Fix Konqueror address bar spoofing attack vulnerability.

Security: CVE-2007-4224, CVE-2007-4224, CVE-2007-3820 Security: http://www.kde.org/info/security/advisory-20070816-1.txt
author: Michael Nottebrock <lofi@FreeBSD.org> 2007-08-19 15:36:01 +0000
committer: Michael Nottebrock <lofi@FreeBSD.org> 2007-08-19 15:36:01 +0000
commit: c6accc698631cb9331e64b9f3d19810d6834078a (patch)
tree: 0c6e8ede112436d08fbaf2f0018ba90362de4c5d /x11
parent: Update to the 20070815 snapshot of GCC 4.2.2. (diff)
18 files changed, 474 insertions, 9 deletions
diff --git a/x11/kde4-baseapps/Makefile b/x11/kde4-baseapps/Makefile
index 322f991ba7f2..42bda78adb66 100644
--- a/x11/kde4-baseapps/Makefile
+++ b/x11/kde4-baseapps/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	kdebase
 PORTVERSION=	${KDE_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	x11 kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	stable/${PORTVERSION:S/.0//}/src
diff --git a/x11/kde4-baseapps/files/patch-post-3.5.7-kdebase-konqueror.diff b/x11/kde4-baseapps/files/patch-post-3.5.7-kdebase-konqueror.diff
new file mode 100644
index 000000000000..0d6e44ef4f82
--- /dev/null
+++ b/x11/kde4-baseapps/files/patch-post-3.5.7-kdebase-konqueror.diff
@@ -0,0 +1,49 @@
+--- konqueror/konq_combo.cc
++++ konqueror/konq_combo.cc
+@@ -158,6 +158,9 @@ void KonqCombo::setURL( const QString& u
+         kapp->dcopClient()->send( "konqueror*", "KonquerorIface",
+                                   "addToCombo(QString,QCString)", data);
+     }
++    // important security consideration: always display the beginning
++    // of the url rather than its end to prevent spoofing attempts.
++    lineEdit()->setCursorPosition( 0 );
+ }
+ 
+ void KonqCombo::setTemporary( const QString& text )
+--- konqueror/konq_mainwindow.cc
++++ konqueror/konq_mainwindow.cc
+@@ -611,12 +611,11 @@ void KonqMainWindow::openURL( KonqView *
+   }
+   else // no known serviceType, use KonqRun
+   {
+-      if ( ( view && view == m_currentView ) ||
+-              ( !view && !req.newTab ) ) // startup with argument
++      if ( ( !view || view->url().isEmpty() ) && !req.newTab ) // startup with argument
+       {
+           // Show it for now in the location bar, but we'll need to store it in the view
+           // later on (can't do it yet since either view == 0 or updateHistoryEntry will be called).
+-          kdDebug(1202) << "setLocationBarURL : url = " << url << endl;
++          kdDebug(1202) << "setLocationBarURL (startup) : url = " << url << endl;
+           setLocationBarURL( url );
+       }
+ 
+@@ -819,8 +818,6 @@ bool KonqMainWindow::openView( QString s
+         if ( childView )
+         {
+             enableAllActions( true );
+-
+-            m_pViewManager->setActivePart( childView->part() );
+             m_currentView = childView;
+         }
+       }
+--- konqueror/konq_viewmgr.cc
++++ konqueror/konq_viewmgr.cc
+@@ -1395,6 +1395,8 @@ void KonqViewManager::slotActivePartChan
+ 
+ void KonqViewManager::emitActivePartChanged()
+ {
++    // prevent unnecessary multiple calls to slotPartActivated:
++    m_activePartChangedTimer->stop();
+     m_pMainWindow->slotPartActivated( activePart() );
+ }
+ 
diff --git a/x11/kde4-runtime/Makefile b/x11/kde4-runtime/Makefile
index 322f991ba7f2..42bda78adb66 100644
--- a/x11/kde4-runtime/Makefile
+++ b/x11/kde4-runtime/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	kdebase
 PORTVERSION=	${KDE_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	x11 kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	stable/${PORTVERSION:S/.0//}/src
diff --git a/x11/kde4-runtime/files/patch-post-3.5.7-kdebase-konqueror.diff b/x11/kde4-runtime/files/patch-post-3.5.7-kdebase-konqueror.diff
new file mode 100644
index 000000000000..0d6e44ef4f82
--- /dev/null
+++ b/x11/kde4-runtime/files/patch-post-3.5.7-kdebase-konqueror.diff
@@ -0,0 +1,49 @@
+--- konqueror/konq_combo.cc
++++ konqueror/konq_combo.cc
+@@ -158,6 +158,9 @@ void KonqCombo::setURL( const QString& u
+         kapp->dcopClient()->send( "konqueror*", "KonquerorIface",
+                                   "addToCombo(QString,QCString)", data);
+     }
++    // important security consideration: always display the beginning
++    // of the url rather than its end to prevent spoofing attempts.
