToHTMLHelper::getUrl(bool *badurl)
 {
     QString url;
     if (atUrl()) {
@@ -229,6 +228,7 @@ QString KTextToHTMLHelper::getUrl()
         url.reserve(mMaxUrlLen);    // avoid allocs
         int start = mPos;
         bool previousCharIsSpace = false;
+        bool previousCharIsADoubleQuote = false;
         while ((mPos < mText.length()) &&
                 (mText[mPos].isPrint() || mText[mPos].isSpace()) &&
                 ((afterUrl.isNull() && !mText[mPos].isSpace()) ||
@@ -241,6 +241,18 @@ QString KTextToHTMLHelper::getUrl()
                     break;
                 }
                 previousCharIsSpace = false;
+                if (mText[mPos] == QLatin1Char('>') && 
previousCharIsADoubleQuote) {
+                    //it's an invalid url
+                    if (badurl) {
+                        *badurl = true;
+                    }
+                    return QString();
+                }
+                if (mText[mPos] == QLatin1Char('"')) {
+                    previousCharIsADoubleQuote = true;
+                } else {
+                    previousCharIsADoubleQuote = false;
+                }
                 url.append(mText[mPos]);
                 if (url.length() > mMaxUrlLen) {
                     break;
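Review bot: The new check rejects a URL only when `>` follows a `"`; a double quote followed by any other character is still appended to `url`. If the caller writes `url` into the `href` attribute without escaping (that code is outside this hunk, as is the rest of getUrl), such a quote would still end the attribute value early. Rejecting on the quote itself is stricter and makes `previousCharIsADoubleQuote` unnecessary: `if (mText[mPos] == QLatin1Char('"')) { if (badurl) { *badurl = true; } return QString(); }`. The early `return QString()` also appears to leave `mPos` advanced past `start`, so a `mPos = start;` before it would keep callers that rely on the default `badurl = Q_NULLPTR` consistent. The `url-exec-html` test row covers only the single `">` input; a row with a quote that is not followed by `>` would pin the stricter behaviour.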
@@ -341,7 +353,6 @@ QString KTextToHTML::convertToHtml(const QString 
&plainText, const KTextToHTML::
     QChar ch;
     int x;
     bool startOfLine = true;
-    //qDebug()<<" plainText"<<plainText;
 
     for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length();
             ++helper.mPos, ++x) {
@@ -409,8 +420,11 @@ QString KTextToHTML::convertToHtml(const QString 
&plainText, const KTextToHTML::
         } else {
             const int start = helper.mPos;
             if (!(flags & IgnoreUrls)) {
-                str = helper.getUrl();
-                //qDebug()<<" str"<<str;
+                bool badUrl = false;
+                str = helper.getUrl(&badUrl);
+                if (badUrl) {
+                    return helper.mText;
+                }
                 if (!str.isEmpty()) {
                     QString hyperlink;
                     if (str.left(4) == QLatin1String("www.")) {
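Review bot: On `badUrl` the function returns `helper.mText` unchanged, so a function whose result is otherwise HTML hands back what appears to be the raw plain-text input. The `url-exec-html` test row expects output identical to its input, which confirms that `"`, `<` and `>` pass through unescaped. Whatever was already accumulated in `result`, and the handling selected by `flags`, is discarded on this path as well. Escaping the fallback keeps the return value safe to place in an HTML view: `return helper.mText.toHtmlEscaped();`, with the test expectation updated to the escaped form. convertToHtml's body starts and ends outside this hunk.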
@@ -464,7 +478,6 @@ QString KTextToHTML::convertToHtml(const QString 
&plainText, const KTextToHTML::
 
         result = helper.emoticonsInterface()->parseEmoticons(result, true, 
exclude);
     }
-    //qDebug()<<" result "<<result;
 
     return result;
 }
diff --git a/src/lib/text/ktexttohtml_p.h b/src/lib/text/ktexttohtml_p.h
index 74ad7a0..fc43613 100644
--- a/src/lib/text/ktexttohtml_p.h
+++ b/src/lib/text/ktexttohtml_p.h
@@ -49,7 +49,7 @@ public:
     QString getEmailAddress();
     bool atUrl();
     bool isEmptyUrl(const QString &url);
-    QString getUrl();
+    QString getUrl(bool *badurl = Q_NULLPTR);
     QString pngToDataUrl(const QString &pngPath);
     QString highlightedText();
 
-- 
2.10.0

