Missing URI scheme validation (CVE-2021-28117)
authorDebian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Wed, 10 Mar 2021 22:53:46 +0000 (22:53 +0000)
committerPatrick Franz <patfra71@gmail.com>
Wed, 10 Mar 2021 22:53:46 +0000 (22:53 +0000)
Forwarded: not-needed

Validate so that only http(s) links are turned into clickable links.

Gbp-Pq: Name https_only_links.patch

libdiscover/backends/KNSBackend/KNSResource.cpp

index e43b2e48d52b5107ac8a9c1259d26c02123d5529..0ba8803296154ba90978a10073ba3c0917c3ad7c 100644 (file)
@@ -87,7 +87,7 @@ QString KNSResource::longDescription()
     ret.remove(QRegularExpression(QStringLiteral("\\[\\/?[a-z]*\\]")));
     // Find anything that looks like a link (but which also is not some html
     // tag value or another already) and make it a link
-    static const QRegularExpression urlRegExp(QStringLiteral("(^|\\s)([-a-zA-Z0-9@:%_\\+.~#?&//=]{2,256}\\.[a-z]{2,4}\\b(\\/[-a-zA-Z0-9@:;%_\\+.~#?&//=]*)?)"), QRegularExpression::CaseInsensitiveOption);
+    static const QRegularExpression urlRegExp(QStringLiteral("(^|\\s)(http[-a-zA-Z0-9@:%_\\+.~#?&//=]{2,256}\\.[a-z]{2,4}\\b(\\/[-a-zA-Z0-9@:;%_\\+.~#?&//=]*)?)"), QRegularExpression::CaseInsensitiveOption);
     ret.replace(urlRegExp, QStringLiteral("<a href=\"\\2\">\\2</a>"));
     return ret;
 }
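Review bot: The scheme check added on line 20 is only a literal `http` prefix, not a scheme: the character class that follows still admits every character the old pattern did, so any token beginning with those four letters (a constructed example: `httpfoo.example.org`) is still linkified, and `://` is never required. Anchoring on `https?://` matches what the description promises, and the doubled `//` in both character classes becomes redundant once the separator is explicit: `static const QRegularExpression urlRegExp(QStringLiteral("(^|\\s)(https?://[-a-zA-Z0-9@:%_\\+.~#?&/=]{2,256}\\.[a-z]{2,4}\\b(\\/[-a-zA-Z0-9@:;%_\\+.~#?&/=]*)?)"), QRegularExpression::CaseInsensitiveOption);`. Since `\\2` is substituted unescaped into the `href` on line 21, it is worth keeping `"`, `<` and `>` out of the character classes as they are now, and a comment such as `// Only http(s) schemes are linkified; the class deliberately excludes quote and angle brackets because \2 is inserted into the href verbatim` would record that intent. The body of `longDescription()` begins before this hunk, so I cannot see how `ret` is built before line 16.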