++    lineEdit()->setCursorPosition( 0 );
+ }
+ 
+ void KonqCombo::setTemporary( const QString& text )
+--- konqueror/konq_mainwindow.cc
++++ konqueror/konq_mainwindow.cc
+@@ -611,12 +611,11 @@ void KonqMainWindow::openURL( KonqView *
+   }
+   else // no known serviceType, use KonqRun
+   {
+-      if ( ( view && view == m_currentView ) ||
+-              ( !view && !req.newTab ) ) // startup with argument
++      if ( ( !view || view->url().isEmpty() ) && !req.newTab ) // startup with argument
+       {
+           // Show it for now in the location bar, but we'll need to store it in the view
+           // later on (can't do it yet since either view == 0 or updateHistoryEntry will be called).
+-          kdDebug(1202) << "setLocationBarURL : url = " << url << endl;
++          kdDebug(1202) << "setLocationBarURL (startup) : url = " << url << endl;
+           setLocationBarURL( url );
+       }
+ 
+@@ -819,8 +818,6 @@ bool KonqMainWindow::openView( QString s
+         if ( childView )
+         {
+             enableAllActions( true );
+-
+-            m_pViewManager->setActivePart( childView->part() );
+             m_currentView = childView;
+         }
+       }
+--- konqueror/konq_viewmgr.cc
++++ konqueror/konq_viewmgr.cc
+@@ -1395,6 +1395,8 @@ void KonqViewManager::slotActivePartChan
+ 
+ void KonqViewManager::emitActivePartChanged()
+ {
++    // prevent unnecessary multiple calls to slotPartActivated:
++    m_activePartChangedTimer->stop();
+     m_pMainWindow->slotPartActivated( activePart() );
+ }
+ 
diff --git a/x11/kde4-workspace/Makefile b/x11/kde4-workspace/Makefile
index 322f991ba7f2..42bda78adb66 100644
--- a/x11/kde4-workspace/Makefile
+++ b/x11/kde4-workspace/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	kdebase
 PORTVERSION=	${KDE_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	x11 kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	stable/${PORTVERSION:S/.0//}/src
diff --git a/x11/kde4-workspace/files/patch-post-3.5.7-kdebase-konqueror.diff b/x11/kde4-workspace/files/patch-post-3.5.7-kdebase-konqueror.diff
new file mode 100644
index 000000000000..0d6e44ef4f82
--- /dev/null
+++ b/x11/kde4-workspace/files/patch-post-3.5.7-kdebase-konqueror.diff
@@ -0,0 +1,49 @@
+--- konqueror/konq_combo.cc
++++ konqueror/konq_combo.cc
+@@ -158,6 +158,9 @@ void KonqCombo::setURL( const QString& u
+         kapp->dcopClient()->send( "konqueror*", "KonquerorIface",
+                                   "addToCombo(QString,QCString)", data);
+     }
++    // important security consideration: always display the beginning
++    // of the url rather than its end to prevent spoofing attempts.
++    lineEdit()->setCursorPosition( 0 );
+ }
+ 
+ void KonqCombo::setTemporary( const QString& text )
+--- konqueror/konq_mainwindow.cc
++++ konqueror/konq_mainwindow.cc
+@@ -611,12 +611,11 @@ void KonqMainWindow::openURL( KonqView *
+   }
+   else // no known serviceType, use KonqRun
+   {
+-      if ( ( view && view == m_currentView ) ||
+-              ( !view && !req.newTab ) ) // startup with argument
++      if ( ( !view || view->url().isEmpty() ) && !req.newTab ) // startup with argument
+       {
+           // Show it for now in the location bar, but we'll need to store it in the view
+           // later on (can't do it yet since either view == 0 or updateHistoryEntry will be called).
+-          kdDebug(1202) << "setLocationBarURL : url = " << url << endl;
++          kdDebug(1202) << "setLocationBarURL (startup) : url = " << url << endl;
+           setLocationBarURL( url );
+       }
+ 
+@@ -819,8 +818,6 @@ bool KonqMainWindow::openView( QString s
+         if ( childView )
+         {
+             enableAllActions( true );
+-
+-            m_pViewManager->setActivePart( childView->part() );
+             m_currentView = childView;
+         }
+       }
+--- konqueror/konq_viewmgr.cc
++++ konqueror/konq_viewmgr.cc
+@@ -1395,6 +1395,8 @@ void KonqViewManager::slotActivePartChan
+ 
+ void KonqViewManager::emitActivePartChanged()
+ {
++    // prevent unnecessary multiple calls to slotPartActivated:
++    m_activePartChangedTimer->stop();
+     m_pMainWindow->slotPartActivated( activePart() );
+ }
+ 
diff --git a/x11/kdebase3/Makefile b/x11/kdebase3/Makefile
index 322f991ba7f2..42bda78adb66 100644
--- a/x11/kdebase3/Makefile
+++ b/x11/kdebase3/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	kdebase
 PORTVERSION=	${KDE_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	x11 kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	stable/${PORTVERSION:S/.0//}/src
diff --git a/x11/kdebase3/files/patch-post-3.5.7-kdebase-konqueror.diff b/x11/kdebase3/files/patch-post-3.5.7-kdebase-konqueror.diff
new file mode 100644
index 000000000000..0d6e44ef4f82
--- /dev/null
+++ b/x11/kdebase3/files/patch-post-3.5.7-kdebase-konqueror.diff
@@ -0,0 +1,49 @@
+--- konqueror/konq_combo.cc
++++ konqueror/konq_combo.cc
+@@ -158,6 +158,9 @@ void KonqCombo::setURL( const QString& u
+         kapp->dcopClient()->send( "konqueror*", "KonquerorIface",
+                                   "addToCombo(QString,QCString)", data);
+     }
++    // important security consideration: always display the beginning
++    // of the url rather than its end to prevent spoofing attempts.
++    lineEdit()->setCursorPosition( 0 );
+ }
+ 
+ void KonqCombo::setTemporary( const QString& text )
+--- konqueror/konq_mainwindow.cc
++++ konqueror/konq_mainwindow.cc
+@@ -611,12 +611,11 @@ void KonqMainWindow::openURL( KonqView *
+   }
+   else // no known serviceType, use KonqRun
+   {
+-      if ( ( view && view == m_currentView ) ||
+-              ( !view && !req.newTab ) ) // startup with argument
++      if ( ( !view || view->url().isEmpty() ) && !req.newTab ) // startup with argument
+       {
+           // Show it for now in the location bar, but we'll need to store it in the view
+           // later on (can't do it yet since either view == 0 or updateHistoryEntry will be called).
+-          kdDebug(1202) << "setLocationBarURL : url = " << url << endl;
++          kdDebug(1202) << "setLocationBarURL (startup) : url = " << url << endl;
+           setLocationBarURL( url );
+       }
+ 
+@@ -819,8 +818,6 @@ bool KonqMainWindow::openView( QString s
+         if ( childView )
+         {
+             enableAllActions( true );
+-
+-            m_pViewManager->setActivePart( childView->part() );
+             m_currentView = childView;
+         }
+       }
+--- konqueror/konq_viewmgr.cc
++++ konqueror/konq_viewmgr.cc
+@@ -1395,6 +1395,8 @@ void KonqViewManager::slotActivePartChan
+ 
+ void KonqViewManager::emitActivePartChanged()
+ {
++    // prevent unnecessary multiple calls to slotPartActivated:
++    m_activePartChangedTimer->stop();
+     m_pMainWindow->slotPartActivated( activePart() );
+ }
+ 
diff --git a/x11/kdebase4-runtime/Makefile b/x11/kdebase4-runtime/Makefile
index 322f991ba7f2..42bda78adb66 100644
--- a/x11/kdebase4-runtime/Makefile
+++ b/x11/kdebase4-runtime/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	kdebase
 PORTVERSION=	${KDE_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	x11 kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	stable/${PORTVERSION:S/.0//}/src
diff --git a/x11/kdebase4-runtime/files/patch-post-3.5.7-kdebase-konqueror.diff b/x11/kdebase4-runtime/files/patch-post-3.5.7-kdebase-konqueror.diff
new file mode 100644
index 000000000000..0d6e44ef4f82
--- /dev/null
+++ b/x11/kdebase4-runtime/files/patch-post-3.5.7-kdebase-konqueror.diff
@@ -0,0 +1,49 @@
+--- konqueror/konq_combo.cc
++++ konqueror/konq_combo.cc
+@@ -158,6 +158,9 @@ void KonqCombo::setURL( const QString& u
+         kapp->dcopClient()->send( "konqueror*", "KonquerorIface",
+                                   "addToCombo(QString,QCString)", data);
+     }
++    // important security consideration: always display the beginning
++    // of the url rather than its end to prevent spoofing attempts.
