From: Debian Qt/KDE Maintainers Date: Wed, 10 Mar 2021 22:53:46 +0000 (+0000) Subject: Missing URI scheme validation (CVE-2021-28117) X-Git-Tag: archive/raspbian/5.26.90-1+rpi1~1^2^2~1 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=388080ebb15983114e26f7b37d84fe864f0cc7de;p=plasma-discover.git Missing URI scheme validation (CVE-2021-28117) Forwarded: not-needed Validate to only turn https(s)-links into clickable links. Gbp-Pq: Name https_only_links.patch
---
diff --git a/libdiscover/backends/KNSBackend/KNSResource.cpp b/libdiscover/backends/KNSBackend/KNSResource.cpp
index e43b2e4..0ba8803 100644
--- a/libdiscover/backends/KNSBackend/KNSResource.cpp
+++ b/libdiscover/backends/KNSBackend/KNSResource.cpp
@@ -87,7 +87,7 @@ QString KNSResource::longDescription()
 ret.remove(QRegularExpression(QStringLiteral("\\[\\/?[a-z]*\\]")));
 // Find anything that looks like a link (but which also is not some html
 // tag value or another already) and make it a link
- static const QRegularExpression urlRegExp(QStringLiteral("(^|\\s)([-a-zA-Z0-9@:%_\\+.~#?&//=]{2,256}\\.[a-z]{2,4}\\b(\\/[-a-zA-Z0-9@:;%_\\+.~#?&//=]*)?)"), QRegularExpression::CaseInsensitiveOption);
+ static const QRegularExpression urlRegExp(QStringLiteral("(^|\\s)(http[-a-zA-Z0-9@:%_\\+.~#?&//=]{2,256}\\.[a-z]{2,4}\\b(\\/[-a-zA-Z0-9@:;%_\\+.~#?&//=]*)?)"), QRegularExpression::CaseInsensitiveOption);
 ret.replace(urlRegExp, QStringLiteral("\\2"));
 return ret;
 }
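Review bot: The `http` prefix added to `urlRegExp` does not pin the scheme. The character class that follows still admits letters and `:`, so a token whose scheme only begins with those four letters is still turned into a link. Anchoring on the delimiter closes that gap: change `(http[-a-zA-Z0-9@:%_` to `(https?://[-a-zA-Z0-9@:%_` and leave the rest of the pattern as is. A sturdier check would parse each candidate with `QUrl` and compare `scheme()` against an allowlist of `http` and `https` before the anchor is emitted. `longDescription()` begins above the hunk, so any earlier sanitising of `ret` is not visible here.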