'Re: Porting KUrl::prettyUrl: please do not reintroduce CVE-2013-2074!'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-core-devel
Subject:    Re: Porting KUrl::prettyUrl: please do not reintroduce CVE-2013-2074!
From:       Dawit A <adawit () kde ! org>
Date:       2014-10-17 4:04:26
Message-ID: CALa28R5xwUDruMmY6n8u_fq4ZqqEB26JkmwAMtQ810aP+yhP-g () mail ! gmail ! com
[Download RAW message or body]

I personally think QUrl should remove the password by default when
converting to string and force caller of the API to explicitly request the
inclusion of the password say by changing the modifier option to a
QUrl::IncludePassword. It is better to be safer out of the box.

On Thu, Oct 16, 2014 at 8:53 PM, Kevin Kofler <kevin.kofler@chello.at>
wrote:

> Hi,
>
> just a small public service announcement: The correct replacement for:
> url.prettyUrl()
> in Qt 5 is NOT:
> url.toString() // BAD!
> but:
> url.toString(QUrl::RemovePassword)
>
> The old KUrl::prettyUrl() always removed passwords. You DON'T want to show
> passwords in user output:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2074
>
> (I found this reviewing the initial port of Kompare.)
>
> Thanks for reading,
>         Kevin Kofler
>
>

[Attachment #3 (text/html)]

<div dir="ltr">I personally think QUrl should remove the password  by default when \
converting to string and force  caller of the API to explicitly request the inclusion \
of the password say by changing the modifier option to a QUrl::IncludePassword. It is \
better to be safer out of the box.</div><div class="gmail_extra"><br><div \
class="gmail_quote">On Thu, Oct 16, 2014 at 8:53 PM, Kevin Kofler <span \
dir="ltr">&lt;<a href="mailto:kevin.kofler@chello.at" \
target="_blank">kevin.kofler@chello.at</a>&gt;</span> wrote:<br><blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex">Hi,<br> <br>
just a small public service announcement: The correct replacement for:<br>
url.prettyUrl()<br>
in Qt 5 is NOT:<br>
url.toString() // BAD!<br>
but:<br>
url.toString(QUrl::RemovePassword)<br>
<br>
The old KUrl::prettyUrl() always removed passwords. You DON&#39;T want to show<br>
passwords in user output:<br>
<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2074" \
target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2074</a><br> \
<br> (I found this reviewing the initial port of Kompare.)<br>
<br>
Thanks for reading,<br>
            Kevin Kofler<br>
<br>
</blockquote></div><br></div>



[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic