[Bug 1178286] Re: Security advisory from KDE upstream

Bug Watch Updater 1178286 at bugs.launchpad.net
Thu May 9 15:31:10 UTC 2013


Launchpad has imported 9 comments from the remote bug at
https://bugs.kde.org/show_bug.cgi?id=319428.

If you reply to an imported comment from within Launchpad, your comment
will be sent to the remote bug automatically. Read more about
Launchpad's inter-bugtracker facilities at
https://help.launchpad.net/InterBugTracking.

------------------------------------------------------------------------
On 2013-05-06T20:06:29+00:00 M-wege wrote:

I just received a notification from the resource which read "internal
server error" and the url
https://username:password@serveradress.com/remote.php.carddav...

I believe it is not a good idea to have a password in a notification.

Reproducible: Always

Reply at:
https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/0

------------------------------------------------------------------------
On 2013-05-07T14:02:45+00:00 Winter-s wrote:

somewhere a message is using url() rather than prettyUrl().

but so far I haven't had any luck finding where in the code.

maybe another set of eyes will have more luck.  should be an easy fix
once we find the offending text.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/1

------------------------------------------------------------------------
On 2013-05-07T17:10:42+00:00 Montel-3 wrote:

We need a screenshot or exact error message to find it.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/2

------------------------------------------------------------------------
On 2013-05-07T21:19:16+00:00 M-wege wrote:

Is there a way to provoke a connection error? It doesn't work when just
disconnecting the internet. The cause must have been on the server side,
so I will only see the message again, when I can fake a server error or
it happens again.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/3

------------------------------------------------------------------------
On 2013-05-08T20:01:57+00:00 Greg-xrvasas wrote:

I think this was introduced by 649a97d08771020a4e5151bbc041e82405f5841c,
at least that's the only commit I can think of that touched the error
messages. If true, there are some chances that the issue comes from KIO.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/4

------------------------------------------------------------------------
On 2013-05-08T20:14:48+00:00 Greg-xrvasas wrote:

Looks like the source is in kdelibs/kioslave/http/http.cpp:3059, where
url() is used instead of prettyUrl() as the error message.

Do you think this can go into kdelibs for 4.10.4?

Reply at:
https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/5

------------------------------------------------------------------------
On 2013-05-08T20:57:40+00:00 Winter-s wrote:

yes please.

looks like changing that line to use m_request.url.host() might be the
correct solution.

In fact, once this is fixed I'll send a note to the packagers that they
might want to hotpatch their 4.10.3 releases.

Reply at:
https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/6

------------------------------------------------------------------------
On 2013-05-08T21:13:39+00:00 Greg-xrvasas wrote:

(In reply to comment #6)
> looks like changing that line to use m_request.url.host() might be the
> correct solution.

Having the full URL that triggered this error would help finding the
issue, so I'm not certain that just keeping the hostname would be
satisfying to most users. As for the usage of this string there's a new
line between 'Internal error in server' and the error text, which makes
me doubt that %1 stands for the hostname in the full message.

Otherwise, looking around this line the m_request.url.url() is also used
in the same way (lines 3075 and 3077). I'll also replace those with
prettyUrl().

Reply at:
https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/7
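
The pattern discussed in the comments above, shown as an added, self-contained
example (not code from kdelibs, KIO or the commit referenced in this thread):
an error string built from the raw URL carries the userinfo credentials
through to the notification, while redacting the URL before interpolating it
does not. The helper redactUrlPassword() is written for this example only and
only approximates what KUrl::prettyUrl() does; it keeps the user name and
replaces the password with "***" rather than dropping it. The sample URL is
constructed and uses the reserved example.invalid host.

```cpp
#include <iostream>
#include <string>

// Hypothetical helper (not KDE's KUrl::prettyUrl): replace the password part
// of a URL's userinfo with "***" so the result is safe to show or log.
// Scheme, user name, host, port, path and query are left untouched.
std::string redactUrlPassword(const std::string& url) {
    const std::string::size_type schemeEnd = url.find("://");
    if (schemeEnd == std::string::npos) return url;  // not a hierarchical URL
    const std::string::size_type authorityStart = schemeEnd + 3;

    // The authority ends at the first '/', '?' or '#' after the scheme.
    std::string::size_type authorityEnd = url.find_first_of("/?#", authorityStart);
    if (authorityEnd == std::string::npos) authorityEnd = url.size();

    // Userinfo, if present, is everything before the last '@' in the authority.
    const std::string::size_type at = url.rfind('@', authorityEnd);
    if (at == std::string::npos || at < authorityStart) return url;  // no userinfo

    // A ':' before the '@' separates user name from password.
    const std::string::size_type colon = url.find(':', authorityStart);
    if (colon == std::string::npos || colon > at) return url;  // user only, no password

    return url.substr(0, colon + 1) + "***" + url.substr(at);
}

// Message built the way the bug describes: the full URL, credentials included,
// is interpolated into the text that reaches the user's notification.
std::string errorMessageLeaky(const std::string& url) {
    return "Internal error in server\n" + url;
}

// Hardened form: redact the URL before it is interpolated into the message.
std::string errorMessageSafe(const std::string& url) {
    return "Internal error in server\n" + redactUrlPassword(url);
}

// Simple check a reviewer or a unit test can apply to any user-facing string:
// does it contain the secret that was in the request URL?
bool messageContainsSecret(const std::string& message, const std::string& secret) {
    return message.find(secret) != std::string::npos;
}

int main() {
    // Constructed sample; "s3cret" stands in for a real CardDAV password.
    const std::string url = "https://alice:s3cret@example.invalid/remote.php/carddav";
    std::cout << "leaky:\n" << errorMessageLeaky(url) << "\n\n";
    std::cout << "safe:\n" << errorMessageSafe(url) << "\n";
    return messageContainsSecret(errorMessageSafe(url), "s3cret") ? 1 : 0;
}
```

The redaction has to happen at the point where the URL becomes text, not
after the message has been assembled: once the password is inside a string
that is handed to a notification or a log, there is no reliable way to find
it again. A check like messageContainsSecret() is cheap to run in a unit test
over every user-facing error string a module produces.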

------------------------------------------------------------------------
On 2013-05-08T21:38:57+00:00 Greg-xrvasas wrote:

Git commit 65d736dab592bced4410ccfa4699de89f78c96ca by Grégory Oestreicher.
Committed on 08/05/2013 at 23:16.
Pushed by goestreicher into branch 'KDE/4.10'.

Don't show passwords contained in HTTP URLs in error messages

M  +3    -3    kioslave/http/http.cpp

http://commits.kde.org/kdelibs/65d736dab592bced4410ccfa4699de89f78c96ca

Reply at:
https://bugs.launchpad.net/ubuntu/+source/kde4libs/+bug/1178286/comments/8


** Changed in: kdelibs
       Status: Unknown => Fix Released

** Changed in: kdelibs
   Importance: Unknown => Medium
