Porting KUrl::prettyUrl: please do not reintroduce CVE-2013-2074!
Kevin Kofler
kevin.kofler at chello.at
Fri Oct 17 01:53:25 BST 2014
Hi,
just a small public service announcement: The correct replacement for:
    url.prettyUrl()
in Qt 5 is NOT:
    url.toString() // BAD!
but:
    url.toString(QUrl::RemovePassword)
The old KUrl::prettyUrl() always removed passwords. You DON'T want to show
passwords in user output:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2074
(I found this reviewing the initial port of Kompare.)
Thanks for reading,
Kevin Kofler
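
One way to check a ported source file for the pattern described in the message above. This is an added example, not part of the original post or of any KDE tooling. It is a text heuristic that assumes the QUrl/KUrl variables are declared in the file being scanned; the function name and the sample source are constructed for illustration.

```python
import re

# Declarations such as "QUrl url", "const QUrl &source", "KUrl *dest".
# "QUrl::RemovePassword" and "QUrl(...)" do not match: no identifier follows.
DECL = re.compile(r"\b[QK]Url\b\s*(?:const\s*)?[&*]?\s*([A-Za-z_]\w*)")


def find_unredacted_tostring(source):
    """Return (line_number, line) for bare toString() calls on QUrl/KUrl names.

    A bare call keeps the password in the output string; a call with any
    argument (e.g. QUrl::RemovePassword) is not reported.
    """
    names = set(DECL.findall(source))
    if not names:
        return []
    alternatives = "|".join(re.escape(n) for n in sorted(names))
    call = re.compile(r"\b(?:%s)\s*(?:\.|->)\s*toString\s*\(\s*\)" % alternatives)
    hits = []
    for number, line in enumerate(source.splitlines(), start=1):
        if call.search(line):
            hits.append((number, line.strip()))
    return hits


# Constructed sample of freshly ported code (hypothetical class and members).
SAMPLE = '''\
void Window::showTarget(const QUrl &target, KUrl *mirror)
{
    QUrl local = QUrl::fromLocalFile(path);
    statusBar()->showMessage(target.toString());
    label->setText(mirror->toString( ));
    log(local.toString(QUrl::RemovePassword));
    title = name.toString();
}
'''

if __name__ == "__main__":
    for number, line in find_unredacted_tostring(SAMPLE):
        print("line %d: %s" % (number, line))
```

Each hit still needs a human look: a bare toString() is only a problem where the result reaches user-visible output, and calls on temporaries or on variables declared in another file are not seen by this check.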