TDE
/
tdelibs
mirror of https://mirror.git.trinitydesktop.org/gitea/TDE/tdelibs
0
0
Fork 0
Code Issues Releases Wiki Activity

Fix security issue when displaying certificate informations (CVE-2011-3365)

Browse Source
pull/16/head
Francois Andriot 12 years ago committed by Slávek Banko
parent 930498ce8a
commit a67a48107f
2 changed files with 38 additions and 8 deletions
Show Stats Download Patch File Download Diff File

21
tdeio/kssl/ksslinfodlg.cc
Unescape View File

@ -253,6 +253,14 @@ void KSSLInfoDlg::setup(KSSLCertificate *cert,
layout->addWidget(new TQLabel(i18n("%1 bits used of a %2 bit cipher").arg(usedbits).arg(bits), this), 10, 1); layout->addWidget(new TQLabel(i18n("%1 bits used of a %2 bit cipher").arg(usedbits).arg(bits), this), 10, 1);
d->m_layout->addMultiCell(layout, 2, 2, 0, 2); d->m_layout->addMultiCell(layout, 2, 2, 0, 2);
ipl->setTextFormat(TQt::PlainText);
urlLabel->setTextFormat(TQt::PlainText);
d->_serialNum->setTextFormat(TQt::PlainText);
d->_csl->setTextFormat(TQt::PlainText);
d->_validFrom->setTextFormat(TQt::PlainText);
d->_validUntil->setTextFormat(TQt::PlainText);
d->_digest->setTextFormat(TQt::PlainText);
displayCert(cert); displayCert(cert);
} }
@ -400,32 +408,32 @@ void KSSLCertBox::setValues(TQString certName, TQWidget *mailCatcher) {
if (!(tmp = cert.getValue("O")).isEmpty()) { if (!(tmp = cert.getValue("O")).isEmpty()) {
label = new TQLabel(i18n("Organization:"), _frame); label = new TQLabel(i18n("Organization:"), _frame);
label->setAlignment(Qt::AlignLeft | Qt::AlignTop); label->setAlignment(Qt::AlignLeft | Qt::AlignTop);
new TQLabel(tmp, _frame); (new TQLabel(tmp, _frame))->setTextFormat(TQt::PlainText);
} }
if (!(tmp = cert.getValue("OU")).isEmpty()) { if (!(tmp = cert.getValue("OU")).isEmpty()) {
label = new TQLabel(i18n("Organizational unit:"), _frame); label = new TQLabel(i18n("Organizational unit:"), _frame);
label->setAlignment(Qt::AlignLeft | Qt::AlignTop); label->setAlignment(Qt::AlignLeft | Qt::AlignTop);
new TQLabel(tmp, _frame); (new TQLabel(tmp, _frame))->setTextFormat(TQt::PlainText);
} }
if (!(tmp = cert.getValue("L")).isEmpty()) { if (!(tmp = cert.getValue("L")).isEmpty()) {
label = new TQLabel(i18n("Locality:"), _frame); label = new TQLabel(i18n("Locality:"), _frame);
label->setAlignment(Qt::AlignLeft | Qt::AlignTop); label->setAlignment(Qt::AlignLeft | Qt::AlignTop);
new TQLabel(tmp, _frame); (new TQLabel(tmp, _frame))->setTextFormat(TQt::PlainText);
} }
if (!(tmp = cert.getValue("ST")).isEmpty()) { if (!(tmp = cert.getValue("ST")).isEmpty()) {
label = new TQLabel(i18n("Federal State","State:"), _frame); label = new TQLabel(i18n("Federal State","State:"), _frame);
label->setAlignment(Qt::AlignLeft | Qt::AlignTop); label->setAlignment(Qt::AlignLeft | Qt::AlignTop);
new TQLabel(tmp, _frame); (new TQLabel(tmp, _frame))->setTextFormat(TQt::PlainText);
} }
if (!(tmp = cert.getValue("C")).isEmpty()) { if (!(tmp = cert.getValue("C")).isEmpty()) {
label = new TQLabel(i18n("Country:"), _frame); label = new TQLabel(i18n("Country:"), _frame);
label->setAlignment(Qt::AlignLeft | Qt::AlignTop); label->setAlignment(Qt::AlignLeft | Qt::AlignTop);
new TQLabel(tmp, _frame); (new TQLabel(tmp, _frame))->setTextFormat(TQt::PlainText);
} }
if (!(tmp = cert.getValue("CN")).isEmpty()) { if (!(tmp = cert.getValue("CN")).isEmpty()) {
label = new TQLabel(i18n("Common name:"), _frame); label = new TQLabel(i18n("Common name:"), _frame);
label->setAlignment(Qt::AlignLeft | Qt::AlignTop); label->setAlignment(Qt::AlignLeft | Qt::AlignTop);
new TQLabel(tmp, _frame); (new TQLabel(tmp, _frame))->setTextFormat(TQt::PlainText);
} }
if (!(tmp = cert.getValue("Email")).isEmpty()) { if (!(tmp = cert.getValue("Email")).isEmpty()) {
label = new TQLabel(i18n("Email:"), _frame); label = new TQLabel(i18n("Email:"), _frame);
@ -435,6 +443,7 @@ void KSSLCertBox::setValues(TQString certName, TQWidget *mailCatcher) {
connect(mail, TQT_SIGNAL(leftClickedURL(const TQString &)), mailCatcher, TQT_SLOT(mailClicked(const TQString &))); connect(mail, TQT_SIGNAL(leftClickedURL(const TQString &)), mailCatcher, TQT_SLOT(mailClicked(const TQString &)));
} else { } else {
label = new TQLabel(tmp, _frame); label = new TQLabel(tmp, _frame);
label->setTextFormat(TQt::PlainText);
} }
} }
if (label && viewport()) { if (label && viewport()) {