++    lineEdit()->setCursorPosition( 0 );
+ }
+ 
+ void KonqCombo::setTemporary( const QString& text )
+--- konqueror/konq_mainwindow.cc
++++ konqueror/konq_mainwindow.cc
+@@ -611,12 +611,11 @@ void KonqMainWindow::openURL( KonqView *
+   }
+   else // no known serviceType, use KonqRun
+   {
+-      if ( ( view && view == m_currentView ) ||
+-              ( !view && !req.newTab ) ) // startup with argument
++      if ( ( !view || view->url().isEmpty() ) && !req.newTab ) // startup with argument
+       {
+           // Show it for now in the location bar, but we'll need to store it in the view
+           // later on (can't do it yet since either view == 0 or updateHistoryEntry will be called).
+-          kdDebug(1202) << "setLocationBarURL : url = " << url << endl;
++          kdDebug(1202) << "setLocationBarURL (startup) : url = " << url << endl;
+           setLocationBarURL( url );
+       }
+ 
+@@ -819,8 +818,6 @@ bool KonqMainWindow::openView( QString s
+         if ( childView )
+         {
+             enableAllActions( true );
+-
+-            m_pViewManager->setActivePart( childView->part() );
+             m_currentView = childView;
+         }
+       }
+--- konqueror/konq_viewmgr.cc
++++ konqueror/konq_viewmgr.cc
+@@ -1395,6 +1395,8 @@ void KonqViewManager::slotActivePartChan
+ 
+ void KonqViewManager::emitActivePartChanged()
+ {
++    // prevent unnecessary multiple calls to slotPartActivated:
++    m_activePartChangedTimer->stop();
+     m_pMainWindow->slotPartActivated( activePart() );
+ }
+ 
diff --git a/x11/kdebase4-workspace/Makefile b/x11/kdebase4-workspace/Makefile
index 322f991ba7f2..42bda78adb66 100644
--- a/x11/kdebase4-workspace/Makefile
+++ b/x11/kdebase4-workspace/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	kdebase
 PORTVERSION=	${KDE_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	x11 kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	stable/${PORTVERSION:S/.0//}/src
diff --git a/x11/kdebase4-workspace/files/patch-post-3.5.7-kdebase-konqueror.diff b/x11/kdebase4-workspace/files/patch-post-3.5.7-kdebase-konqueror.diff
new file mode 100644
index 000000000000..0d6e44ef4f82
--- /dev/null
+++ b/x11/kdebase4-workspace/files/patch-post-3.5.7-kdebase-konqueror.diff
@@ -0,0 +1,49 @@
+--- konqueror/konq_combo.cc
++++ konqueror/konq_combo.cc
+@@ -158,6 +158,9 @@ void KonqCombo::setURL( const QString& u
+         kapp->dcopClient()->send( "konqueror*", "KonquerorIface",
+                                   "addToCombo(QString,QCString)", data);
+     }
++    // important security consideration: always display the beginning
++    // of the url rather than its end to prevent spoofing attempts.
++    lineEdit()->setCursorPosition( 0 );
+ }
+ 
+ void KonqCombo::setTemporary( const QString& text )
+--- konqueror/konq_mainwindow.cc
++++ konqueror/konq_mainwindow.cc
+@@ -611,12 +611,11 @@ void KonqMainWindow::openURL( KonqView *
+   }
+   else // no known serviceType, use KonqRun
+   {
+-      if ( ( view && view == m_currentView ) ||
+-              ( !view && !req.newTab ) ) // startup with argument
++      if ( ( !view || view->url().isEmpty() ) && !req.newTab ) // startup with argument
+       {
+           // Show it for now in the location bar, but we'll need to store it in the view
+           // later on (can't do it yet since either view == 0 or updateHistoryEntry will be called).
