kde-frameworks/kdelibs: Fix information leak

Revision bump backports upstream patch to fix a information leak when accessing
https when using a malicious PAC file
https://www.kde.org/info/security/advisory-20170228-1.txt

Gentoo-bug: 611254

Package-Manager: Portage-2.3.3, Repoman-2.3.1

1 files changed, 34 insertions, 0 deletions

diff --git a/kde-frameworks/kdelibs/files/kdelibs-4.14.29-sanitize-url.patch b/kde-frameworks/kdelibs/files/kdelibs-4.14.29-sanitize-url.patch
new file mode 100644
index 000000000000..d063f8b598d8
--- /dev/null
+++ b/kde-frameworks/kdelibs/files/kdelibs-4.14.29-sanitize-url.patch
@@ -0,0 +1,34 @@
+commit 1804c2fde7bf4e432c6cf5bb8cce5701c7010559
+Author: Albert Astals Cid <aacid@kde.org>
+Date:   Tue Feb 28 19:08:50 2017 +0100
+
+    Sanitize URLs before passing them to FindProxyForURL
+    
+    Remove user/password information
+    For https: remove path and query
+    
+    Backport from kio f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
+
+diff --git a/kio/misc/kpac/script.cpp b/kio/misc/kpac/script.cpp
+index a595301307..9ab360a0b5 100644
+--- a/kio/misc/kpac/script.cpp
++++ b/kio/misc/kpac/script.cpp
+@@ -754,9 +754,16 @@ namespace KPAC
+             }
+         }
+ 
++        KUrl cleanUrl = url;
++        cleanUrl.setUserInfo(QString());
++        if (cleanUrl.scheme().toLower() == QLatin1String("https")) {
++            cleanUrl.setPath(QString());
++            cleanUrl.setQuery(QString());
++        }
++
+         QScriptValueList args;
+-        args << url.url();
+-        args << url.host();
++        args << cleanUrl.url();
++        args << cleanUrl.host();
+ 
+         QScriptValue result = func.call(QScriptValue(), args);
+         if (result.isError()) {