Hello community,

here is the log from the commit of package kio for openSUSE:Factory checked in 
at 2017-03-03 17:30:57
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/kio (Old)
 and      /work/SRC/openSUSE:Factory/.kio.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "kio"

Fri Mar  3 17:30:57 2017 rev:43 rq:461718 version:5.31.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/kio/kio.changes  2017-02-03 17:45:15.376539096 
+0100
+++ /work/SRC/openSUSE:Factory/.kio.new/kio.changes     2017-03-03 
17:30:59.207995820 +0100
@@ -1,0 +2,13 @@
+Wed Mar  1 21:02:49 UTC 2017 - [email protected]
+
+- Add patch to fix security issue with proxy configuration (boo#1027520)
+  * sanitize-url-for-proxy.patch
+
+-------------------------------------------------------------------
+Thu Feb  9 09:30:01 UTC 2017 - [email protected]
+
+- Update to 5.31.0
+  * For more details please see:
+    https://www.kde.org/announcements/kde-frameworks-5.31.0.php
+
+-------------------------------------------------------------------

Old:
----
  kio-5.30.0.tar.xz

New:
----
  kio-5.31.0.tar.xz
  sanitize-url-for-proxy.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ kio.spec ++++++
--- /var/tmp/diff_new_pack.zIlUPE/_old  2017-03-03 17:31:00.579801998 +0100
+++ /var/tmp/diff_new_pack.zIlUPE/_new  2017-03-03 17:31:00.583801433 +0100
@@ -17,9 +17,9 @@
 
 
 %bcond_without lang
-%define _tar_path 5.30
+%define _tar_path 5.31
 Name:           kio
-Version:        5.30.0
+Version:        5.31.0
 Release:        0
 %define kf5_version %{version}
 BuildRequires:  cmake >= 3.0
@@ -49,15 +49,15 @@
 BuildRequires:  libacl-devel
 BuildRequires:  libattr-devel
 BuildRequires:  solid-devel >= %{_tar_path}
-BuildRequires:  cmake(Qt5Concurrent) >= 5.5.0
-BuildRequires:  cmake(Qt5Core) >= 5.5.0
-BuildRequires:  cmake(Qt5DBus) >= 5.5.0
-BuildRequires:  cmake(Qt5Network) >= 5.5.0
-BuildRequires:  cmake(Qt5Script) >= 5.5.0
-BuildRequires:  cmake(Qt5Test) >= 5.5.0
-BuildRequires:  cmake(Qt5Widgets) >= 5.5.0
-BuildRequires:  cmake(Qt5X11Extras) >= 5.5.0
-BuildRequires:  cmake(Qt5Xml) >= 5.5.0
+BuildRequires:  cmake(Qt5Concurrent) >= 5.6.0
+BuildRequires:  cmake(Qt5Core) >= 5.6.0
+BuildRequires:  cmake(Qt5DBus) >= 5.6.0
+BuildRequires:  cmake(Qt5Network) >= 5.6.0
+BuildRequires:  cmake(Qt5Script) >= 5.6.0
+BuildRequires:  cmake(Qt5Test) >= 5.6.0
+BuildRequires:  cmake(Qt5Widgets) >= 5.6.0
+BuildRequires:  cmake(Qt5X11Extras) >= 5.6.0
+BuildRequires:  cmake(Qt5Xml) >= 5.6.0
 BuildRequires:  pkgconfig(openssl)
 BuildRequires:  pkgconfig(x11)
 Requires:       %{name}-core = %{version}
@@ -75,6 +75,8 @@
 Source1:        baselibs.conf
 # PATCH-FIX-OPENSUSE kio_help-fallback-to-kde4-docs.patch -- allow kio_help to 
see into kde4 documentation, needed especially for khelpcenter5
 Patch0:         kio_help-fallback-to-kde4-docs.patch
+# PATCH-FIX-UPSTREAM sanitize-url-for-proxy.patch
+Patch1:         sanitize-url-for-proxy.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 
 %description
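Review bot: The added `# PATCH-FIX-UPSTREAM sanitize-url-for-proxy.patch` line carries no bug reference and no rationale, unlike the Patch0 line just above it, which follows the `name -- reason` form. The changelog hunk already cites boo#1027520, so the tag line could read `# PATCH-FIX-UPSTREAM sanitize-url-for-proxy.patch boo#1027520 -- strip user info (and, for https, path and query) from URLs before handing them to the PAC script`. That keeps the security motivation next to the Patch1 declaration, where a packager dropping patches on the next version bump will see it.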
@@ -84,8 +86,8 @@
 
 %package core
 Summary:        Network transparent access to files and data
-Group:          System/GUI/KDE
 # core subpackage created with 5.9.0
+Group:          System/GUI/KDE
 Conflicts:      kio <= 5.8.0
 
 %description core
@@ -109,7 +111,7 @@
 Requires:       kservice-devel >= %{_tar_path}
 Requires:       kxmlgui-devel >= %{_tar_path}
 Requires:       solid-devel >= %{_tar_path}
-Requires:       cmake(Qt5Network) >= 5.5.0
+Requires:       cmake(Qt5Network) >= 5.6.0
 
 %description devel
 This framework implements almost all the file management functions you
@@ -121,6 +123,7 @@
 %prep
 %setup -q
 %patch0 -p1
+%patch1 -p1
 
 %build
   %cmake_kf5 -d build

++++++ kio-5.30.0.tar.xz -> kio-5.31.0.tar.xz ++++++
++++ 35620 lines of diff (skipped)

++++++ sanitize-url-for-proxy.patch ++++++
>From f9d0cb47cf94e209f6171ac0e8d774e68156a6e4 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <[email protected]>
Date: Tue, 28 Feb 2017 19:00:48 +0100
Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL

Remove user/password information
For https: remove path and query

Thanks to safebreach.com for reporting the problem

CCMAIL: [email protected]
CCMAIL: [email protected]
CCMAIL: [email protected]
---
 src/kpac/script.cpp | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
index a0235f7..2485c54 100644
--- a/src/kpac/script.cpp
+++ b/src/kpac/script.cpp
@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
         }
     }
 
+    QUrl cleanUrl = url;
+    cleanUrl.setUserInfo(QString());
+    if (cleanUrl.scheme() == QLatin1String("https")) {
+        cleanUrl.setPath(QString());
+        cleanUrl.setQuery(QString());
+    }
+
     QScriptValueList args;
-    args << url.url();
-    args << url.host();
+    args << cleanUrl.url();
+    args << cleanUrl.host();
 
     QScriptValue result = func.call(QScriptValue(), args);
     if (result.isError()) {
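Review bot: The fragment is still handed to the PAC script: the new code clears user info, and for https also path and query, but `cleanUrl.url()` on the `args << cleanUrl.url();` line keeps any `#...` part, which is client-only data that was presumably meant to be withheld along with path and query. Adding `cleanUrl.setFragment(QString());` inside the https branch next to `setPath`/`setQuery` (or passing `QUrl::RemoveFragment` to `url()`) closes that gap without changing the rest of the logic. The non-https branch deliberately keeps path and query, per the commit message, so a one-line comment above the `if` stating that the full URL is intentionally passed for plain http would help the next reader. Script::evaluate starts and ends outside the hunk.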
