Fixed a security issue using QLabel for showing SSL certificate infos. 5_1_x

Tue, 18 Oct 2011 18:57:12 +0200

author
Detlev Offenbach <detlev@die-offenbachs.de>
date
Tue, 18 Oct 2011 18:57:12 +0200
branch
5_1_x
changeset 1372
78a9250e52de
parent 1371
3e5248c82ff2
child 1379
60cac11fcfb2

Fixed a security issue using QLabel for showing SSL certificate infos.

Helpviewer/Network/NetworkAccessManager.py file | annotate | diff | comparison | revisions
Helpviewer/SslCertificatesDialog.py file | annotate | diff | comparison | revisions
Helpviewer/SslInfoDialog.py file | annotate | diff | comparison | revisions
Helpviewer/UrlBar/UrlBar.py file | annotate | diff | comparison | revisions
--- a/Helpviewer/Network/NetworkAccessManager.py	Mon Oct 17 19:49:46 2011 +0200
+++ b/Helpviewer/Network/NetworkAccessManager.py	Tue Oct 18 18:57:12 2011 +0200
@@ -283,20 +283,20 @@
         result = "<p>"
         
         result += self.trUtf8("Name: {0}")\
-            .format(Utilities.decodeString(
-                cert.subjectInfo(QSslCertificate.CommonName)))
+            .format(Qt.escape(Utilities.decodeString(
+                cert.subjectInfo(QSslCertificate.CommonName))))
         
         result += self.trUtf8("<br/>Organization: {0}")\
-            .format(Utilities.decodeString(
-                cert.subjectInfo(QSslCertificate.Organization)))
+            .format(Qt.escape(Utilities.decodeString(
+                cert.subjectInfo(QSslCertificate.Organization))))
         
         result += self.trUtf8("<br/>Issuer: {0}")\
-            .format(Utilities.decodeString(
-                cert.issuerInfo(QSslCertificate.CommonName)))
+            .format(Qt.escape(Utilities.decodeString(
+                cert.issuerInfo(QSslCertificate.CommonName))))
         
         result += self.trUtf8("<br/>Not valid before: {0}<br/>Valid Until: {1}")\
-            .format(cert.effectiveDate().toString("yyyy-MM-dd"), 
-                    cert.expiryDate().toString("yyyy-MM-dd"))
+            .format(Qt.escape(cert.effectiveDate().toString("yyyy-MM-dd")),
+                    Qt.escape(cert.expiryDate().toString("yyyy-MM-dd")))
         
         result += "</p>"
         
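Review bot: No import of `Qt` is added in this file's section, although the new lines call `Qt.escape`; only SslInfoDialog.py gains `from PyQt4.QtCore import QCryptographicHash, Qt` in this commit. If `Qt` is not already imported in NetworkAccessManager.py (and likewise in SslCertificatesDialog.py and UrlBar.py, whose sections show no import change either), the certificate display path would raise a NameError, so the import lines are worth confirming. Escaping itself is appropriate here because `result` is built as markup (`<p>`, `<br/>`). A comment above the first `.format`, such as `# certificate fields are untrusted input; escape before embedding in rich text`, would record why. The enclosing method starts and ends outside the hunk.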
--- a/Helpviewer/SslCertificatesDialog.py	Mon Oct 17 19:49:46 2011 +0200
+++ b/Helpviewer/SslCertificatesDialog.py	Tue Oct 18 18:57:12 2011 +0200
@@ -66,15 +66,15 @@
         @param cert certificate to insert (QSslCertificate)
         """
         # step 1: extract the info to be shown
-        organisation = Utilities.decodeString(
-            cert.subjectInfo(QSslCertificate.Organization))
+        organisation = Qt.escape(Utilities.decodeString(
+            cert.subjectInfo(QSslCertificate.Organization)))
         if organisation is None or organisation == "":
             organisation = self.trUtf8("(Unknown)")
-        commonName = Utilities.decodeString(
-            cert.subjectInfo(QSslCertificate.CommonName))
+        commonName = Qt.escape(Utilities.decodeString(
+            cert.subjectInfo(QSslCertificate.CommonName)))
         if commonName is None or commonName == "":
             commonName = self.trUtf8("(Unknown common name)")
-        expiryDate = cert.expiryDate().toString("yyyy-MM-dd")
+        expiryDate = Qt.escape(cert.expiryDate().toString("yyyy-MM-dd"))
         
         # step 2: create the entry
         items = self.serversCertificatesTree.findItems(organisation, 
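Review bot: The escaped `organisation` is passed straight to `self.serversCertificatesTree.findItems(...)`, and presumably on to tree items created outside this hunk. Tree widget items display their text as plain text by default, so an organisation such as `AT&T` would be shown as `AT&amp;T`. If no rich-text delegate is installed on the tree, the values used for items should stay unescaped, e.g. `organisation = Utilities.decodeString(cert.subjectInfo(QSslCertificate.Organization))`, with `Qt.escape` applied only where a value is embedded in markup. The `is None` tests after the assignments can also no longer fire on the escaped value, assuming `Qt.escape` always returns a string. The same applies to the second hunk of this file (the `caCertificatesTree` variant); both methods continue outside their hunks.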
@@ -248,15 +248,15 @@
         @param cert certificate to insert (QSslCertificate)
         """
         # step 1: extract the info to be shown
-        organisation = Utilities.decodeString(
-            cert.subjectInfo(QSslCertificate.Organization))
+        organisation = Qt.escape(Utilities.decodeString(
+            cert.subjectInfo(QSslCertificate.Organization)))
         if organisation is None or organisation == "":
             organisation = self.trUtf8("(Unknown)")
-        commonName = Utilities.decodeString(
-            cert.subjectInfo(QSslCertificate.CommonName))
+        commonName = Qt.escape(Utilities.decodeString(
+            cert.subjectInfo(QSslCertificate.CommonName)))
         if commonName is None or commonName == "":
             commonName = self.trUtf8("(Unknown common name)")
-        expiryDate = cert.expiryDate().toString("yyyy-MM-dd")
+        expiryDate = Qt.escape(cert.expiryDate().toString("yyyy-MM-dd"))
         
         # step 2: create the entry
         items = self.caCertificatesTree.findItems(organisation, 
--- a/Helpviewer/SslInfoDialog.py	Mon Oct 17 19:49:46 2011 +0200
+++ b/Helpviewer/SslInfoDialog.py	Tue Oct 18 18:57:12 2011 +0200
@@ -7,7 +7,7 @@
 Module implementing a dialog to show SSL certificate infos.
 """
 
-from PyQt4.QtCore import QCryptographicHash
+from PyQt4.QtCore import QCryptographicHash, Qt
 from PyQt4.QtGui import QDialog
 from PyQt4.QtNetwork import QSslCertificate
 
@@ -42,8 +42,10 @@
             certificate.issuerInfo(QSslCertificate.Organization)))
         self.issuerOrganizationalUnitLabel.setText(self.__certificateString(
             certificate.issuerInfo(QSslCertificate.OrganizationalUnitName)))
-        self.effectiveLabel.setText(certificate.effectiveDate().toString("yyyy-MM-dd"))
-        self.expiresLabel.setText(certificate.expiryDate().toString("yyyy-MM-dd"))
+        self.effectiveLabel.setText(Qt.escape(
+            certificate.effectiveDate().toString("yyyy-MM-dd")))
+        self.expiresLabel.setText(Qt.escape(
+            certificate.expiryDate().toString("yyyy-MM-dd")))
         self.sha1Label.setText(self.__formatHexString(
             str(certificate.digest(QCryptographicHash.Sha1).toHex(), encoding = "ascii")))
         self.md5Label.setText(self.__formatHexString(
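Review bot: The labels filled by `setText` here appear to keep QLabel's default auto-detected text format, so escaping at each call site is the only thing keeping certificate text from being parsed as markup, and any future `setText` call that forgets it reopens the issue. Setting the format once per label, e.g. `self.effectiveLabel.setTextFormat(Qt.PlainText)`, and passing unescaped text would remove that dependency. It would also avoid escaped values without tags (such as `AT&amp;T` from `__certificateString`) possibly being displayed with the literal entity. For the fixed-format dates in this hunk and the hex digest in the `__formatHexString` hunk, `Qt.escape` is effectively a no-op, because the strings contain only digits, hyphens, hex characters and colons. The method continues outside the hunk.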
@@ -59,7 +61,7 @@
         if txt is None or txt == "":
             return self.trUtf8("<not part of the certificate>")
         
-        return Utilities.decodeString(txt)
+        return Qt.escape(Utilities.decodeString(txt))
     
     def __serialNumber(self, cert):
         """
@@ -95,4 +97,4 @@
             hexList.append(hexString[:2])
             hexString = hexString[2:]
         
-        return ':'.join(hexList)
+        return Qt.escape(':'.join(hexList))
--- a/Helpviewer/UrlBar/UrlBar.py	Mon Oct 17 19:49:46 2011 +0200
+++ b/Helpviewer/UrlBar/UrlBar.py	Tue Oct 18 18:57:12 2011 +0200
@@ -146,11 +146,11 @@
                QSslCertificate is not None:
                 sslInfo = self.__browser.page().getSslInfo()
                 if sslInfo is not None:
-                    org = Utilities.decodeString(
-                        sslInfo.subjectInfo(QSslCertificate.Organization))
+                    org = Qt.escape(Utilities.decodeString(
+                        sslInfo.subjectInfo(QSslCertificate.Organization)))
                     if org == "":
-                        cn = Utilities.decodeString(
-                            sslInfo.subjectInfo(QSslCertificate.CommonName))
+                        cn = Qt.escape(Utilities.decodeString(
+                            sslInfo.subjectInfo(QSslCertificate.CommonName)))
                         if cn != "":
                             org = cn.split(".", 1)[1]
                         if org == "":
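Review bot: `org = cn.split(".", 1)[1]` still raises IndexError when the certificate's common name contains no dot (a single-label name), and the common name is attacker-influenced input from the remote server. A tolerant form such as `org = cn.partition(".")[2] or cn` (or an explicit length check on the split result) would keep the URL bar update from failing on such certificates. How `org` is displayed afterwards is outside the hunk, so whether the `Qt.escape` applied here matches a rich-text or plain-text widget could not be checked from these lines.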
