Bug 150973

Summary: kurl prettyUrl corrupts original url
Product: [Unmaintained] kio Reporter: Wieger Hofstra <kde>
Component: generalAssignee: Dirk Mueller <mueller>
Status: RESOLVED FIXED    
Severity: normal CC: bluedzins, carsten, dorian.nagel, ewal, faure, jumper99, max, mueller, nesnera, ovit.debian, ross, spam, spamdummy, txwikinger, webspam.michfu
Priority: NOR    
Version: unspecified   
Target Milestone: ---   
Platform: Ubuntu   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:

Description Wieger Hofstra 2007-10-18 14:24:56 UTC 
Version:            (using KDE KDE 3.5.8)
Installed from:    Ubuntu Packages
OS:                Linux

A comment in the function KUrl::prettyUrl

 // a "pretty" URL is NOT suitable for data transfer. It's only for showing data to the user.
 // however, it must be parseable back to its original state

a few lines below this comment is the following code:

if (!hasPass())
   tmp = KStringHandler::csqueeze(tmp, 16);  

This will not make it back parseable and disables a lot of apps using this method, like krdc

When you use Alt + F2 and insert: vnc://bladieblablabladieblabla@localhost krdc tries to open: vnc://bladie...blabla@localhost
Comment 1 David Faure 2007-10-19 16:34:14 UTC 
Yeah I am very surprised by this security "fix" which corrupts urls... Dirk?
Comment 2 Maksim Orlovich 2007-10-20 00:12:11 UTC 
*** Bug 151070 has been marked as a duplicate of this bug. ***
Comment 3 Sönke Greimann 2007-10-20 12:21:47 UTC 
Is it possible to disable this by some setting? It's really annoying and I don't want to install yet another program just for ftp.
Comment 4 Marnix Kok 2007-10-21 00:40:59 UTC 
*** This bug has been confirmed by popular vote. ***
Comment 5 David Faure 2007-10-23 10:36:19 UTC 
Dirk: I think this patch needs to be reverted.
Comment 6 Joonas Koivunen 2007-10-23 12:30:17 UTC 
I think it might be a good idea to truncate the username or whole url like:
old-url = "http://longusername@longerwebaddress.server.co.uk.euro.blaa/longer/path/to/current/file/?useragent=blaa

truncated-url = "http://longusername@...server.co.uk.euro/....../file/?useragent=blaa

But only in for example konquerors location bar, not the real url string.. And only if the user wants truncation of long urls. Either way this feature might open up phishing possibilities.

Another note, I think that the severity of this bug should be highest, as it degrades usage of for example konqueror very much and this feature exists in the kde 3.5.8.
Comment 7 Maksim Orlovich 2007-10-29 18:53:58 UTC 
*** Bug 151375 has been marked as a duplicate of this bug. ***
Comment 8 Pino Toscano 2007-11-02 00:18:52 UTC 
*** Bug 151724 has been marked as a duplicate of this bug. ***
Comment 9 David Faure 2007-11-02 12:24:03 UTC 
SVN commit 731945 by dfaure:

You cannot messup prettyURL in ways that break its definition. Its definition is KURL(u.prettyURL()) == u.
The security issue has to be fixed in a better way.
BUG: 150973
CCMAIL: mueller@kde.org


 M  +1 -8      kurl.cpp  
 M  +15 -1     tests/kurltest.cpp  


WebSVN link: http://websvn.kde.org/?view=rev&revision=731945
Comment 10 Tommi Tervo 2007-11-04 21:50:42 UTC 
*** Bug 151833 has been marked as a duplicate of this bug. ***
Comment 11 Pino Toscano 2007-11-30 16:39:48 UTC 
*** Bug 153180 has been marked as a duplicate of this bug. ***
Comment 12 Tommi Tervo 2007-11-30 21:17:49 UTC 
*** Bug 153190 has been marked as a duplicate of this bug. ***
Comment 13 Pino Toscano 2007-12-02 12:33:55 UTC 
*** Bug 153273 has been marked as a duplicate of this bug. ***
Comment 14 Maksim Orlovich 2007-12-29 06:54:44 UTC 
*** Bug 154781 has been marked as a duplicate of this bug. ***
Comment 15 Pino Toscano 2008-01-15 18:28:48 UTC 
*** Bug 155844 has been marked as a duplicate of this bug. ***
Comment 16 Tommi Tervo 2008-01-18 11:27:45 UTC 
*** Bug 156083 has been marked as a duplicate of this bug. ***
Comment 17 Tommi Tervo 2008-02-23 16:51:58 UTC 
*** Bug 158276 has been marked as a duplicate of this bug. ***
Comment 18 Pino Toscano 2008-03-26 17:55:39 UTC 
*** Bug 159905 has been marked as a duplicate of this bug. ***
Comment 19 Stefan Frings 2008-04-01 17:26:18 UTC 
I like to report that I encountered the same problem with long username when opening an FTP connection. STeps to reproduce: In the "Network" folder of Konqueror klick on the Icon "Add new network connection". Enter en FTP url. Enter a long username with a dash, for example "balblubb12-anywhere". Store the connection. Then a double klick on the new connection Icon fails.
Comment 20 David Faure 2008-04-02 13:38:03 UTC 
"Me too" on an already fixed bug is really not useful. Just update to a newer KDE version.
Comment 21 Maksim Orlovich 2008-06-04 23:19:25 UTC 
*** Bug 161240 has been marked as a duplicate of this bug. ***
Comment 22 George Kiagiadakis 2010-02-24 10:58:24 UTC 
*** Bug 158285 has been marked as a duplicate of this bug. ***