Remove UserInfo and path/query for PAC URLs

2017-03-01 14:10:21 +01:00 · 2017-03-01 14:10:21 +01:00 · 9bb5c9fdab
commit 9bb5c9fdab
parent 5d0c9440f6
2 changed files with 31 additions and 2 deletions
--- a/qutebrowser/browser/network/pac.py
+++ b/qutebrowser/browser/network/pac.py
@ -22,7 +22,7 @@
 import sys
 import functools

-from PyQt5.QtCore import (QObject, pyqtSignal, pyqtSlot)
+from PyQt5.QtCore import QObject, pyqtSignal, pyqtSlot, QUrl
 from PyQt5.QtNetwork import (QNetworkProxy, QNetworkRequest, QHostInfo,
                             QNetworkReply, QNetworkAccessManager,
                             QHostAddress)
@ -208,7 +208,10 @@ class PACResolver:
        Return:
            A list of QNetworkProxy objects in order of preference.
        """
-        result = self._resolver.call([query.url().toString(),
+        string_flags = QUrl.RemoveUserInfo
+        if query.url().scheme() == 'https':
+            string_flags |= QUrl.RemovePath | QUrl.RemoveQuery
+        result = self._resolver.call([query.url().toString(string_flags),
                                      query.peerHostName()])
        result_str = result.toString()
        if not result.isString():
--- a/tests/unit/browser/webkit/network/test_pac.py
+++ b/tests/unit/browser/webkit/network/test_pac.py
@ -171,6 +171,32 @@ def test_fail_return():
        res.resolve(QNetworkProxyQuery(QUrl("https://example.com/test")))


+@pytest.mark.parametrize('url, has_secret', [
+    ('http://example.com/secret', True),  # path passed with HTTP
+    ('http://example.com?secret=yes', True),  # query passed with HTTP
+    ('http://secret@example.com', False),  # user stripped with HTTP
+    ('http://user:secret@example.com', False),  # password stripped with HTTP
+
+    ('https://example.com/secret', False),  # path stripped with HTTPS
+    ('https://example.com?secret=yes', False),  # query stripped with HTTPS
+    ('https://secret@example.com', False),  # user stripped with HTTPS
+    ('https://user:secret@example.com', False),  # password stripped with HTTPS
+])
+def test_secret_url(url, has_secret):
+    test_str = """
+        function FindProxyForURL(domain, host) {{
+            has_secret = domain.indexOf("secret") !== -1;
+            expected_secret = {};
+            if (has_secret !== expected_secret) {{
+                throw new Error("Expected secret: " + expected_secret + ", found: " + has_secret + " in " + domain);
+            }}
+            return "DIRECT";
+        }}
+    """.format('true' if (has_secret or from_file) else 'false')
+    res = pac.PACResolver(test_str)
+    res.resolve(QNetworkProxyQuery(QUrl(url)))
+
+
 # See https://github.com/qutebrowser/qutebrowser/pull/1891#issuecomment-259222615

 try: