File 0002-Don-t-convert-as-url-an-url-which-has-a.patch of Package kcoreaddons
From 95d1e2b15456a9af50cd80c925e1471a9646e50d Mon Sep 17 00:00:00 2001
From: Montel Laurent <montel@kde.org>
Date: Fri, 30 Sep 2016 13:21:45 +0200
Subject: [PATCH 2/2] Don't convert as url an url which has a "
(cherry picked from commit 96e562d9138c100498da38e4c5b4091a226dde12)
---
 autotests/ktexttohtmltest.cpp | 6 ++++++
 src/lib/text/ktexttohtml.cpp | 25 +++++++++++++++++++------
 src/lib/text/ktexttohtml_p.h | 2 +-
 3 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/autotests/ktexttohtmltest.cpp b/autotests/ktexttohtmltest.cpp
index 8fc0c56..c5690e8 100644
--- a/autotests/ktexttohtmltest.cpp
+++ b/autotests/ktexttohtmltest.cpp
@@ -386,6 +386,12 @@ void KTextToHTMLTest::testHtmlConvert_data()
 QTest::newRow("url-with-url") << "foo <http://www.kde.org/ <http://www.kde.org/>>" << KTextToHTML::Options(KTextToHTML::PreserveSpaces) << "foo <<a href=\"http://www.kde.org/ \">http://www.kde.org/ </a><<a href=\"http://www.kde.org/\">http://www.kde.org/</a>>>";
+
+ //Fix url exploit
+ QTest::newRow("url-exec-html") << "https://\"><!--"
+ << KTextToHTML::Options(KTextToHTML::PreserveSpaces)
+ << "https://\"><!--";
+
 }
diff --git a/src/lib/text/ktexttohtml.cpp b/src/lib/text/ktexttohtml.cpp
index b181f56..09b2483 100644
--- a/src/lib/text/ktexttohtml.cpp
+++ b/src/lib/text/ktexttohtml.cpp
@@ -156,7 +156,6 @@ bool KTextToHTMLHelper::atUrl()
 (allowedSpecialChars.indexOf(mText[mPos - 1]) != -1))) { return false; }
-
 QChar ch = mText[mPos]; return (ch == QLatin1Char('h') && (mText.mid(mPos, 7) == QLatin1String("http://") ||
@@ -192,7 +191,7 @@ bool KTextToHTMLHelper::isEmptyUrl(const QString &url)
 url == QLatin1String("news://"); }
-QString KTextToHTMLHelper::getUrl()
+QString KTextToHTMLHelper::getUrl(bool *badurl)
 { QString url; if (atUrl()) {
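Review bot: The new `url-exec-html` row pins only the two-character `">` case, so the regression test says nothing about a `"` that is not immediately followed by `>`, which the matching guard added to getUrl in this patch also lets through. A second row with the quote in another position would document the intended behaviour for that input whichever way it is decided. The `//Fix url exploit` comment could also state what is asserted, e.g. `// a candidate URL containing "> must not become a link; the input is returned unchanged`.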
@@ -229,6 +228,7 @@ QString KTextToHTMLHelper::getUrl()
 url.reserve(mMaxUrlLen); // avoid allocs
 int start = mPos; bool previousCharIsSpace = false;
+ bool previousCharIsADoubleQuote = false;
 while ((mPos < mText.length()) && (mText[mPos].isPrint() || mText[mPos].isSpace()) && ((afterUrl.isNull() && !mText[mPos].isSpace()) ||
@@ -241,6 +241,18 @@ QString KTextToHTMLHelper::getUrl()
 break; } previousCharIsSpace = false;
+ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
+ //it's an invalid url
+ if (badurl) {
+ *badurl = true;
+ }
+ return QString();
+ }
+ if (mText[mPos] == QLatin1Char('"')) {
+ previousCharIsADoubleQuote = true;
+ } else {
+ previousCharIsADoubleQuote = false;
+ }
 url.append(mText[mPos]); if (url.length() > mMaxUrlLen) { break;
@@ -341,7 +353,6 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
 QChar ch; int x; bool startOfLine = true;
- //qDebug()<<" plainText"<<plainText;
 for (helper.mPos = 0, x = 0; helper.mPos < helper.mText.length(); ++helper.mPos, ++x) {
@@ -409,8 +420,11 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
 } else { const int start = helper.mPos; if (!(flags & IgnoreUrls)) {
- str = helper.getUrl();
- //qDebug()<<" str"<<str;
+ bool badUrl = false;
+ str = helper.getUrl(&badUrl);
+ if (badUrl) {
+ return helper.mText;
+ }
 if (!str.isEmpty()) { QString hyperlink; if (str.left(4) == QLatin1String("www.")) {
@@ -464,7 +478,6 @@ QString KTextToHTML::convertToHtml(const QString &plainText, const KTextToHTML::
 result = helper.emoticonsInterface()->parseEmoticons(result, true, exclude); }
- //qDebug()<<" result "<<result;
 return result; }
diff --git a/src/lib/text/ktexttohtml_p.h b/src/lib/text/ktexttohtml_p.h
index 74ad7a0..fc43613 100644
--- a/src/lib/text/ktexttohtml_p.h
+++ b/src/lib/text/ktexttohtml_p.h
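Review bot: The guard added to getUrl rejects only a `"` that is immediately followed by `>`; any other `"` is still appended to url as before, and whether that quote is escaped when the href attribute is assembled is not visible here (the hyperlink construction after `if (str.left(4) == QLatin1String("www.")) {` lies outside the hunk). A double quote is not a legal unencoded URL character, so ending the scan or setting `*badurl` at the first `"` regardless of the following character would close that gap and make the previousCharIsADoubleQuote state unnecessary. If the pairwise check is kept, the trailing if/else collapses to `previousCharIsADoubleQuote = (mText[mPos] == QLatin1Char('"'));`. getUrl's body continues outside the hunk on both sides.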
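Review bot: `return helper.mText;` on badUrl abandons the whole conversion and hands back the untouched input as the HTML result, discarding everything already accumulated in result and whatever processing the remainder of the text would have received; the new test row pins exactly this by expecting `https://"><!--` back verbatim. Treating the rejected token as ordinary text instead — taking the non-URL path so it is emitted the same way any other character is, then continuing the loop — keeps one bad token from changing how the rest of the message is rendered. The surrounding loop body starts and ends outside the hunk, so the exact fall-through point cannot be named here.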
@@ -49,7 +49,7 @@ public:
 QString getEmailAddress(); bool atUrl(); bool isEmptyUrl(const QString &url);
- QString getUrl();
+ QString getUrl(bool *badurl = Q_NULLPTR);
 QString pngToDataUrl(const QString &pngPath); QString highlightedText();
-- 2.10.0
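Review bot: The new `bool *badurl` out-parameter on getUrl is undocumented, and because the function returns an empty QString both when no URL starts at the current position and when a candidate was rejected, a caller that leaves the default Q_NULLPTR cannot tell the two apart. A one-line comment on the declaration would state the contract, e.g. `/// @param badurl optional; set to true when the candidate URL was rejected (the result is then empty)`.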