Diffstat (limited to 'src/network')
-rw-r--r--src/network/access/qhttpnetworkconnectionchannel.cpp1
-rw-r--r--src/network/kernel/qnetworkproxy.cpp6
-rw-r--r--src/network/kernel/qnetworkproxy_generic.cpp31
-rw-r--r--src/network/socket/qlocalserver_unix.cpp8
-rw-r--r--src/network/ssl/qssl.cpp8
-rw-r--r--src/network/ssl/qssl.h3
-rw-r--r--src/network/ssl/qsslconfiguration.cpp2
-rw-r--r--src/network/ssl/qsslconfiguration_p.h3
-rw-r--r--src/network/ssl/qsslsocket_openssl.cpp8
9 files changed, 57 insertions, 13 deletions
diff --git a/src/network/access/qhttpnetworkconnectionchannel.cpp b/src/network/access/qhttpnetworkconnectionchannel.cpp
index 15fda34..b9db7fe 100644
--- a/src/network/access/qhttpnetworkconnectionchannel.cpp
+++ b/src/network/access/qhttpnetworkconnectionchannel.cpp
@@ -788,6 +788,7 @@ void QHttpNetworkConnectionChannel::detectPipeliningSupport()
&& (!serverHeaderField.contains("Netscape-Enterprise/3."))
// this is adpoted from the knowledge of the Nokia 7.x browser team (DEF143319)
&& (!serverHeaderField.contains("WebLogic"))
+ && (!serverHeaderField.startsWith("Rocket")) // a Python Web Server, see Web2py.com
) {
pipeliningSupported = QHttpNetworkConnectionChannel::PipeliningProbablySupported;
} else {
diff --git a/src/network/kernel/qnetworkproxy.cpp b/src/network/kernel/qnetworkproxy.cpp
index 71d61a4..4167b6d 100644
--- a/src/network/kernel/qnetworkproxy.cpp
+++ b/src/network/kernel/qnetworkproxy.cpp
@@ -1384,9 +1384,9 @@ void QNetworkProxyFactory::setApplicationProxyFactory(QNetworkProxyFactory *fact
SOCKS server for all queries. If SOCKS isn't enabled, it will use
the HTTPS proxy for all TcpSocket and UrlRequest queries.
- On other systems, there is no standardised method of obtaining the
- system proxy configuration. This function may be improved in
- future versions to support those systems.
+ On other systems, this function will pick up proxy settings from
+ the "http_proxy" environment variable. This variable must be a URL
+ using one of the following schemes: "http", "socks5" or "socks5h".
\section1 Limitations
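Review bot: The new paragraph says the variable "must be a URL using one of the following schemes", but the implementation added to qnetworkproxy_generic.cpp in this same commit also accepts a value with an empty scheme and treats it as an HTTP proxy, and it answers NoProxy for any other scheme. The second case is worth documenting, because a deployment that relies on the proxy for egress control gets direct connections when the variable is mistyped. I would add a sentence such as `If the scheme is missing, "http" is assumed; if the variable is unset or uses any other scheme, no proxy is used.` It could also state that only "http_proxy" is read and that the query passed to the function is not consulted, which is what the generic implementation shows.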
diff --git a/src/network/kernel/qnetworkproxy_generic.cpp b/src/network/kernel/qnetworkproxy_generic.cpp
index e9eaee9..f78f63d 100644
--- a/src/network/kernel/qnetworkproxy_generic.cpp
+++ b/src/network/kernel/qnetworkproxy_generic.cpp
@@ -41,17 +41,44 @@
#include "qnetworkproxy.h"
+#include <QtCore/QByteArray>
+#include <QtCore/QUrl>
+
#ifndef QT_NO_NETWORKPROXY
/*
- * No system proxy. Just return a list with NoProxy.
+ * Construct a proxy from the environment variable http_proxy.
+ * Or no system proxy. Just return a list with NoProxy.
*/
QT_BEGIN_NAMESPACE
QList<QNetworkProxy> QNetworkProxyFactory::systemProxyForQuery(const QNetworkProxyQuery &)
{
- return QList<QNetworkProxy>() << QNetworkProxy::NoProxy;
+ QList<QNetworkProxy> proxyList;
+
+ QByteArray proxy_env = qgetenv("http_proxy");
+ if (!proxy_env.isEmpty()) {
+ QUrl url = QUrl(QString::fromLocal8Bit(proxy_env));
+ if (url.scheme() == QLatin1String("socks5")) {
+ QNetworkProxy proxy(QNetworkProxy::Socks5Proxy, url.host(),
+ url.port() ? url.port() : 1080, url.userName(), url.password());
+ proxyList << proxy;
+ } else if (url.scheme() == QLatin1String("socks5h")) {
+ QNetworkProxy proxy(QNetworkProxy::Socks5Proxy, url.host(),
+ url.port() ? url.port() : 1080, url.userName(), url.password());
+ proxy.setCapabilities(QNetworkProxy::HostNameLookupCapability);
+ proxyList << proxy;
+ } else if (url.scheme() == QLatin1String("http") || url.scheme().isEmpty()) {
+ QNetworkProxy proxy(QNetworkProxy::HttpProxy, url.host(),
+ url.port() ? url.port() : 8080, url.userName(), url.password());
+ proxyList << proxy;
+ }
+ }
+ if (proxyList.isEmpty())
+ proxyList << QNetworkProxy::NoProxy;
+
+ return proxyList;
}
QT_END_NAMESPACE
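Review bot: The default-port expressions `url.port() ? url.port() : 1080` (in both SOCKS branches) and `url.port() ? url.port() : 8080` never take the fallback, because QUrl::port() returns -1, not 0, when the URL carries no port, so -1 is what reaches the QNetworkProxy constructor. QUrl has an overload for exactly this: `url.port(1080)` and `url.port(8080)`. In the socks5h branch, `proxy.setCapabilities(QNetworkProxy::HostNameLookupCapability)` replaces the capability set rather than adding to it; if the intent is to add remote name lookup, `proxy.setCapabilities(proxy.capabilities() | QNetworkProxy::HostNameLookupCapability)` keeps the others. A value with any other scheme falls through to NoProxy without a message, so a typo in the variable silently yields direct connections; a qWarning on that path would make the fallback visible.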
diff --git a/src/network/socket/qlocalserver_unix.cpp b/src/network/socket/qlocalserver_unix.cpp
index 851e898..390712c 100644
--- a/src/network/socket/qlocalserver_unix.cpp
+++ b/src/network/socket/qlocalserver_unix.cpp
@@ -167,16 +167,16 @@ bool QLocalServerPrivate::listen(const QString &requestedServerName)
*/
void QLocalServerPrivate::closeServer()
{
- if (-1 != listenSocket)
- QT_CLOSE(listenSocket);
- listenSocket = -1;
-
if (socketNotifier) {
socketNotifier->setEnabled(false); // Otherwise, closed socket is checked before deleter runs
socketNotifier->deleteLater();
socketNotifier = 0;
}
+ if (-1 != listenSocket)
+ QT_CLOSE(listenSocket);
+ listenSocket = -1;
+
if (!fullServerName.isEmpty())
QFile::remove(fullServerName);
}
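Review bot: The reason for the new order is not recorded in closeServer(): the notifier is now disabled and scheduled for deletion before `QT_CLOSE(listenSocket)`, but the existing comment on `setEnabled(false)` explains only why the notifier is disabled, not why the close has to come after it. A short comment above the close, such as `// Close the descriptor only after the notifier is disabled, so the notifier never watches a closed descriptor`, would keep a later cleanup from swapping the two blocks back.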
diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
index b556328..01297c9 100644
--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
@@ -141,9 +141,15 @@ QT_BEGIN_NAMESPACE
\value SslOptionDisableServerNameIndication Disables the SSL server
name indication extension. When enabled, this tells the server the virtual
host being accessed allowing it to respond with the correct certificate.
+ \value SslOptionDisableLegacyRenegotiation Disables the older insecure
+ mechanism for renegotiating the connection parameters. When enabled, this
+ option can allow connections for legacy servers, but it introduces the
+ possibility that an attacker could inject plaintext into the SSL session.
By default, SslOptionDisableEmptyFragments is turned on since this causes
- problems with a large number of servers, but the other options are disabled.
+ problems with a large number of servers. SslOptionDisableLegacyRenegotiation
+ is also turned on, since it introduces a security risk. The other options
+ are turned off.
Note: Availability of above options depends on the version of the SSL
backend in use.
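Review bot: The description of SslOptionDisableLegacyRenegotiation reads ambiguously for a security default. "When enabled, this option can allow connections for legacy servers" appears to describe legacy renegotiation itself, whereas the option, when enabled, disables it; and in "is also turned on, since it introduces a security risk" the "it" seems to point at the option rather than at legacy renegotiation. The polarity should be unmistakable, for example `When this option is set (the default), legacy renegotiation is refused. Clearing it allows connections to legacy servers, but lets an attacker inject plaintext into the SSL session.`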
diff --git a/src/network/ssl/qssl.h b/src/network/ssl/qssl.h
index 453d4da..571aa1f 100644
--- a/src/network/ssl/qssl.h
+++ b/src/network/ssl/qssl.h
@@ -87,7 +87,8 @@ namespace QSsl {
SslOptionDisableEmptyFragments = 0x01,
SslOptionDisableSessionTickets = 0x02,
SslOptionDisableCompression = 0x04,
- SslOptionDisableServerNameIndication = 0x08
+ SslOptionDisableServerNameIndication = 0x08,
+ SslOptionDisableLegacyRenegotiation = 0x10
};
Q_DECLARE_FLAGS(SslOptions, SslOption)
}
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
index e24076e..727130b 100644
--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
@@ -201,7 +201,7 @@ bool QSslConfiguration::isNull() const
d->privateKey.isNull() &&
d->peerCertificate.isNull() &&
d->peerCertificateChain.count() == 0 &&
- d->sslOptions == 0);
+ d->sslOptions == QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation);
}
/*!
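Review bot: The new comparison `d->sslOptions == QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation` parses as `(d->sslOptions == QSsl::SslOptionDisableEmptyFragments) | QSsl::SslOptionDisableLegacyRenegotiation`, because `==` binds tighter than `|`. The right-hand operand is the non-zero value 0x10, so this term is always true and isNull() no longer looks at sslOptions at all. Parenthesise the mask: `d->sslOptions == (QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation));`. The same default is spelled out again in the QSslConfigurationPrivate constructor in qsslconfiguration_p.h, so a single named constant would keep the two from drifting apart. The start of isNull() lies outside the hunk.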
diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h
index b83edb9..a711eeb 100644
--- a/src/network/ssl/qsslconfiguration_p.h
+++ b/src/network/ssl/qsslconfiguration_p.h
@@ -82,7 +82,8 @@ public:
QSslConfigurationPrivate()
: protocol(QSsl::SecureProtocols),
peerVerifyMode(QSslSocket::AutoVerifyPeer),
- peerVerifyDepth(0)
+ peerVerifyDepth(0),
+ sslOptions(QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation)
{ }
QSslCertificate peerCertificate;
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index 3942209..5f520f7 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -298,6 +298,14 @@ init_context:
else
options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
+ // This option is disabled by default, so we need to be able to clear it
+ if (configuration.sslOptions & QSsl::SslOptionDisableLegacyRenegotiation)
+ options &= ~SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+ else
+ options |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
+#endif
+
#ifdef SSL_OP_NO_TICKET
if (configuration.sslOptions & QSsl::SslOptionDisableSessionTickets)
options |= SSL_OP_NO_TICKET;
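Review bot: The comment `// This option is disabled by default, so we need to be able to clear it` does not say which option it means, and the branch under it is security-relevant: when SslOptionDisableLegacyRenegotiation is clear, the else arm sets SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION. I would reword it along the lines of `// Legacy renegotiation stays refused unless the application clears SslOptionDisableLegacyRenegotiation; only then is the unsafe OpenSSL flag set`. It is also worth a line saying that when the macro is not defined the whole block compiles away and the Qt option has no effect, so renegotiation behaviour is whatever the linked OpenSSL does. The enclosing function begins and ends outside the hunk.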