Branch: master

1074eb03 2019-08-08 01:15:54 Slávek Banko
Security: remove support for $(...) in config keys with [$e] marker.

It is very unclear at this point what a valid use case for this feature
would possibly be. The old documentation only mentions $(hostname) as
an example, which can be done with $HOSTNAME instead.

Note that $(...) is still supported in Exec lines of desktop files; this does not require [$e] anyway
(and actually works better without it, since otherwise the $ signs need to be doubled to obey
tdeconfig $e escaping rules...).

Based on KDE Frameworks 5 kconfig patch for CVE-2019-14744.
This resolves issue #45.

Signed-off-by: Slávek Banko <slavek.banko@...>
M tdecore/README.kiosk
M tdecore/tdeconfigbase.cpp

tdecore/README.kiosk

diff --git a/tdecore/README.kiosk b/tdecore/README.kiosk
index 826fc6d..ae4f72d 100644
--- a/tdecore/README.kiosk
+++ b/tdecore/README.kiosk
@@ -642,18 +642,6 @@
 Name[$ei]=${USER}
 
 
-Shell Commands in KDE config files.
-===================================
-
-In KDE3.1 arbitrary entries in configuration files can contain shell 
-commands. This way the value of a configuration entry can be determined
-dynamically at runtime. In order to use this the entry must be marked 
-with [$e]. 
-
-Example:
-Host[$e]=$(hostname)
-
-
 KDE3 Kiosk Application API
 ==========================
 
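Review bot: dropping the "Shell Commands in KDE config files" section leaves README.kiosk silent on what now happens to an existing `Host[$e]=$(hostname)` entry, so an administrator reading the surviving [$e]/[$ei] examples (e.g. `Name[$ei]=${USER}`) has no way to learn that `$(...)` is no longer expanded. Suggest replacing the deleted section with a short note stating that `$(...)` command substitution in [$e] entries has been removed for security reasons, that `${VAR}`/`$VAR` environment expansion is the supported alternative (`$HOSTNAME` in place of `$(hostname)`), and that Exec lines of desktop files are handled separately and do not need [$e].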

tdecore/tdeconfigbase.cpp

diff --git a/tdecore/tdeconfigbase.cpp b/tdecore/tdeconfigbase.cpp
index 1e8310a..340afdf 100644
--- a/tdecore/tdeconfigbase.cpp
+++ b/tdecore/tdeconfigbase.cpp
@@ -276,26 +276,7 @@
 
       while( nDollarPos != -1 && nDollarPos+1 < static_cast<int>(aValue.length())) {
         // there is at least one $
-        if( (aValue)[nDollarPos+1] == '(' ) {
-          uint nEndPos = nDollarPos+1;
-          // the next character is no $
-          while ( (nEndPos <= aValue.length()) && (aValue[nEndPos]!=')') )
-              nEndPos++;
-          nEndPos++;
-          TQString cmd = aValue.mid( nDollarPos+2, nEndPos-nDollarPos-3 );
-
-          TQString result;
-          FILE *fs = popen(TQFile::encodeName(cmd).data(), "r");
-          if (fs)
-          {
-             {
-             TQTextStream ts(fs, IO_ReadOnly);
-             result = ts.read().stripWhiteSpace();
-             }
-             pclose(fs);
-          }
-          aValue.replace( nDollarPos, nEndPos-nDollarPos, result );
-        } else if( (aValue)[nDollarPos+1] != '$' ) {
+        if( (aValue)[nDollarPos+1] != '$' ) {
           uint nEndPos = nDollarPos+1;
           // the next character is no $
           TQString aVarName;
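Review bot: with the `'('` branch removed, a value such as `$(hostname)` now falls through to the `if( (aValue)[nDollarPos+1] != '$' )` path that scans an environment-variable name starting at `nDollarPos+1`; please confirm that the name scanner following `TQString aVarName;` stops on `(` (so the text is either left literal or replaced by an empty lookup) rather than consuming `(hostname)` as part of a variable name, and consider a regression test with that input. The deleted block was the only visible user of `popen`/`pclose`, `TQFile::encodeName` and `TQTextStream` in this function; if nothing else in tdeconfigbase.cpp needs them, the corresponding includes can be dropped in the same change.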

Branch: r14.0.x