+-          kdDebug(1202) << "setLocationBarURL : url = " << url << endl;
++          kdDebug(1202) << "setLocationBarURL (startup) : url = " << url << endl;
+           setLocationBarURL( url );
+       }
+ 
+@@ -819,8 +818,6 @@ bool KonqMainWindow::openView( QString s
+         if ( childView )
+         {
+             enableAllActions( true );
+-
+-            m_pViewManager->setActivePart( childView->part() );
+             m_currentView = childView;
+         }
+       }
+--- konqueror/konq_viewmgr.cc
++++ konqueror/konq_viewmgr.cc
+@@ -1395,6 +1395,8 @@ void KonqViewManager::slotActivePartChan
+ 
+ void KonqViewManager::emitActivePartChanged()
+ {
++    // prevent unnecessary multiple calls to slotPartActivated:
++    m_activePartChangedTimer->stop();
+     m_pMainWindow->slotPartActivated( activePart() );
+ }
+ 
diff --git a/x11/kdebase4/Makefile b/x11/kdebase4/Makefile
index 322f991ba7f2..42bda78adb66 100644
--- a/x11/kdebase4/Makefile
+++ b/x11/kdebase4/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	kdebase
 PORTVERSION=	${KDE_VERSION}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	x11 kde
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	stable/${PORTVERSION:S/.0//}/src
diff --git a/x11/kdebase4/files/patch-post-3.5.7-kdebase-konqueror.diff b/x11/kdebase4/files/patch-post-3.5.7-kdebase-konqueror.diff
new file mode 100644
index 000000000000..0d6e44ef4f82
--- /dev/null
+++ b/x11/kdebase4/files/patch-post-3.5.7-kdebase-konqueror.diff
@@ -0,0 +1,49 @@
+--- konqueror/konq_combo.cc
++++ konqueror/konq_combo.cc
+@@ -158,6 +158,9 @@ void KonqCombo::setURL( const QString& u
+         kapp->dcopClient()->send( "konqueror*", "KonquerorIface",
+                                   "addToCombo(QString,QCString)", data);
+     }
++    // important security consideration: always display the beginning
++    // of the url rather than its end to prevent spoofing attempts.
++    lineEdit()->setCursorPosition( 0 );
+ }
+ 
+ void KonqCombo::setTemporary( const QString& text )
+--- konqueror/konq_mainwindow.cc
++++ konqueror/konq_mainwindow.cc
+@@ -611,12 +611,11 @@ void KonqMainWindow::openURL( KonqView *
+   }
+   else // no known serviceType, use KonqRun
+   {
+-      if ( ( view && view == m_currentView ) ||
+-              ( !view && !req.newTab ) ) // startup with argument
++      if ( ( !view || view->url().isEmpty() ) && !req.newTab ) // startup with argument
+       {
+           // Show it for now in the location bar, but we'll need to store it in the view
+           // later on (can't do it yet since either view == 0 or updateHistoryEntry will be called).
+-          kdDebug(1202) << "setLocationBarURL : url = " << url << endl;
++          kdDebug(1202) << "setLocationBarURL (startup) : url = " << url << endl;
+           setLocationBarURL( url );
+       }
+ 
+@@ -819,8 +818,6 @@ bool KonqMainWindow::openView( QString s
+         if ( childView )
+         {
+             enableAllActions( true );
+-
+-            m_pViewManager->setActivePart( childView->part() );
+             m_currentView = childView;
+         }
+       }
+--- konqueror/konq_viewmgr.cc
++++ konqueror/konq_viewmgr.cc
+@@ -1395,6 +1395,8 @@ void KonqViewManager::slotActivePartChan
+ 
+ void KonqViewManager::emitActivePartChanged()
+ {
++    // prevent unnecessary multiple calls to slotPartActivated:
++    m_activePartChangedTimer->stop();
+     m_pMainWindow->slotPartActivated( activePart() );
+ }
+ 
diff --git a/x11/kdelibs3/Makefile b/x11/kdelibs3/Makefile
