Tue, 18 Oct 2011 18:57:12 +0200
Fixed a security issue when using QLabel to show SSL certificate information.
--- a/Helpviewer/Network/NetworkAccessManager.py Mon Oct 17 19:49:46 2011 +0200 +++ b/Helpviewer/Network/NetworkAccessManager.py Tue Oct 18 18:57:12 2011 +0200 @@ -283,20 +283,20 @@ result = "<p>" result += self.trUtf8("Name: {0}")\ - .format(Utilities.decodeString( - cert.subjectInfo(QSslCertificate.CommonName))) + .format(Qt.escape(Utilities.decodeString( + cert.subjectInfo(QSslCertificate.CommonName)))) result += self.trUtf8("<br/>Organization: {0}")\ - .format(Utilities.decodeString( - cert.subjectInfo(QSslCertificate.Organization))) + .format(Qt.escape(Utilities.decodeString( + cert.subjectInfo(QSslCertificate.Organization)))) result += self.trUtf8("<br/>Issuer: {0}")\ - .format(Utilities.decodeString( - cert.issuerInfo(QSslCertificate.CommonName))) + .format(Qt.escape(Utilities.decodeString( + cert.issuerInfo(QSslCertificate.CommonName)))) result += self.trUtf8("<br/>Not valid before: {0}<br/>Valid Until: {1}")\ - .format(cert.effectiveDate().toString("yyyy-MM-dd"), - cert.expiryDate().toString("yyyy-MM-dd")) + .format(Qt.escape(cert.effectiveDate().toString("yyyy-MM-dd")), + Qt.escape(cert.expiryDate().toString("yyyy-MM-dd"))) result += "</p>"
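Review bot: `Qt.escape` is now called throughout this hunk, but the diff shows no import change for NetworkAccessManager.py (only SslInfoDialog.py gains `from PyQt4.QtCore import QCryptographicHash, Qt`), so confirm `Qt` is already imported here; the same applies to SslCertificatesDialog.py and UrlBar.py. If it is not, building the certificate text raises NameError instead of showing it. Escaping at this point is the right place, since `result` is assembled as markup (`<p>`, `<br/>`); the two date strings come from `toString("yyyy-MM-dd")` and presumably contain nothing to escape, so wrapping them is harmless but not required. The enclosing method starts and ends outside the hunk.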
--- a/Helpviewer/SslCertificatesDialog.py Mon Oct 17 19:49:46 2011 +0200 +++ b/Helpviewer/SslCertificatesDialog.py Tue Oct 18 18:57:12 2011 +0200 @@ -66,15 +66,15 @@ @param cert certificate to insert (QSslCertificate) """ # step 1: extract the info to be shown - organisation = Utilities.decodeString( - cert.subjectInfo(QSslCertificate.Organization)) + organisation = Qt.escape(Utilities.decodeString( + cert.subjectInfo(QSslCertificate.Organization))) if organisation is None or organisation == "": organisation = self.trUtf8("(Unknown)") - commonName = Utilities.decodeString( - cert.subjectInfo(QSslCertificate.CommonName)) + commonName = Qt.escape(Utilities.decodeString( + cert.subjectInfo(QSslCertificate.CommonName))) if commonName is None or commonName == "": commonName = self.trUtf8("(Unknown common name)") - expiryDate = cert.expiryDate().toString("yyyy-MM-dd") + expiryDate = Qt.escape(cert.expiryDate().toString("yyyy-MM-dd")) # step 2: create the entry items = self.serversCertificatesTree.findItems(organisation, @@ -248,15 +248,15 @@ @param cert certificate to insert (QSslCertificate) """ # step 1: extract the info to be shown - organisation = Utilities.decodeString( - cert.subjectInfo(QSslCertificate.Organization)) + organisation = Qt.escape(Utilities.decodeString( + cert.subjectInfo(QSslCertificate.Organization))) if organisation is None or organisation == "": organisation = self.trUtf8("(Unknown)") - commonName = Utilities.decodeString( - cert.subjectInfo(QSslCertificate.CommonName)) + commonName = Qt.escape(Utilities.decodeString( + cert.subjectInfo(QSslCertificate.CommonName))) if commonName is None or commonName == "": commonName = self.trUtf8("(Unknown common name)") - expiryDate = cert.expiryDate().toString("yyyy-MM-dd") + expiryDate = Qt.escape(cert.expiryDate().toString("yyyy-MM-dd")) # step 2: create the entry items = self.caCertificatesTree.findItems(organisation,
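Review bot: In both hunks of this file the escaped `organisation` and `commonName` are passed on to tree-widget code (`findItems(organisation, ...)`), and item views display their text as plain text rather than rich text, so a name such as `A&B` would presumably be stored, matched and shown as `A&amp;B`. Escaping belongs at the rich-text sink (a QLabel or tooltip), not at extraction; here I would keep the raw decoded string for the tree and escape only where it is put into markup. Separately, the `is None` checks now run after `Qt.escape(...)`, so if `Utilities.decodeString` can return None the call fails before the check; test the decoded value first, then escape. The function bodies continue outside both hunks.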
--- a/Helpviewer/SslInfoDialog.py Mon Oct 17 19:49:46 2011 +0200 +++ b/Helpviewer/SslInfoDialog.py Tue Oct 18 18:57:12 2011 +0200 @@ -7,7 +7,7 @@ Module implementing a dialog to show SSL certificate infos. """ -from PyQt4.QtCore import QCryptographicHash +from PyQt4.QtCore import QCryptographicHash, Qt from PyQt4.QtGui import QDialog from PyQt4.QtNetwork import QSslCertificate @@ -42,8 +42,10 @@ certificate.issuerInfo(QSslCertificate.Organization))) self.issuerOrganizationalUnitLabel.setText(self.__certificateString( certificate.issuerInfo(QSslCertificate.OrganizationalUnitName))) - self.effectiveLabel.setText(certificate.effectiveDate().toString("yyyy-MM-dd")) - self.expiresLabel.setText(certificate.expiryDate().toString("yyyy-MM-dd")) + self.effectiveLabel.setText(Qt.escape( + certificate.effectiveDate().toString("yyyy-MM-dd"))) + self.expiresLabel.setText(Qt.escape( + certificate.expiryDate().toString("yyyy-MM-dd"))) self.sha1Label.setText(self.__formatHexString( str(certificate.digest(QCryptographicHash.Sha1).toHex(), encoding = "ascii"))) self.md5Label.setText(self.__formatHexString( @@ -59,7 +61,7 @@ if txt is None or txt == "": return self.trUtf8("<not part of the certificate>") - return Utilities.decodeString(txt) + return Qt.escape(Utilities.decodeString(txt)) def __serialNumber(self, cert): """ @@ -95,4 +97,4 @@ hexList.append(hexString[:2]) hexString = hexString[2:] - return ':'.join(hexList) + return Qt.escape(':'.join(hexList))
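Review bot: Escaping each value before `setText` leaves the labels in their default text format, where the widget decides per string whether to treat it as rich text; setting the certificate labels to plain text, e.g. `self.effectiveLabel.setTextFormat(Qt.PlainText)` (and likewise for the subject/issuer labels set above this hunk), closes the markup path without relying on every call site to escape. With auto-detection, an escaped value that contains an entity but no tag may also be shown with the entity visible (`&amp;`). The date strings from `toString("yyyy-MM-dd")` need no escaping in either case. The method starts above the hunk.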
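Review bot: `__certificateString` now returns escaped text on one branch and the unescaped placeholder `<not part of the certificate>` on the other, so callers receive a mix of markup-safe and raw strings. The placeholder comes from the translation catalogue rather than the certificate, so it is not attacker-controlled, but its angle brackets only display as intended if the label does not parse them as a tag. Either escape the placeholder too, `return Qt.escape(self.trUtf8("<not part of the certificate>"))`, or make the labels plain text and drop the escaping here. The docstring (outside this hunk) should state that the return value is HTML-escaped.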
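Review bot: `Qt.escape` in `__formatHexString` ties a general formatting helper to rich-text output, and for the callers visible in this diff the input is `toHex()` output decoded as ASCII, so the joined string holds only hex digits and colons and the call changes nothing. I would return `':'.join(hexList)` unchanged and escape at the `setText` call if it is wanted, or add a comment such as `# escaped because the result is shown in a rich-text QLabel`. The function body begins outside the hunk.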
--- a/Helpviewer/UrlBar/UrlBar.py Mon Oct 17 19:49:46 2011 +0200 +++ b/Helpviewer/UrlBar/UrlBar.py Tue Oct 18 18:57:12 2011 +0200 @@ -146,11 +146,11 @@ QSslCertificate is not None: sslInfo = self.__browser.page().getSslInfo() if sslInfo is not None: - org = Utilities.decodeString( - sslInfo.subjectInfo(QSslCertificate.Organization)) + org = Qt.escape(Utilities.decodeString( + sslInfo.subjectInfo(QSslCertificate.Organization))) if org == "": - cn = Utilities.decodeString( - sslInfo.subjectInfo(QSslCertificate.CommonName)) + cn = Qt.escape(Utilities.decodeString( + sslInfo.subjectInfo(QSslCertificate.CommonName))) if cn != "": org = cn.split(".", 1)[1] if org == "":
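Review bot: `org = cn.split(".", 1)[1]` in the context lines raises IndexError when the certificate's common name contains no dot, and this commit leaves that path untouched while treating the same fields as untrusted; `org = cn.partition(".")[2]` yields an empty string instead and falls through to the following `if org == "":` check. The values are also escaped before the `== ""` tests and the split, so the string logic runs on entity-encoded text; escaping `org` once, at the point where it is displayed, would keep the two concerns apart. The enclosing method continues outside the hunk.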