commit f9d0cb47cf94e209f6171ac0e8d774e68156a6e4
Author: Albert Astals Cid <aacid@kde.org>
Date:   Tue Feb 28 19:00:48 2017 +0100

    Sanitize URLs before passing them to FindProxyForURL
    
    Remove user/password information
    For https: remove path and query
    
    Thanks to safebreach.com for reporting the problem
    
    CCMAIL: yoni.fridburg@safebreach.com
    CCMAIL: amit.klein@safebreach.com
    CCMAIL: itzik.kotler@safebreach.com

diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
index a0235f73..2485c54d 100644
--- a/src/kpac/script.cpp
+++ b/src/kpac/script.cpp
@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
         }
     }
 
+    QUrl cleanUrl = url;
+    cleanUrl.setUserInfo(QString());
+    if (cleanUrl.scheme() == QLatin1String("https")) {
+        cleanUrl.setPath(QString());
+        cleanUrl.setQuery(QString());
+    }
+
     QScriptValueList args;
-    args << url.url();
-    args << url.host();
+    args << cleanUrl.url();
+    args << cleanUrl.host();
 
     QScriptValue result = func.call(QScriptValue(), args);
     if (result.isError()) {