From kde-core-devel Fri Oct 17 04:04:26 2014
From: Dawit A
Date: Fri, 17 Oct 2014 04:04:26 +0000
To: kde-core-devel
Subject: Re: Porting KUrl::prettyUrl: please do not reintroduce CVE-2013-2074!
X-MARC-Message: https://marc.info/?l=kde-core-devel&m=141351873703849

I personally think QUrl should remove the password by default when converting to string and force the caller of the API to explicitly request the inclusion of the password, say by changing the modifier option to a QUrl::IncludePassword. It is better to be safer out of the box.

On Thu, Oct 16, 2014 at 8:53 PM, Kevin Kofler wrote:
> Hi,
>
> just a small public service announcement: The correct replacement for:
>     url.prettyUrl()
> in Qt 5 is NOT:
>     url.toString() // BAD!
> but:
>     url.toString(QUrl::RemovePassword)
>
> The old KUrl::prettyUrl() always removed passwords. You DON'T want to show
> passwords in user output:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2074
>
> (I found this reviewing the initial port of Kompare.)
>
> Thanks for reading,
>         Kevin Kofler
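The toString() versus toString(QUrl::RemovePassword) distinction from the thread, shown as an added example outside Qt (Python's urllib; this is not KDE or Qt code): pretty_url mimics what QUrl::RemovePassword does (username kept, password dropped), naive_to_string is the leaky default, and find_password_leaks is a check a maintainer can run over captured log or UI output to catch the regression. The log lines are constructed.

```python
import re
from urllib.parse import urlsplit, urlunsplit


def naive_to_string(url: str) -> str:
    """The equivalent of plain url.toString(): round-trips everything, password included."""
    return urlunsplit(urlsplit(url))


def has_password(url: str) -> bool:
    """True when the URL's userinfo carries a password (user:password@host)."""
    userinfo, sep, _hostport = urlsplit(url).netloc.rpartition("@")
    return bool(sep) and ":" in userinfo


def pretty_url(url: str) -> str:
    """Display form with the password removed, like QUrl::toString(QUrl::RemovePassword).

    The username survives; only the part after ':' in the userinfo is dropped.
    An '@' in the password must be percent-encoded (RFC 3986), so rpartition('@') is safe.
    """
    parts = urlsplit(url)
    userinfo, sep, hostport = parts.netloc.rpartition("@")
    if not sep:
        return url  # no userinfo at all, nothing to strip
    user, _, _password = userinfo.partition(":")
    netloc = f"{user}@{hostport}" if user else hostport  # drop a dangling '@' too
    return urlunsplit(parts._replace(netloc=netloc))


# Loose URL matcher for scanning free-form text (log lines, status messages).
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s\"'<>]+")


def find_password_leaks(lines):
    """Return (line_no, redacted_url) for every URL in `lines` that still shows a password."""
    hits = []
    for no, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            if has_password(url):
                hits.append((no, pretty_url(url)))  # report it without repeating the secret
    return hits


# Constructed sample output, as a ported app might write it with the bad toString().
LOG = [
    "2014-10-16 20:53:01 app: opening ftp://alice:s3cr3t@example.com:21/pub/a.diff",
    "2014-10-16 20:53:02 app: opening http://bob@example.org/b.diff",
    "2014-10-16 20:53:03 app: done",
]
```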