File CVE-2024-50624.patch of Package kmail-account-wizard
From ca1dc22b521911338734a2c3f81b818fa55f833e Mon Sep 17 00:00:00 2001
From: Christophe Marin <christophe@krop.fr>
Date: Mon, 28 Oct 2024 17:51:30 +0100
Subject: [PATCH] CVE-2024-50624 Use https first when looking for mail provider
autoconfig
Backported from https://invent.kde.org/pim/kmail-account-wizard/-/commit/9784f5ab41
Fixes CVE-2024-50624, boo#1232454, kde#487882
---
src/ispdb/ispdb.cpp | 9 +++++++--
src/ispdb/ispdb.h | 8 +++++---
2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/src/ispdb/ispdb.cpp b/src/ispdb/ispdb.cpp
index 41a03aa..e3893aa 100644
--- a/src/ispdb/ispdb.cpp
+++ b/src/ispdb/ispdb.cpp
@@ -64,11 +64,14 @@ QUrl Ispdb::lookupUrl(const QString &type, const QString &version, bool auth, bo
QUrl url;
const QString path = type + QStringLiteral("/config-v") + version + QStringLiteral(".xml");
switch (mServerType) {
+ case IspHttpsAutoConfig:
+ url = QUrl(QStringLiteral("https://autoconfig.") + mAddr.domain.toLower() + QLatin1Char('/') + path);
+ break;
case IspAutoConfig:
url = QUrl(QStringLiteral("http://autoconfig.") + mAddr.domain.toLower() + QLatin1Char('/') + path);
break;
case IspWellKnow:
- url = QUrl(QStringLiteral("http://") + mAddr.domain.toLower() + QStringLiteral("/.well-known/autoconfig/") + path);
+ url = QUrl(QStringLiteral("https://") + mAddr.domain.toLower() + QStringLiteral("/.well-known/autoconfig/") + path);
break;
case DataBase:
url = QUrl(QStringLiteral("https://autoconfig.thunderbird.net/v1.1/") + mAddr.domain.toLower());
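Review bot: The `IspAutoConfig` case kept directly below the new `IspHttpsAutoConfig` case still builds a cleartext `http://autoconfig.` URL, so any caller that selects that type fetches mail-server settings over a channel that an on-path party can alter. Judging by the slotResult hunks in this patch, the automatic chain no longer appears to step into it, but setServerType() still accepts it. It deserves at least a comment such as `// Plain HTTP: the response is unauthenticated, do not use for automatic lookup`. If no caller needs the type, removing the case would close the downgrade path entirely. The switch continues past the end of this hunk.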
@@ -94,6 +97,7 @@ void Ispdb::slotResult(KJob *job)
bool lookupFinished = false;
switch (mServerType) {
+ case IspHttpsAutoConfig:
case IspAutoConfig:
mServerType = IspWellKnow;
break;
@@ -101,7 +105,7 @@ void Ispdb::slotResult(KJob *job)
lookupFinished = true;
break;
case DataBase:
- mServerType = IspAutoConfig;
+ mServerType = IspHttpsAutoConfig;
break;
}
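Review bot: The lookup order is encoded only in these case transitions and is not documented in any line visible here: `DataBase` now moves to `IspHttpsAutoConfig`, and in the hunk at -94,6 both autoconfig types move on to `IspWellKnow`. The subject line says "https first", which could be read as plain http still being tried afterwards, yet the visible transitions never reach `IspAutoConfig`. A comment above the switch would settle this for the next maintainer, e.g. `// Order: DataBase -> IspHttpsAutoConfig -> IspWellKnow; IspAutoConfig (http) is not part of the chain`. slotResult() starts and ends outside these hunks, so the failure condition that drives the fallback could not be checked.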
@@ -348,6 +352,7 @@ void Ispdb::setServerType(Ispdb::searchServerType type)
mStart = false;
switch (mServerType) {
case IspAutoConfig:
+ case IspHttpsAutoConfig:
Q_EMIT searchType(i18n("Lookup configuration: Email provider"));
break;
case IspWellKnow:
diff --git a/src/ispdb/ispdb.h b/src/ispdb/ispdb.h
index 12de439..7c8c441 100644
--- a/src/ispdb/ispdb.h
+++ b/src/ispdb/ispdb.h
@@ -95,9 +95,11 @@ protected:
@see lookupUrl to generate a url base on this type
*/
enum searchServerType {
- IspAutoConfig = 0, /**< http://autoconfig.example.com/mail/config-v1.1.xml */
- IspWellKnow, /**< http://example.com/.well-known/autoconfig/mail/config-v1.1.xml */
- DataBase /**< https://autoconfig.thunderbird.net/v1.1/example.com */
+ DataBase = 0, ///< https://autoconfig.thunderbird.net/v1.1/example.com */
+ IspHttpsAutoConfig = 1, ///< https://autoconfig.example.com/mail/config-v1.1.xml
+ IspAutoConfig = 2, ///< http://autoconfig.example.com/mail/config-v1.1.xml
+ IspWellKnow = 3, ///< https://example.com/.well-known/autoconfig/mail/config-v1.1.xml
+ Last = IspWellKnow
};
/** let's request the autoconfig server */
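Review bot: The enumerators are renumbered here (`DataBase` goes from 2 to 0, `IspAutoConfig` from 0 to 2), so anything that stores, compares or default-initialises a `searchServerType` by integer value silently changes meaning. The initialisation of `mServerType` is not visible in this patch and should be checked against the new values. The `DataBase` line also keeps a stray `*/` after the switch to `///<`; it should read `DataBase = 0, ///< https://autoconfig.thunderbird.net/v1.1/example.com`. `Last` has no doc comment; if it is meant as a sentinel, `///< highest valid value, keep in sync when adding types` would say so.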
--
2.47.0