Porting KUrl::prettyUrl: please do not reintroduce CVE-2013-2074!

Kevin Kofler kevin.kofler at chello.at
Fri Oct 17 01:53:25 BST 2014


Hi,

just a small public service announcement: The correct replacement for:
url.prettyUrl()
in Qt 5 is NOT:
url.toString() // BAD!
but:
url.toString(QUrl::RemovePassword)

The old KUrl::prettyUrl() always removed passwords. You DON'T want to show 
passwords in user output:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2074

(I found this reviewing the initial port of Kompare.)

Thanks for reading,
        Kevin Kofler
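
The check described in this message can be run over a ported source tree. The script below is an added example, not part of the original post or of any KDE project; `audit_url_port`, `make_sample` and the sample source are hypothetical and constructed. It is a text heuristic that assumes URL variables or accessors have "url" in their name, so every hit needs a manual look.

```shell
#!/bin/sh
# Added example: heuristic audit for a KUrl -> QUrl port.

# Argument-less toString() on a receiver whose name contains "url",
# or a prettyUrl() call that has not been ported yet.
PAT='[Uu][Rr][Ll][A-Za-z0-9_]*(\(\))?[[:space:]]*(\.|->)[[:space:]]*toString[[:space:]]*\([[:space:]]*\)|prettyUrl[[:space:]]*\('

audit_url_port() {
    # $1: root of the source tree. Prints file:line:text for each hit.
    find "$1" -type f \( -name '*.cpp' -o -name '*.h' \) \
        -exec grep -nHE -e "$PAT" {} + || true
}

make_sample() {
    # Constructed sample source, not taken from Kompare or any real project.
    dir=$(mktemp -d)
    cat > "$dir/sample.cpp" <<'EOF'
// constructed sample for the audit
label->setText(url.toString());
status->setText(m_sourceUrl.toString( ));
tip->setToolTip(item->url().toString());
title->setText(url.toString(QUrl::RemovePassword));
old->setText(url.prettyUrl());
date->setText(when.toString());
EOF
    echo "$dir"
}

# Demo on the constructed sample; call audit_url_port on a real tree instead.
demo_dir=$(make_sample)
audit_url_port "$demo_dir"
rm -rf "$demo_dir"
```

Lines already using `toString(QUrl::RemovePassword)` and `toString()` calls on non-URL receivers are not reported.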




