
List:       kde-commits
Subject:    =?utf-8?q?=5Bkdelibs=5D_kioslave/http=3A_Show_a_security_warning?=
From:       Dawit Alemayehu <adawit () kde ! org>
Date:       2011-05-26 5:00:32
Message-ID: 20110526050032.21020A60A4 () git ! kde ! org

Git commit 3bbd4496bc8a01e80df61763bfd0347e8ba7f09a by Dawit Alemayehu.
Committed on 25/05/2011 at 19:58.
Pushed by adawit into branch 'master'.

Show a security warning when a URL includes a bogus username intended to fool
users into visiting sites they had no intention of visiting.

Note: new string.

BUG: 94867
FIXED-IN: 4.7.0
REVIEW: 101440
CCMAIL: kde-i18n-doc@kde.org

M  +21   -0    kioslave/http/http.cpp     

http://commits.kde.org/kdelibs/3bbd4496bc8a01e80df61763bfd0347e8ba7f09a

diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp
index b937856..e14c8f6 100644
--- a/kioslave/http/http.cpp
+++ b/kioslave/http/http.cpp
@@ -66,6 +66,7 @@
 #include <kstandarddirs.h>
 #include <kremoteencoding.h>
 #include <ktcpsocket.h>
+#include <kmessagebox.h>
 
 #include <kio/ioslave_defaults.h>
 #include <kio/http_slave_defaults.h>
@@ -4317,6 +4318,26 @@ void HTTPProtocol::slotData(const QByteArray &_d)
  */
 bool HTTPProtocol::readBody( bool dataInternal /* = false */ )
 {
+  // Security check against bogus username intended to fool the user into
+  // visiting a site they did not meant to.
+  if ((!m_request.url.user().isEmpty() && m_request.responseCode != 401) ||
+      (!m_request.proxyUrl.user().isEmpty() && m_request.responseCode != 407)) {
+      const int result = messageBox(WarningYesNo,
+                                    i18nc("@warning: Security check on url "
+                                          "being accessed", "You are about to "
+                                          "log in to the site \"%1\" with the "
+                                          "username \"%2\", but the website "
+                                          "does not require authentication. "
+                                          "This may be an attempt to trick you."
+                                          "<p>Is \"%1\" the site you want to visit?",
+                                          m_request.url.host(), m_request.url.user()),
+                                    i18nc("@title:window", "Confirm Website Access"));
+      if (result == KMessageBox::No) {
+        error(ERR_USER_CANCELED, m_request.url.url());
+        return false;
+      }
+  }
+
   // special case for reading cached body since we also do it in this function. oh well.
   if (!canHaveResponseBody(m_request.responseCode, m_request.method) &&
       !(m_request.cacheTag.ioMode == ReadFromCache && m_request.responseCode == 304 &&
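Review bot: The dialog text always names `m_request.url.host()` and `m_request.url.user()`, but the new condition also fires when only `m_request.proxyUrl` carries a username and the response is not 407, so in that case the user is asked about the destination host with an empty or unrelated username and the warning is easy to misread. Select the URL that triggered the check first, e.g. `const KUrl &suspect = m_request.url.user().isEmpty() ? m_request.proxyUrl : m_request.url;` and pass `suspect.host(), suspect.user()` to i18nc (the ERR_USER_CANCELED argument can stay as is). The check also runs on every call to readBody, which appears to include the cached-body path mentioned in the comment below it and repeated requests to the same URL, so the prompt may reappear per response; if that is unintended, remembering the confirmed host in the request state would suppress repeats. The comment above the condition reads "did not meant to"; "did not mean to" is intended. readBody's body continues past the end of the hunk.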

