Fwd: [kdelibs/KDE/4.10] kioslave/http: Don't show passwords contained in HTTP URLs in error messages

Allen Winter winter at kde.org
Thu May 9 10:29:08 UTC 2013


On Thursday, May 09, 2013 06:06:58 AM Johannes Huber wrote:
> On Wednesday, 8 May 2013, 19:50:03, Allen Winter wrote:
> > Packagers,
> > 
> > You might consider hot-patching your kdelibs with this.
> > The code that conceivably might display a user password has been in kdelibs
> > since 2009-07-08. Probably means whatever kdelibs 4.x you are shipping needs
> > this fix.
> > 
> > 
> > ----------  Forwarded Message  ----------
> > 
> > Subject: [kdelibs/KDE/4.10] kioslave/http: Don't show passwords contained in
> > HTTP URLs in error messages
> > Date: Wednesday, May 08, 2013, 11:38:51 PM
> > From: Grégory Oestreicher <greg at kamago.net>
> > To: kde-commits at kde.org
> > 
> > Git commit 65d736dab592bced4410ccfa4699de89f78c96ca by Grégory Oestreicher.
> > Committed on 08/05/2013 at 23:16.
> > Pushed by goestreicher into branch 'KDE/4.10'.
> > 
> > Don't show passwords contained in HTTP URLs in error messages
> > BUG: 319428
> > 
> > M  +3    -3    kioslave/http/http.cpp
> > 
> > http://commits.kde.org/kdelibs/65d736dab592bced4410ccfa4699de89f78c96ca
> > 
> > diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp
> > index 2d139a9..129fc7b 100644
> > --- a/kioslave/http/http.cpp
> > +++ b/kioslave/http/http.cpp
> > @@ -3056,7 +3056,7 @@ try_again:
> >              ; // Ignore error
> >          } else {
> >              if (!sendErrorPageNotification()) {
> > -                error(ERR_INTERNAL_SERVER, m_request.url.url());
> > +                error(ERR_INTERNAL_SERVER, m_request.url.prettyUrl());
> >                  return false;
> >              }
> >          }
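Review bot: The error(ERR_INTERNAL_SERVER, ...) call now depends on prettyUrl() leaving the password out of the string, but nothing at the call site says so. A one-line comment above it, for example "// prettyUrl(): the error text must not expose credentials from the URL", would keep a later cleanup from switching the argument back to url().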
> > @@ -3072,9 +3072,9 @@ try_again:
> >          // Tell that we will only get an error page here.
> >          if (!sendErrorPageNotification()) {
> >              if (m_request.responseCode == 403)
> > -                error(ERR_ACCESS_DENIED, m_request.url.url());
> > +                error(ERR_ACCESS_DENIED, m_request.url.prettyUrl());
> >              else
> > -                error(ERR_DOES_NOT_EXIST, m_request.url.url());
> > +                error(ERR_DOES_NOT_EXIST, m_request.url.prettyUrl());
> >              return false;
> >          }
> >      } else if (m_request.responseCode >= 301 && m_request.responseCode<=
> > 303) {
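Review bot: The 403 and not-found branches now repeat the same m_request.url.prettyUrl() expression in both error() calls; building the display string once before the "if (m_request.responseCode == 403)" test and passing it to both calls would keep the redaction in one place. The diff changes only three call sites, all under try_again, so the rest of http.cpp is worth checking for other error() calls that still pass m_request.url.url().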
> > 
> 
> Hello Allen,
> 
> thanks for the patch. Is there a CVE for this issue?
> 
No.  This came about from a normal user bug report 319428 we saw in kdepim a couple days ago.

-Allen