25
tdeioslave/http/http.cc
Unescape View File

@ -184,6 +184,27 @@ static TQString sanitizeCustomHTTPHeader(const TQString& _header)
return sanitizedHeaders.stripWhiteSpace(); return sanitizedHeaders.stripWhiteSpace();
} }
static TQString htmlEscape(const TQString &plain)
{
TQString rich;
rich.reserve(uint(plain.length() * 1.1));
for (uint i = 0; i < plain.length(); ++i) {
if (plain.at(i) == '<') {
rich += "&lt;";
} else if (plain.at(i) == '>') {
rich += "&gt;";
} else if (plain.at(i) == '&') {
rich += "&amp;";
} else if (plain.at(i) == '"') {
rich += "&quot;";
} else {
rich += plain.at(i);
}
}
rich.squeeze();
return rich;
}
#define NO_SIZE ((TDEIO::filesize_t) -1) #define NO_SIZE ((TDEIO::filesize_t) -1)
@ -5186,7 +5207,7 @@ void HTTPProtocol::promptInfo( AuthInfo& info )
info.verifyPath = false; info.verifyPath = false;
info.digestInfo = m_strAuthorization; info.digestInfo = m_strAuthorization;
info.commentLabel = i18n( "Site:" ); info.commentLabel = i18n( "Site:" );
info.comment = i18n("<b>%1</b> at <b>%2</b>").arg( m_strRealm ).arg( m_request.hostname ); info.comment = i18n("<b>%1</b> at <b>%2</b>").arg( htmlEscape(m_strRealm) ).arg( m_request.hostname );
} }
} }
else if ( m_responseCode == 407 ) else if ( m_responseCode == 407 )
@ -5203,7 +5224,7 @@ void HTTPProtocol::promptInfo( AuthInfo& info )
info.verifyPath = false; info.verifyPath = false;
info.digestInfo = m_strProxyAuthorization; info.digestInfo = m_strProxyAuthorization;
info.commentLabel = i18n( "Proxy:" ); info.commentLabel = i18n( "Proxy:" );
info.comment = i18n("<b>%1</b> at <b>%2</b>").arg( m_strProxyRealm ).arg( m_proxyURL.host() ); info.comment = i18n("<b>%1</b> at <b>%2</b>").arg( htmlEscape(m_strProxyRealm) ).arg( m_proxyURL.host() );
} }
} }
} }

Write Preview
Loading…
Cancel
Save