Re: Porting KUrl::prettyUrl: please do not reintroduce CVE-2013-2074!

2014-10-18 Thread Andrea Iacovitti
url.toDisplayString() should be equivalent to calling
url.toString(QUrl::RemovePassword)

 Andrea

Re: Porting KUrl::prettyUrl: please do not reintroduce CVE-2013-2074!

2014-10-17 Thread Kevin Kofler
I wrote:
 just a small public service announcement: The correct replacement for:
 url.prettyUrl()
 in Qt 5 is NOT:
 url.toString() // BAD!
 but:
 url.toString(QUrl::RemovePassword)
or, even better:
url.toDisplayString()
as pointed out by Andrea Iacovitti. (I guess his message is pending 
moderation.)

Kevin Kofler



Re: Porting KUrl::prettyUrl: please do not reintroduce CVE-2013-2074!

2014-10-16 Thread Dawit A
I personally think QUrl should remove the password by default when
converting to string and force the caller of the API to explicitly request the
inclusion of the password, say by changing the modifier option to a
QUrl::IncludePassword. It is better to be safer out of the box.

On Thu, Oct 16, 2014 at 8:53 PM, Kevin Kofler kevin.kof...@chello.at
wrote:

 Hi,

 just a small public service announcement: The correct replacement for:
 url.prettyUrl()
 in Qt 5 is NOT:
 url.toString() // BAD!
 but:
 url.toString(QUrl::RemovePassword)

 The old KUrl::prettyUrl() always removed passwords. You DON'T want to show
 passwords in user output:
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2074

 (I found this reviewing the initial port of Kompare.)

 Thanks for reading,
 Kevin Kofler
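As an added illustration (not code from this thread, and not Qt or KDE code): a stand-alone C++ function that mirrors what the old KUrl::prettyUrl() did and what QUrl::toString(QUrl::RemovePassword) / QUrl::toDisplayString() do to the userinfo component, so the difference between the "BAD" and the safe replacement can be seen without a Qt build. The function name removePassword and the sample URLs are constructed for the example; the parsing follows RFC 3986's authority layout (userinfo ends at the last '@' before the path, query or fragment) rather than QUrl's actual implementation.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Illustrative stand-in for QUrl::RemovePassword semantics (assumption: not Qt code).
// Strips ":password" from the userinfo of a URL's authority and leaves
// everything else untouched. URLs without an authority (mailto:, etc.),
// without userinfo, or with a user but no password are returned unchanged.
std::string removePassword(const std::string& url)
{
    // An authority component only exists after "scheme://".
    const std::size_t schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos)
        return url;                                  // e.g. mailto:alice@example.org
    const std::size_t authStart = schemeEnd + 3;

    // The authority ends at the first '/', '?' or '#' that follows it.
    std::size_t authEnd = url.find_first_of("/?#", authStart);
    if (authEnd == std::string::npos)
        authEnd = url.size();

    // userinfo ends at the last '@' inside the authority; a host may not
    // contain a literal '@', and '@' in the path or query must be ignored.
    const std::size_t at = url.rfind('@', authEnd);
    if (at == std::string::npos || at < authStart)
        return url;                                  // no userinfo at all

    // The password starts at the first ':' inside the userinfo. A ':' after
    // the '@' belongs to the port, not to the credentials.
    const std::size_t colon = url.find(':', authStart);
    if (colon == std::string::npos || colon > at)
        return url;                                  // user name only

    return url.substr(0, colon) + url.substr(at);
}

int main()
{
    // Constructed sample: the kind of URL a file manager or diff viewer shows.
    const std::string url = "ftp://alice:s3cret@files.example.org/pub/";
    std::cout << "BAD  (plain toString):   " << url << '\n';
    std::cout << "safe (RemovePassword):   " << removePassword(url) << '\n';
    return 0;
}
```

Any place a ported code base turns a QUrl into text for a window title, a status bar, a log line or an error dialog is a candidate for the same check: the rendered string must be the RemovePassword form, never the plain one.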