PATCH: kdelibs/kdecore/kstringhandler.cpp tagURLs() method

Stephan Hermann sh at kde-coder.de
Thu Jul 11 06:48:38 BST 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Marc,

On Wednesday 10 July 2002 19:56, Marc Mutz wrote:
> On Wednesday 10 July 2002 09:57, Scott Wheeler wrote:
> > -    /*static*/ QRegExp
> > urlEx("(www\\.|(f|ht)tp(|s)://)[\\d\\w./,:_~\\?=&;#-]+[\\d\\w/]"); -
> > +    QRegExp
> > urlEx("(www\\.|ftp\\.|(f|ht)tp(|s):\\/\\/)[\\d\\w.\\/\\,\\:\\_\\~\\?\
> >\=\\&\\;\\#\\-]+[\\d\\w\\/]");
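Review bot: on the `+` line the only functional change is the new `ftp\\.` alternative; everything else is added backslashes inside the character class (`\\,`, `\\:`, `\\_`, `\\~`, `\\=`, `\\&`, `\\;`, `\\#`, `\\/`) and before the `//` of the scheme, none of which the regex engine needs, and they make the diff hard to review. Suggest keeping the class exactly as on the `-` line, adding only `ftp\\.`, and writing the optional `s` as `s?` rather than `(|s)`; `\\d` is also redundant next to `\\w`, which already matches digits.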
>
> This inflation of LTS[1] is not needed, IMO.

;) 

> Also, for speed, the parentheses (foo) should be written as the
> non-capturing (and very much faster) version (?:foo). The use of cap(1)
> can be replaced with something like href.beginsWith( "www." ) and
> href.beginsWith( "ftp." ).

Is it not the same? Whether I use QRegExp::cap() to determine the beginning of the 
hostname, or non-capturing parentheses to look ahead and then 
ask via "if()" and QString methods?
I need to have a look with gprof in this case.


> There is a "format string vulnerability" in that if href contains "%1"
> or "%0" (not unlikely for a URL), then the second .arg() will place
> the href wrongly, obviously. That's something you always have to keep
> in mind when using QString::arg() and user-supplied text: multiple
> .arg() calls can be tricked into replacing the wrong stuff! Will send
> something to qt-bugs regarding this.

Well, that is true. (Trolltech's implementation mistake ;)) The only safe way 
is to escape those placeholders, e.g. before you use the QString::arg() 
method, you have to do something like this: 
href.replace(QRegExp("%\\d"), "");
(the empty string is a little bit too hard ;))

> And a nitpick: QString hrefProtocol shouldn't get "" assigned to.

Old programmer's style :(

After all, I'm searching for a better URL regexp with increased speed.
But please also check the old version of KStringHandler::tagURLs; you can 
find the same format string vulnerability there.

Regards,

\sh


- -- 
St. Hermann, Troisdorf
One solution for a simple problem: A7 B4 C2 D5 E8 F1 G3 H6
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9LRw6V8AnusWiV6wRAnVIAJ96vrzerVy/J+8V8UKMhC+vXSJPCgCeJfM4
nhs0sLpvEcyRE0SXcgCVPrc=
=1jFu
-----END PGP SIGNATURE-----
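The QString::arg() pitfall Marc describes above, as an added example that is not part of this thread, of kdelibs or of Qt. It models arg()'s "replace the lowest-numbered %n marker" behaviour with std::string so it builds without Qt, and puts three variants side by side: the sequential .arg(href).arg(text) form, Stephan's strip-the-placeholders mitigation, and a single-pass substitution (what Qt's multi-argument arg(a1, a2) overload does). The template `<a href="%1">%2</a>`, the helper names, the sample URL and the single-digit marker limit are assumptions of the example, not taken from tagURLs().

```cpp
// Added example (not kdelibs or Qt code): models the QString::arg() pitfall
// from the thread with std::string so it compiles without Qt. Each arg()
// call replaces every occurrence of the LOWEST-numbered %n marker left in
// the string, which is why a "%1" smuggled in by the first substitution
// hijacks the second one. Assumptions: only single-digit markers %0..%9 are
// modelled (Qt allows %1..%99), and "<a href=\"%1\">%2</a>" stands in for
// whatever tagURLs() really builds.
#include <iostream>
#include <regex>
#include <string>
#include <vector>

// Lowest marker number %0..%9 present in s, or -1 if there is none.
static int lowestMarker(const std::string &s) {
    int lowest = -1;
    for (size_t i = 0; i + 1 < s.size(); ++i) {
        if (s[i] == '%' && s[i + 1] >= '0' && s[i + 1] <= '9') {
            int n = s[i + 1] - '0';
            if (lowest < 0 || n < lowest) lowest = n;
        }
    }
    return lowest;
}

// Model of str.arg(a): replace all occurrences of the lowest marker with a.
static std::string argModel(std::string s, const std::string &a) {
    int n = lowestMarker(s);
    if (n < 0) return s;               // nothing to replace
    const std::string marker = "%" + std::to_string(n);
    size_t pos = 0;
    while ((pos = s.find(marker, pos)) != std::string::npos) {
        s.replace(pos, marker.size(), a);
        pos += a.size();               // do not rescan the inserted text
    }
    return s;
}

// Vulnerable pattern from the thread: tmpl.arg(href).arg(text). The second
// call scans the whole string again, including the href inserted by the
// first call, so a "%1" inside the href is what gets replaced.
static std::string tagSequential(const std::string &href, const std::string &text) {
    std::string s = "<a href=\"%1\">%2</a>";
    s = argModel(s, href);
    s = argModel(s, text);
    return s;
}

// Stephan's mitigation: strip "%<digit>" from user text before arg().
// It avoids the misplacement but silently mangles the URL.
static std::string stripMarkers(const std::string &s) {
    return std::regex_replace(s, std::regex("%\\d"), "");
}

// Hardened pattern: substitute every marker in ONE pass over the template,
// so text inserted for one marker is never scanned for further markers.
// This is what Qt's multi-argument arg(a1, a2) overload does; modelled here.
static std::string tagSinglePass(const std::string &href, const std::string &text) {
    const std::string tmpl = "<a href=\"%1\">%2</a>";
    const std::vector<std::string> args = {href, text};
    std::string out;
    for (size_t i = 0; i < tmpl.size(); ++i) {
        if (tmpl[i] == '%' && i + 1 < tmpl.size()
            && tmpl[i + 1] >= '1' && tmpl[i + 1] <= '9') {
            size_t n = tmpl[i + 1] - '1';       // %1 -> args[0], %2 -> args[1]
            if (n < args.size()) { out += args[n]; ++i; continue; }
        }
        out += tmpl[i];
    }
    return out;
}

int main() {
    // Constructed sample: a URL whose query string happens to contain "%1".
    const std::string href = "http://www.example.com/?q=%1";
    const std::string text = "example";
    std::cout << "sequential : " << tagSequential(href, text) << "\n";
    std::cout << "stripped   : " << tagSequential(stripMarkers(href), text) << "\n";
    std::cout << "single pass: " << tagSinglePass(href, text) << "\n";
    return 0;
}
```

With the sample URL, the sequential form ends up with the link text inside the href and a bare `%2` left in the output, the stripped form keeps the markup intact but loses part of the URL, and the single-pass form is the only one that reproduces both inputs unchanged. The same hijack works with `%0` or any lower-numbered marker than the ones still pending in the template.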

More information about the kde-core-devel mailing list