index f72461ffa31d..dcc1e875c6f6 100644
--- a/x11/kdelibs3/Makefile
+++ b/x11/kdelibs3/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	kdelibs
 PORTVERSION=	${KDE_VERSION}
-PORTREVISION=	0
+PORTREVISION=	1
 CATEGORIES=	x11 kde ipv6
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	stable/${PORTVERSION:S/.0//}/src
diff --git a/x11/kdelibs3/files/patch-post-3.5.7-kdelibs-kdecore.diff b/x11/kdelibs3/files/patch-post-3.5.7-kdelibs-kdecore.diff
new file mode 100644
index 000000000000..eb7e89e13579
--- /dev/null
+++ b/x11/kdelibs3/files/patch-post-3.5.7-kdelibs-kdecore.diff
@@ -0,0 +1,61 @@
+------------------------------------------------------------------------
+r700053 | mueller | 2007-08-14 18:37:30 +0200 (Tue, 14 Aug 2007) | 2 lines
+
+be more robust against addressbar spoofing (CVE-2007-4225)
+
+------------------------------------------------------------------------
+--- kdecore/tests/kurltest.cpp
++++ kdecore/tests/kurltest.cpp
+@@ -288,6 +288,16 @@ int main(int argc, char *argv[])
+   check("KURL::prettyURL()", url15582.prettyURL(), "http://alain.knaff.linux.lu/bug-reports/kde/percentage%in%url.html");
+   check("KURL::url()", url15582.url(), "http://alain.knaff.linux.lu/bug-reports/kde/percentage%25in%25url.html");
+ 
++  KURL whitespaceInUser("http://www.google.com%20%20%20%20%20@foobar.com/");
++  check("KURL::prettyURL()", whitespaceInUser.prettyURL(), "http://www.google.com%20%20%20%20%20@foobar.com/");
++
++  KURL whitespaceInPath("http://www.google.com/foo%20bar/");
++  check("KURL::prettyURL()", whitespaceInPath.prettyURL(), "http://www.google.com/foo bar/");
++
++   KURL whitespaceInPath2("http://www.google.com/foo%20%20%20%20%20%20%20bar/");
++  check("KURL::prettyURL()", whitespaceInPath2.prettyURL(),
++          "http://www.google.com/foo%20%20%20%20%20%20 bar/");
++
+   KURL carsten;
+   carsten.setPath("/home/gis/src/kde/kdelibs/kfile/.#kfiledetailview.cpp.1.18");
+   check("KURL::path()", carsten.path(), "/home/gis/src/kde/kdelibs/kfile/.#kfiledetailview.cpp.1.18");
+@@ -594,6 +604,15 @@ int main(int argc, char *argv[])
+   check("http: URL with empty path string path", waba1.path(),
+         "");
+ 
++  waba1 = "http://www.meinestadt.de&url_plain=http";
++  check("http: URL with empty path string", waba1.host(),
++         "www.meinestadt.de&url_plain=http");
++  check("http: URL with empty path string", waba1.htmlURL(),
++         "http://www.meinestadt.de&amp;url_plain=http");
++ 
++  check("http: URL with empty path string", waba1.path(),
++         "");
++
+   waba1 = "http://a:389#b=c";
+   check( "http: URL with port, ref, and empty path; url", waba1.url(), "http://a:389#b=c" );
+   check( "http: URL with port, ref, and empty path; host", waba1.host(), "a" );
+--- kdecore/kurl.cpp
++++ kdecore/kurl.cpp
+@@ -183,7 +183,7 @@ static QString lazy_encode( const QStrin
+         (character == '?') || // Start of query delimiter
+         ((character == '@') && encodeAt) || // Username delimiter
+         (character == '#') || // Start of reference delimiter
+-        ((character == 32) && (i+1 == old_length))) // A trailing space
++        ((character == 32) && (i+1 == old_length || segment[i+1] == ' '))) // A trailing space
+     {
+       new_segment[ new_length++ ] = '%';
+ 
+@@ -1540,7 +1540,7 @@ QString KURL::prettyURL( int _trailing )
+     u += "//";
+     if ( hasUser() )
+     {
+-      u += lazy_encode(m_strUser);
++      u += encode(m_strUser, 0, 0);
+       // Don't show password!
