From 2007fd8225c4e089c572ead5a62b699639e9d839 Mon Sep 17 00:00:00 2001
From: Albert Astals Cid <aacid@kde.org>
Date: Tue, 28 Feb 2017 19:00:48 +0100
Subject: [PATCH] Sanitize URLs before passing them to FindProxyForURL

Remove user/password information
For https: remove path and query

Thanks to safebreach.com for reporting the problem

CCMAIL: yoni.fridburg@safebreach.com
CCMAIL: amit.klein@safebreach.com
CCMAIL: itzik.kotler@safebreach.com

Gbp-Pq: Name Sanitize-URLs-before-passing-them-to-FindProxyForURL.patch
---
 src/kpac/script.cpp | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/kpac/script.cpp b/src/kpac/script.cpp
index b009bc9..916f647 100644
--- a/src/kpac/script.cpp
+++ b/src/kpac/script.cpp
@@ -754,9 +754,16 @@ QString Script::evaluate(const QUrl &url)
         }
     }
 
+    QUrl cleanUrl = url;
+    cleanUrl.setUserInfo(QString());
+    if (cleanUrl.scheme() == QLatin1String("https")) {
+        cleanUrl.setPath(QString());
+        cleanUrl.setQuery(QString());
+    }
+
     QScriptValueList args;
-    args << url.url();
-    args << url.host();
+    args << cleanUrl.url();
+    args << cleanUrl.host();
 
     QScriptValue result = func.call(QScriptValue(), args);
     if (result.isError()) {
-- 
2.30.2