
List:       kde-core-devel
Subject:    Feedback wanted regarding prettyURL()
From:       Dirk Mueller <mueller () kde ! org>
Date:       2007-08-16 15:31:48
Message-ID: 200708161731.48452.mueller () kde ! org

Hi, 

To avoid the latest announced URL spoofing attacks in a general way, I 
suggested shortening the username, so that the user does not misinterpret the 
username as part of the hostname. 

This, however, breaks the URL pretty badly: the username is not really valid 
anymore. On the other hand, it's unlikely that a very long username will be 
given, especially if no password has been added. 

Comments, opinions?

Thanks,
Dirk

["shorten-username.diff" (text/x-diff)]

Index: kurl.cpp
===================================================================
--- kurl.cpp	(revision 700783)
+++ kurl.cpp	(working copy)
@@ -30,6 +30,7 @@
 #include <kglobal.h>
 #include <kidna.h>
 #include <kprotocolinfo.h>
+#include <kstringhandler.h>
 #endif
 
 #include <stdio.h>
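Review bot: the new `#include <kstringhandler.h>` is placed inside the block closed by the `#endif` two lines below it, so it is only compiled under whatever guard opens that block. Since the only use of `KStringHandler` in the second hunk sits under `#ifndef KDE_QT_ONLY`, that block must be the `KDE_QT_ONLY` region as well, otherwise a Qt-only build either fails to find the header or, if the guard is a different one, the include and the call site go out of step. Worth confirming the opening `#ifndef` of this include block.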
@@ -1540,7 +1541,13 @@ QString KURL::prettyURL( int _trailing )
     u += "//";
     if ( hasUser() )
     {
-      u += encode(m_strUser, 0, 0);
+      QString s = m_strUser;
+#ifndef KDE_QT_ONLY
+      // shorten the username, its unlikely to be valid without password anyway
+      if (!hasPass())
+          s = KStringHandler::csqueeze(s, 10);
+#endif
+      u += encode(s, 0, 0);
       // Don't show password!
       u += "@";
     }
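Review bot: the `if (!hasPass())` condition means a URL that carries a password still displays its full user part (the password itself stays hidden by the existing `// Don't show password!` path), so the protection against a user part that looks like a hostname depends on whether a password was supplied; if the intent is that a long user part can never be mistaken for the host, squeeze unconditionally, or say in the comment why the password case is exempt. Two smaller points: `10` is a bare magic number (a named constant would document the chosen width), and the comment should read "it's unlikely". Since the squeezed string is then passed through `encode()`, `prettyURL()` output with a long user part no longer round-trips through the parser, which is the breakage the mail already acknowledges and should be documented next to the call.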

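As an added illustration of the display rule the patch above introduces (this is not KDE's code nor part of the mail), here it is in plain C++ without Qt: `SimpleUrl`, the `csqueeze` approximation of `KStringHandler::csqueeze`, and the `encodeUser` stand-in for `KURL::encode` are assumptions, and the hostnames and user parts are constructed sample values.

```cpp
#include <cstdio>
#include <string>

// Constructed stand-in for the fields KURL keeps for a parsed URL.
struct SimpleUrl {
    std::string protocol;
    std::string user;
    std::string pass;
    std::string host;
    std::string path;
};

// Approximation of KStringHandler::csqueeze(): keep both ends of the string and
// replace the middle with "..." once it exceeds maxlen characters.
std::string csqueeze(const std::string& s, size_t maxlen = 40) {
    if (s.size() <= maxlen || maxlen <= 3) return s;
    size_t part = (maxlen - 3) / 2;
    return s.substr(0, part) + "..." + s.substr(s.size() - part);
}

// Minimal stand-in for KURL::encode(): escape the delimiters that would let a
// user part read as authority, path or query when displayed.
std::string encodeUser(const std::string& s) {
    std::string out;
    for (unsigned char c : s) {
        if (c == '@' || c == ':' || c == '/' || c == '?' || c == '#' || c == ' ') {
            char buf[4];
            std::snprintf(buf, sizeof buf, "%%%02X", c);
            out += buf;
        } else {
            out += static_cast<char>(c);
        }
    }
    return out;
}

// Mirrors the patched prettyURL(): the user part is squeezed to 10 characters
// when no password is present, and the password itself is never rendered.
std::string prettyURL(const SimpleUrl& u) {
    std::string s = u.protocol + "://";
    if (!u.user.empty()) {
        std::string user = u.user;
        if (u.pass.empty())              // same condition as the patch
            user = csqueeze(user, 10);
        s += encodeUser(user) + "@";     // password deliberately omitted
    }
    return s + u.host + u.path;
}
```

The second test case below shows the limit the reviewer note raises: with a password present the long user part is displayed in full.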
