List: kde-commits
Subject: [kdelibs] kioslave/http: Show a security warning
From: Dawit Alemayehu <adawit () kde ! org>
Date: 2011-05-26 5:00:32
Message-ID: 20110526050032.21020A60A4 () git ! kde ! org
Git commit 3bbd4496bc8a01e80df61763bfd0347e8ba7f09a by Dawit Alemayehu.
Committed on 25/05/2011 at 19:58.
Pushed by adawit into branch 'master'.
Show a security warning when a URL includes a bogus username intended to fool
users into visiting sites they had no intention of visiting.
Note: new string.
BUG: 94867
FIXED-IN: 4.7.0
REVIEW: 101440
CCMAIL: kde-i18n-doc@kde.org
M +21 -0 kioslave/http/http.cpp
http://commits.kde.org/kdelibs/3bbd4496bc8a01e80df61763bfd0347e8ba7f09a
diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp
index b937856..e14c8f6 100644
--- a/kioslave/http/http.cpp
+++ b/kioslave/http/http.cpp
@@ -66,6 +66,7 @@
#include <kstandarddirs.h>
#include <kremoteencoding.h>
#include <ktcpsocket.h>
+#include <kmessagebox.h>
#include <kio/ioslave_defaults.h>
#include <kio/http_slave_defaults.h>
@@ -4317,6 +4318,26 @@ void HTTPProtocol::slotData(const QByteArray &_d)
*/
bool HTTPProtocol::readBody( bool dataInternal /* = false */ )
{
+ // Security check against bogus username intended to fool the user into
+ // visiting a site they did not meant to.
+ if ((!m_request.url.user().isEmpty() && m_request.responseCode != 401) ||
+ (!m_request.proxyUrl.user().isEmpty() && m_request.responseCode != 407)) {
+ const int result = messageBox(WarningYesNo,
+ i18nc("@warning: Security check on url "
+ "being accessed", "You are about to "
+ "log in to the site \"%1\" with the "
+ "username \"%2\", but the website "
+ "does not require authentication. "
+ "This may be an attempt to trick you."
+ "<p>Is \"%1\" the site you want to visit?",
+ m_request.url.host(), m_request.url.user()),
+ i18nc("@title:window", "Confirm Website Access"));
+ if (result == KMessageBox::No) {
+ error(ERR_USER_CANCELED, m_request.url.url());
+ return false;
+ }
+ }
+
// special case for reading cached body since we also do it in this function. oh well.
if (!canHaveResponseBody(m_request.responseCode, m_request.method) &&
!(m_request.cacheTag.ioMode == ReadFromCache && m_request.responseCode == 304 &&
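Review bot: The condition fires on either `m_request.url.user()` or `m_request.proxyUrl.user()`, but the dialog and the cancel error always report `m_request.url.host()`, `m_request.url.user()` and `m_request.url.url()`, so when only the proxy URL carries a username the warning names a host that did not trip the check and an empty username. Bind a reference to whichever of `m_request.url` / `m_request.proxyUrl` satisfied its half of the condition and use that one for the host, the username and the `ERR_USER_CANCELED` argument, or split the two cases into separate prompts with wording that fits a proxy. Since readBody() is also the path for cached bodies (see the comment just below the new block) and for `dataInternal` reads, the prompt will presumably be shown again for every request that reuses the same URL-embedded username, which is worth confirming and, if so, remembering the answer per host. The added comment has a typo and should read `// Security check against a bogus username intended to fool the user into visiting a site they did not mean to.`; a short note that the check is a heuristic that deliberately stays silent when the server asks for credentials (401/407) would also help the next maintainer. readBody() continues past the end of the hunk.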