List: kde-core-devel
Subject: Feedback wanted regarding prettyURL()
From: Dirk Mueller <mueller () kde ! org>
Date: 2007-08-16 15:31:48
Message-ID: 200708161731.48452.mueller () kde ! org
Hi,
To avoid the latest announced URL spoofing attacks in a general way, I
suggested to shorten the username, to avoid that the user misinterprets the
username actually as part of the hostname.
This, however, breaks the URL pretty badly: the username is not really valid
anymore. On the other hand, it's unlikely that there will be a very long
username given, especially if no password has been added.
Comments, opinions?
Thanks,
Dirk
["shorten-username.diff" (text/x-diff)]
Index: kurl.cpp
===================================================================
--- kurl.cpp (revision 700783)
+++ kurl.cpp (working copy)
@@ -30,6 +30,7 @@
#include <kglobal.h>
#include <kidna.h>
#include <kprotocolinfo.h>
+#include <kstringhandler.h>
#endif
#include <stdio.h>
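Review bot: the new `#include <kstringhandler.h>` sits inside a conditional block whose opening guard is not visible in this hunk (only the closing `#endif` is). Please confirm that guard is the same `KDE_QT_ONLY` condition used around the `KStringHandler::csqueeze` call in prettyURL(), so the include and its only use are compiled in or out together.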
@@ -1540,7 +1541,13 @@ QString KURL::prettyURL( int _trailing )
u += "//";
if ( hasUser() )
{
- u += encode(m_strUser, 0, 0);
+ QString s = m_strUser;
+#ifndef KDE_QT_ONLY
+ // shorten the username, its unlikely to be valid without password anyway
+ if (!hasPass())
+ s = KStringHandler::csqueeze(s, 10);
+#endif
+ u += encode(s, 0, 0);
// Don't show password!
u += "@";
}
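Review bot: the `if (!hasPass())` condition leaves a gap, because the password is never displayed ("Don't show password!"), so a URL that carries a password still shows its username at full length and the display can be misread in the same way the patch is meant to prevent. Consider squeezing the username regardless of hasPass(). Two smaller points on the same lines: the shortening is compiled out under `KDE_QT_ONLY`, so those builds get no mitigation at all, and the limit `10` is an unexplained magic number that deserves a named constant. Since the returned string no longer carries the real username, the prettyURL() documentation should also state that its output is for display only and must not be parsed back into a KURL.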