From b92d96243457b043c61d0b0b662fc114586dd685 Mon Sep 17 00:00:00 2001
From: Rex Dieter
Date: Oct 06 2016 13:45:08 +0000
Subject: HTML injection in plain text viewer (#1382286,#1382298)
---
diff --git a/0043-Backport-avoid-to-transform-as-a-url-when-we-have-a-.patch b/0043-Backport-avoid-to-transform-as-a-url-when-we-have-a-.patch
new file mode 100644
index 0000000..62f9d56
--- /dev/null
+++ b/0043-Backport-avoid-to-transform-as-a-url-when-we-have-a-.patch
@@ -0,0 +1,95 @@
+From 176fee25ca79145ab5c8e2275d248f1a46a8d8cf Mon Sep 17 00:00:00 2001
+From: Montel Laurent
+Date: Fri, 30 Sep 2016 15:55:35 +0200
+Subject: [PATCH 43/43] Backport avoid to transform as a url when we have a
+ quote
+
+---
+ kpimutils/linklocator.cpp | 30 +++++++++++++++++++++++++++---
+ kpimutils/linklocator.h | 3 ++-
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+
+diff --git a/kpimutils/linklocator.cpp b/kpimutils/linklocator.cpp
+index f5d9afd..f30e8fc 100644
+--- a/kpimutils/linklocator.cpp
++++ b/kpimutils/linklocator.cpp
+@@ -95,6 +95,12 @@ int LinkLocator::maxAddressLen() const
+
+ QString LinkLocator::getUrl()
+ {
++ return getUrlAndCheckValidHref();
++}
++
++
++QString LinkLocator::getUrlAndCheckValidHref(bool *badurl)
++{
+ QString url;
+ if ( atUrl() ) {
+ // NOTE: see http://tools.ietf.org/html/rfc3986#appendix-A and especially appendix-C
+@@ -129,13 +135,26 @@ QString LinkLocator::getUrl()
+
+ url.reserve( maxUrlLen() ); // avoid allocs
+ int start = mPos;
++ bool previousCharIsADoubleQuote = false;
+ while ( ( mPos < (int)mText.length() ) &&
+ ( mText[mPos].isPrint() || mText[mPos].isSpace() ) &&
+ ( ( afterUrl.isNull() && !mText[mPos].isSpace() ) ||
+ ( !afterUrl.isNull() && mText[mPos] != afterUrl ) ) ) {
+ if ( !mText[mPos].isSpace() ) { // skip whitespace
+- url.append( mText[mPos] );
+- if ( url.length() > maxUrlLen() ) {
++ if (mText[mPos] == QLatin1Char('>') && previousCharIsADoubleQuote) {
++ //it's an invalid url
++ if (badurl) {
++ *badurl = true;
++ }
++ return QString();
++ }
++ if (mText[mPos] == QLatin1Char('"')) {
++ previousCharIsADoubleQuote = true;
++ } else {
++ previousCharIsADoubleQuote = false;
++ }
++ url.append( mText[mPos] );
++ if ( url.length() > maxUrlLen() ) {
+ break;
+ }
+ }
+@@ -367,7 +386,12 @@ QString LinkLocator::convertToHtml( const QString &plainText, int flags,
+ } else {
+ const int start = locator.mPos;
+ if ( !( flags & IgnoreUrls ) ) {
+- str = locator.getUrl();
++ bool badUrl = false;
++ str = locator.getUrlAndCheckValidHref(&badUrl); ++ if (badUrl) { ++ return locator.mText; ++ } ++ + if ( !str.isEmpty() ) { + QString hyperlink; + if ( str.left( 4 ) == QLatin1String("www.") ) { +diff --git a/kpimutils/linklocator.h b/kpimutils/linklocator.h +index 3049397..375498d 100644 +--- a/kpimutils/linklocator.h ++++ b/kpimutils/linklocator.h +@@ -107,6 +107,7 @@ class KPIMUTILS_EXPORT LinkLocator + @return The URL at the current scan position, or an empty string. + */ + QString getUrl(); ++ QString getUrlAndCheckValidHref(bool *badurl = 0); + + /** + Attempts to grab an email address. If there is an @ symbol at the +@@ -155,7 +156,7 @@ class KPIMUTILS_EXPORT LinkLocator + */ + static QString pngToDataUrl( const QString & iconPath ); + +- protected: ++protected: + /** + The plaintext string being scanned for URLs and email addresses. + */ +-- +2.7.4 + diff --git a/kdepimlibs.spec b/kdepimlibs.spec index e32c1b5..a690619 100644 --- a/kdepimlibs.spec +++ b/kdepimlibs.spec @@ -13,7 +13,7 @@ Name: kdepimlibs Summary: KDE PIM Libraries Version: 4.14.10 -Release: 14%{?dist} +Release: 15%{?dist} # http://techbase.kde.org/Policies/Licensing_Policy License: LGPLv2+ @@ -27,7 +27,7 @@ URL: https://quickgit.kde.org/?p=%{name}.git %endif Source0: http://download.kde.org/%{stable}/applications/%{version}/src/kdepimlibs-%{version}.tar.xz -## upstream patches +## upstream patches: KDE/4.14 branch Patch1: 0001-Output-warnings-when-ItemSync-fails-to-delete-an-ite.patch Patch2: 0002-missing-camelcase-headers-for-Akonadi-KABC-and-Akona.patch Patch3: 0003-Optimization-avoid-double-lookup-in-QHash.patch 
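Review bot: The guard added to the scan loop in `getUrlAndCheckValidHref` rejects only a `>` that follows a `"` (whitespace in between is skipped, so the flag carries over it); a double quote followed by anything else is still appended to `url` and handed back. Whether that value is escaped before it lands in an `href` is decided where the hyperlink is built, outside this hunk, so escaping or percent-encoding the URL at that point would be sturdier than matching one character pair. The early `return QString();` also skips whatever the function does after the loop (not visible here), and with `badurl` null, as in `getUrl()`, a rejected URL is indistinguishable from no URL. The new public declaration in linklocator.h has no doc comment; something like `/** Like getUrl(), but returns an empty string and sets *badurl to true (it is never reset to false) when a '>' follows a '"' inside the URL. */` would record the contract.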
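Review bot: On `badUrl`, `convertToHtml` returns `locator.mText`, the unconverted input, from a function whose name says it produces HTML; any escaping the rest of the function applies (outside this hunk) is bypassed for the entire text, not only for the rejected URL. A viewer that renders the return value would then receive the message's markup characters verbatim, which is the condition the commit subject describes. Returning an escaped copy, for example `return Qt::escape(locator.mText);`, or dropping the early return and letting the characters go through the normal escaping path, would keep the output HTML-safe. The remainder of the function is not visible here, so the exact form needs checking against it.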
@@ -64,6 +64,9 @@ Patch33: 0033-Akonadi-SpecialCollectionsRequestJob-increase-timeou.patch Patch34: 0034-holiday_de-by_de-remove-Bu-und-Bettag-as-public-holi.patch Patch35: 0035-akonadi-collectionstatisticsdelegate.cpp-backport.patch +## upstream patches: vendor/intevation/4.14 branch +Patch43: 0043-Backport-avoid-to-transform-as-a-url-when-we-have-a-.patch + ## upstreamable patches %{?kdelibs4_requires} @@ -374,6 +377,9 @@ update-mime-database %{?fedora:-n} %{_kde4_datadir}/mime &> /dev/null || : %changelog +* Thu Oct 06 2016 Rex Dieter - 4.14.10-15 +- HTML injection in plain text viewer (#1382286,#1382298) + * Wed Jun 01 2016 Rex Dieter 4.14.10-14 - pull in 4.14 branch fixes