From 2d2ee71bee5475034b17f337aef8f6bdb0522c45 Mon Sep 17 00:00:00 2001
From: Florian Bruhin
Date: Fri, 20 Jun 2014 22:57:04 +0200
Subject: [PATCH] Remove passwords from URLs going out via an insecure channel.
---
 qutebrowser/browser/commands.py | 8 ++++++--
 qutebrowser/browser/hints.py | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/qutebrowser/browser/commands.py b/qutebrowser/browser/commands.py
index 2ebc8b965..9044517b1 100644
--- a/qutebrowser/browser/commands.py
+++ b/qutebrowser/browser/commands.py
@@ -356,7 +356,8 @@ class CommandDispatcher:
 Args:
 sel: True to use primary selection, False to use clipboard
 """
- urlstr = self._tabs.currentWidget().url().toString(QUrl.FullyEncoded)
+ urlstr = self._tabs.currentWidget().url().toString(
+ QUrl.FullyEncoded | QUrl.RemovePassword)
 if sel:
 mode = QClipboard.Selection
 target = "primary selection"
@@ -608,7 +609,8 @@ class CommandDispatcher:
 Args:
 cmd: The command to execute.
 """
- urlstr = self._tabs.currentWidget().url().toString(QUrl.FullyEncoded)
+ urlstr = self._tabs.currentWidget().url().toString(
+ QUrl.FullyEncoded | QUrl.RemovePassword)
 cmd = cmd.replace('{}', shell_escape(urlstr))
 log.procs.debug("Executing: {}".format(cmd))
 subprocess.Popen(cmd, shell=True)
@@ -621,6 +623,8 @@ class CommandDispatcher:
 @cmdutils.register(instance='mainwindow.tabs.cmd')
 def run_userscript(self, cmd, *args):
 """Run an userscript given as argument."""
+ # We don't remove the password in the URL here, as it's probably safe
+ # to pass via env variable.
 urlstr = self._tabs.currentWidget().url().toString(QUrl.FullyEncoded)
 runner = UserscriptRunner(self._tabs)
 runner.got_cmd.connect(self._tabs.got_cmd)
diff --git a/qutebrowser/browser/hints.py b/qutebrowser/browser/hints.py
index 40be086d7..ff427ca77 100644
--- a/qutebrowser/browser/hints.py
+++ b/qutebrowser/browser/hints.py
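Review bot: In the `@@ -356` hunk (yank to clipboard or primary selection), `QUrl.RemovePassword` strips only the password part of the userinfo, so the user name and any token carried in the query string or fragment are still copied. If the user name should not leave the browser either, `QUrl.RemoveUserInfo` drops both parts. The same flag expression is repeated in the `@@ -608` hunk and in hints.py (`@@ -301`); a single shared constant such as `_OUTGOING_URL_FORMAT = QUrl.FullyEncoded | QUrl.RemovePassword` (the name is only a suggestion) would keep the three call sites in step. The method body starts and ends outside the hunk.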
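Review bot: In the `@@ -608` hunk the URL, which is taken from the page being viewed, is still substituted into a string that runs through `subprocess.Popen(cmd, shell=True)`, so safe quoting rests entirely on `shell_escape`, whose definition is not visible here. Building an argument list avoids the shell altogether: `args = [a.replace('{}', urlstr) for a in shlex.split(cmd)]` followed by `subprocess.Popen(args)` (this needs `import shlex`). That changes how user commands containing shell syntax such as pipes or redirects behave, so it needs a deliberate decision rather than a silent swap. The method body starts outside the hunk.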
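Review bot: The comment added in the `@@ -621` hunk calls passing the password "probably safe" without naming the assumption behind that. The hunk does not show how `urlstr` reaches the script; if it is placed in the child's environment, as the comment implies, it is inherited by every process the userscript starts and can end up in whatever those processes log or dump. I would state that in the comment, for example `# Password kept on purpose: the URL is passed via the environment, not argv.` followed by `# The userscript and anything it spawns can read it.` The method body continues past the hunk.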
@@ -301,7 +301,7 @@ class HintManager(QObject): """ sel = self._context.target == Target.yank_primary mode = QClipboard.Selection if sel else QClipboard.Clipboard - urlstr = url.toString(QUrl.FullyEncoded) + urlstr = url.toString(QUrl.FullyEncoded | QUrl.RemovePassword) QApplication.clipboard().setText(urlstr, mode) message.info("URL yanked to {}".format("primary selection" if sel else "clipboard"))