
List:       kde-core-devel
Subject:    Porting KUrl::prettyUrl: please do not reintroduce CVE-2013-2074!
From:       Kevin Kofler <kevin.kofler () chello ! at>
Date:       2014-10-17 0:53:25
Message-ID: m1ppa7$4dk$1 () ger ! gmane ! org

Hi,

just a small public service announcement: The correct replacement for:
url.prettyUrl()
in Qt 5 is NOT:
url.toString() // BAD!
but:
url.toString(QUrl::RemovePassword)

The old KUrl::prettyUrl() always removed passwords. You DON'T want to show 
passwords in user output:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2074

(I found this reviewing the initial port of Kompare.)

Thanks for reading,
        Kevin Kofler
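
One way to check a ported tree for the mistake described above, as an added example (not part of the original message and not KDE tooling): a shell heuristic that flags argument-less `toString()` calls on receivers whose name contains "url". The name-based match, the function names and the sample sources are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a KUrl -> QUrl port for toString() calls that would
# display the password. Assumption: URL-typed receivers have "url" in their name.

# Matches url.toString(), m_url->toString(), sourceUrl().toString( ) etc.,
# but not calls that pass formatting options such as QUrl::RemovePassword.
PATTERN='[a-z0-9_]*url[a-z0-9_]*(\(\))?(\.|->)toString\([[:space:]]*\)'

# audit_url_tostring DIR
# Prints file:line:text for each flagged line; returns 1 if any were found.
audit_url_tostring() {
    hits=$(find "$1" -type f \( -name '*.cpp' -o -name '*.cc' -o -name '*.h' \) \
        -exec grep -niE "$PATTERN" /dev/null {} + | sort)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# make_sample_tree: constructed sample sources, not taken from any real project.
make_sample_tree() {
    d=$(mktemp -d)
    cat > "$d/bad.cpp" <<'EOF'
void show(const QUrl &url) {
    label->setText(url.toString());
    status->setText(m_sourceUrl.toString( ));
}
EOF
    cat > "$d/good.cpp" <<'EOF'
void show(const QUrl &url) {
    label->setText(url.toString(QUrl::RemovePassword));
    title->setText(variant.toString());
}
EOF
    printf '%s\n' "$d"
}

# Demo run on the constructed tree: prints the two flagged lines of bad.cpp.
sample=$(make_sample_tree)
audit_url_tostring "$sample" || echo "review the lines above"
rm -rf "$sample"
```

A flagged line is only a candidate for review: a bare `toString()` is still correct where the full URL is needed for non-display purposes.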
