'=?utf-8?q?=5Bkdelibs=5D_kioslave/http=3A_Avoid_prompting_the_use?='

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-commits
Subject:    =?utf-8?q?=5Bkdelibs=5D_kioslave/http=3A_Avoid_prompting_the_use?=
From:       Dawit Alemayehu <adawit () kde ! org>
Date:       2011-06-18 18:55:38
Message-ID: 20110618185538.34D9FA60A6 () git ! kde ! org
[Download RAW message or body]

Git commit dd7b1c02d21eb10918127b672ff410abd6f437c5 by Dawit Alemayehu.
Committed on 18/06/2011 at 20:19.
Pushed by adawit into branch 'master'.

Avoid prompting the user with the address spoofing protection warning for each
and every resource retreived from a single web site.

M  +31   -20   kioslave/http/http.cpp     

http://commits.kde.org/kdelibs/dd7b1c02d21eb10918127b672ff410abd6f437c5

diff --git a/kioslave/http/http.cpp b/kioslave/http/http.cpp
index 46d2a01..cf63616 100644
--- a/kioslave/http/http.cpp
+++ b/kioslave/http/http.cpp
@@ -192,6 +192,16 @@ static QString sanitizeCustomHTTPHeader(const QString& _header)
   return sanitizedHeaders;
 }
 
+static bool isPotentialSpoofingAttack(const HTTPProtocol::HTTPRequest& request, \
const KConfigGroup* config) +{
+    // kDebug(7113) << request.url << "response code: " << request.responseCode << \
"previous response code:" << request.prevResponseCode; +    if \
(!request.url.user().isEmpty()) { +        const QString userName = \
config->readEntry(QLatin1String("LastSpoofedUserName"), QString()); +        return \
((userName.isEmpty() || userName != request.url.user()) && request.responseCode != \
401 && request.prevResponseCode != 401); +    }
+    return false;
+}
+
 // for a given response code, conclude if the response is going to/likely to have a \
response body  static bool canHaveResponseBody(int responseCode, KIO::HTTP_METHOD \
method)  {
@@ -2891,6 +2901,27 @@ try_again:
 
     // immediately act on most response codes...
 
+    // Protect users against bogus username intended to fool them into visiting
+    // sites they had no intention of visiting.
+    if (isPotentialSpoofingAttack(m_request, config())) {
+        // kDebug(7113) << "**** POTENTIAL ADDRESS SPOOFING:" << m_request.url;
+        const int result = messageBox(WarningYesNo,
+                                      i18nc("@warning: Security check on url "
+                                            "being accessed", "You are about to "
+                                            "log in to the site \"%1\" with the "
+                                            "username \"%2\", but the website "
+                                            "does not require authentication. "
+                                            "This may be an attempt to trick you."
+                                            "<p>Is \"%1\" the site you want to \
visit?", +                                            m_request.url.host(), \
m_request.url.user()), +                                      i18nc("@title:window", \
"Confirm Website Access")); +        if (result == KMessageBox::No) {
+            error(ERR_USER_CANCELED, m_request.url.url());
+            return false;
+        }
+        setMetaData(QLatin1String("{internal~currenthost}LastSpoofedUserName"), \
m_request.url.user()); +    }
+
     if (m_request.responseCode != 200 && m_request.responseCode != 304) {
         m_request.cacheTag.ioMode = NoCache;
     }
@@ -4328,26 +4359,6 @@ void HTTPProtocol::slotData(const QByteArray &_d)
  */
 bool HTTPProtocol::readBody( bool dataInternal /* = false */ )
 {
-  // Security check against bogus username intended to fool the user into
-  // visiting a site they did not meant to.
-  if ((!m_request.url.user().isEmpty() && m_request.prevResponseCode != 401 && \
                m_request.responseCode != 401) ||
-      (!m_request.proxyUrl.user().isEmpty() && m_request.prevResponseCode != 407 && \
                m_request.responseCode != 407)) {
-      const int result = messageBox(WarningYesNo,
-                                    i18nc("@warning: Security check on url "
-                                          "being accessed", "You are about to "
-                                          "log in to the site \"%1\" with the "
-                                          "username \"%2\", but the website "
-                                          "does not require authentication. "
-                                          "This may be an attempt to trick you."
-                                          "<p>Is \"%1\" the site you want to \
                visit?",
-                                          m_request.url.host(), \
                m_request.url.user()),
-                                    i18nc("@title:window", "Confirm Website \
                Access"));
-      if (result == KMessageBox::No) {
-        error(ERR_USER_CANCELED, m_request.url.url());
-        return false;
-      }
-  }
-
   // special case for reading cached body since we also do it in this function. oh \
well.  if (!canHaveResponseBody(m_request.responseCode, m_request.method) &&
       !(m_request.cacheTag.ioMode == ReadFromCache && m_request.responseCode == 304 \
&&


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic