List: kde-commits
Subject: [kdelibs] kioslave/http: Avoid prompting the use
From: Dawit Alemayehu <adawit () kde ! org>
Date: 2011-06-18 18:55:38
Message-ID: 20110618185538.34D9FA60A6 () git ! kde ! org
Git commit dd7b1c02d21eb10918127b672ff410abd6f437c5 by Dawit Alemayehu.
Committed on 18/06/2011 at 20:19.
Pushed by adawit into branch 'master'.
Avoid prompting the user with the address spoofing protection warning for each
and every resource retrieved from a single web site.
M +31 -20 kioslave/http/http.cpp
http://commits.kde.org/kdelibs/dd7b1c02d21eb10918127b672ff410abd6f437c5
diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp
index 46d2a01..cf63616 100644
--- a/kioslave/http/http.cpp
+++ b/kioslave/http/http.cpp
@@ -192,6 +192,16 @@ static QString sanitizeCustomHTTPHeader(const QString& _header)
return sanitizedHeaders;
}
+static bool isPotentialSpoofingAttack(const HTTPProtocol::HTTPRequest& request, const KConfigGroup* config)
+{
+ // kDebug(7113) << request.url << "response code: " << request.responseCode << "previous response code:" << request.prevResponseCode;
+ if (!request.url.user().isEmpty()) {
+ const QString userName = config->readEntry(QLatin1String("LastSpoofedUserName"), QString());
+ return ((userName.isEmpty() || userName != request.url.user()) && request.responseCode != 401 && request.prevResponseCode != 401);
+ }
+ return false;
+}
+
// for a given response code, conclude if the response is going to/likely to have a response body
static bool canHaveResponseBody(int responseCode, KIO::HTTP_METHOD method)
{
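Review bot: The new predicate only inspects `request.url.user()`, so the proxy case that the removed readBody() check covered — a non-empty `m_request.proxyUrl.user()` with neither response code equal to 407 — is no longer flagged anywhere, and the commit message does not mention dropping it. If that is deliberate (the proxy URL presumably comes from the user's own proxy settings rather than from a link, so the spoofing concern arguably does not apply to it), the description should say so; otherwise the helper needs a second branch over `request.proxyUrl.user()` against the 407 codes. Inside the branch `userName.isEmpty() ||` is redundant, because `request.url.user()` is known to be non-empty there, so `return userName != request.url.user() && request.responseCode != 401 && request.prevResponseCode != 401;` is equivalent and easier to read. A header comment would also help, e.g. `// A URL such as http://trusted.example@evil.example/ shows a "username" the user may mistake for the host; warn unless the site actually asked for credentials (401) or the user already accepted this username for this host.`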
@@ -2891,6 +2901,27 @@ try_again:
// immediately act on most response codes...
+ // Protect users against bogus username intended to fool them into visiting
+ // sites they had no intention of visiting.
+ if (isPotentialSpoofingAttack(m_request, config())) {
+ // kDebug(7113) << "**** POTENTIAL ADDRESS SPOOFING:" << m_request.url;
+ const int result = messageBox(WarningYesNo,
+ i18nc("@warning: Security check on url "
+ "being accessed", "You are about to "
+ "log in to the site \"%1\" with the "
+ "username \"%2\", but the website "
+ "does not require authentication. "
+ "This may be an attempt to trick you."
+ "<p>Is \"%1\" the site you want to visit?",
+ m_request.url.host(), m_request.url.user()),
+ i18nc("@title:window", "Confirm Website Access"));
+ if (result == KMessageBox::No) {
+ error(ERR_USER_CANCELED, m_request.url.url());
+ return false;
+ }
+ setMetaData(QLatin1String("{internal~currenthost}LastSpoofedUserName"), m_request.url.user());
+ }
+
if (m_request.responseCode != 200 && m_request.responseCode != 304) {
m_request.cacheTag.ioMode = NoCache;
}
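Review bot: The suppression relies on `setMetaData("{internal~currenthost}LastSpoofedUserName", ...)` becoming visible to the next `config()->readEntry("LastSpoofedUserName")`, a round trip through the slave's metadata/config plumbing that is outside this hunk, so that dependency should be stated rather than left implicit — something like `// Remember the accepted username for this host (the {internal~currenthost} prefix scopes it) so the same site does not prompt for every resource; isPotentialSpoofingAttack() reads it back through config() on later requests.` above the setMetaData call. Because the check now appears to sit in the header-processing path below the `try_again:` label, and the stored value presumably only reaches `config()` on a subsequent request, a path that jumps back to `try_again` within the same request (for instance after an interim 1xx response) could present the dialog twice; this is worth confirming, and a short comment on why the check moved here from readBody() would help a future reader. The enclosing function begins before this hunk.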
@@ -4328,26 +4359,6 @@ void HTTPProtocol::slotData(const QByteArray &_d)
*/
bool HTTPProtocol::readBody( bool dataInternal /* = false */ )
{
- // Security check against bogus username intended to fool the user into
- // visiting a site they did not meant to.
- if ((!m_request.url.user().isEmpty() && m_request.prevResponseCode != 401 && m_request.responseCode != 401) ||
- (!m_request.proxyUrl.user().isEmpty() && m_request.prevResponseCode != 407 && m_request.responseCode != 407)) {
- const int result = messageBox(WarningYesNo,
- i18nc("@warning: Security check on url "
- "being accessed", "You are about to "
- "log in to the site \"%1\" with the "
- "username \"%2\", but the website "
- "does not require authentication. "
- "This may be an attempt to trick you."
- "<p>Is \"%1\" the site you want to visit?",
- m_request.url.host(), m_request.url.user()),
- i18nc("@title:window", "Confirm Website Access"));
- if (result == KMessageBox::No) {
- error(ERR_USER_CANCELED, m_request.url.url());
- return false;
- }
- }
-
// special case for reading cached body since we also do it in this function. oh well.
if (!canHaveResponseBody(m_request.responseCode, m_request.method) &&
!(m_request.cacheTag.ioMode == ReadFromCache && m_request.responseCode == 304 &&