+       u += "@";
+     }
diff --git a/x11/kdelibs4/Makefile b/x11/kdelibs4/Makefile
index f72461ffa31d..dcc1e875c6f6 100644
--- a/x11/kdelibs4/Makefile
+++ b/x11/kdelibs4/Makefile
@@ -8,7 +8,7 @@
 
 PORTNAME=	kdelibs
 PORTVERSION=	${KDE_VERSION}
-PORTREVISION=	0
+PORTREVISION=	1
 CATEGORIES=	x11 kde ipv6
 MASTER_SITES=	${MASTER_SITE_KDE}
 MASTER_SITE_SUBDIR=	stable/${PORTVERSION:S/.0//}/src
diff --git a/x11/kdelibs4/files/patch-post-3.5.7-kdelibs-kdecore.diff b/x11/kdelibs4/files/patch-post-3.5.7-kdelibs-kdecore.diff
new file mode 100644
index 000000000000..eb7e89e13579
--- /dev/null
+++ b/x11/kdelibs4/files/patch-post-3.5.7-kdelibs-kdecore.diff
@@ -0,0 +1,61 @@
+------------------------------------------------------------------------
+r700053 | mueller | 2007-08-14 18:37:30 +0200 (Tue, 14 Aug 2007) | 2 lines
+
+be more robust against addressbar spoofing (CVE-2007-4225)
+
+------------------------------------------------------------------------
+--- kdecore/tests/kurltest.cpp
++++ kdecore/tests/kurltest.cpp
+@@ -288,6 +288,16 @@ int main(int argc, char *argv[])
+   check("KURL::prettyURL()", url15582.prettyURL(), "http://alain.knaff.linux.lu/bug-reports/kde/percentage%in%url.html");
+   check("KURL::url()", url15582.url(), "http://alain.knaff.linux.lu/bug-reports/kde/percentage%25in%25url.html");
+ 
++  KURL whitespaceInUser("http://www.google.com%20%20%20%20%20@foobar.com/");
++  check("KURL::prettyURL()", whitespaceInUser.prettyURL(), "http://www.google.com%20%20%20%20%20@foobar.com/");
++
++  KURL whitespaceInPath("http://www.google.com/foo%20bar/");
++  check("KURL::prettyURL()", whitespaceInPath.prettyURL(), "http://www.google.com/foo bar/");
++
++   KURL whitespaceInPath2("http://www.google.com/foo%20%20%20%20%20%20%20bar/");
++  check("KURL::prettyURL()", whitespaceInPath2.prettyURL(),
++          "http://www.google.com/foo%20%20%20%20%20%20 bar/");
++
+   KURL carsten;
+   carsten.setPath("/home/gis/src/kde/kdelibs/kfile/.#kfiledetailview.cpp.1.18");
+   check("KURL::path()", carsten.path(), "/home/gis/src/kde/kdelibs/kfile/.#kfiledetailview.cpp.1.18");
+@@ -594,6 +604,15 @@ int main(int argc, char *argv[])
+   check("http: URL with empty path string path", waba1.path(),
+         "");
+ 
++  waba1 = "http://www.meinestadt.de&url_plain=http";
++  check("http: URL with empty path string", waba1.host(),
++         "www.meinestadt.de&url_plain=http");
++  check("http: URL with empty path string", waba1.htmlURL(),
++         "http://www.meinestadt.de&amp;url_plain=http");
++ 
++  check("http: URL with empty path string", waba1.path(),
++         "");
++
+   waba1 = "http://a:389#b=c";
+   check( "http: URL with port, ref, and empty path; url", waba1.url(), "http://a:389#b=c" );
+   check( "http: URL with port, ref, and empty path; host", waba1.host(), "a" );
+--- kdecore/kurl.cpp
++++ kdecore/kurl.cpp
+@@ -183,7 +183,7 @@ static QString lazy_encode( const QStrin
+         (character == '?') || // Start of query delimiter
+         ((character == '@') && encodeAt) || // Username delimiter
+         (character == '#') || // Start of reference delimiter
+-        ((character == 32) && (i+1 == old_length))) // A trailing space
++        ((character == 32) && (i+1 == old_length || segment[i+1] == ' '))) // A trailing space
+     {
+       new_segment[ new_length++ ] = '%';
+ 
+@@ -1540,7 +1540,7 @@ QString KURL::prettyURL( int _trailing )
+     u += "//";
+     if ( hasUser() )
+     {
+-      u += lazy_encode(m_strUser);
++      u += encode(m_strUser, 0, 0);
+       // Don't show password!
+       u += "@";
+     }
author	Michael Nottebrock <lofi@FreeBSD.org>	2007-08-19 15:36:01 +0000
committer	Michael Nottebrock <lofi@FreeBSD.org>	2007-08-19 15:36:01 +0000
commit	c6accc698631cb9331e64b9f3d19810d6834078a (patch)
tree	0c6e8ede112436d08fbaf2f0018ba90362de4c5d /x11
parent	Update to the 20070815 snapshot of GCC 4.2.2. (diff)