1074eb03 | 2019-08-08 01:15:54 | Slávek Banko |
Security: remove support for $(...) in config keys with [$e] marker. It is very unclear at this point what a valid use case for this feature would possibly be. The old documentation only mentions $(hostname) as an example, which can be done with $HOSTNAME instead. Note that $(...) is still supported in Exec lines of desktop files, this does not require [$e] anyway (and actually works better without it, otherwise the $ signs need to be doubled to obey tdeconfig $e escaping rules...). Based on KDE Frameworks 5 kconfig patch for CVE-2019-14744. This resolves issue #45. Signed-off-by: Slávek Banko <slavek.banko@...> |
||
M tdecore/README.kiosk M tdecore/tdeconfigbase.cpp |
||
tdecore/README.kioskdiff --git a/tdecore/README.kiosk b/tdecore/README.kiosk index 826fc6d..ae4f72d 100644 --- a/tdecore/README.kiosk +++ b/tdecore/README.kiosk @@ -642,18 +642,6 @@ Name[$ei]=${USER} -Shell Commands in KDE config files. -=================================== - -In KDE3.1 arbitrary entries in configuration files can contain shell -commands. This way the value of a configuration entry can be determined -dynamically at runtime. In order to use this the entry must be marked -with [$e]. - -Example: -Host[$e]=$(hostname) - - KDE3 Kiosk Application API ========================== tdecore/tdeconfigbase.cppdiff --git a/tdecore/tdeconfigbase.cpp b/tdecore/tdeconfigbase.cpp index 1e8310a..340afdf 100644 --- a/tdecore/tdeconfigbase.cpp +++ b/tdecore/tdeconfigbase.cpp @@ -276,26 +276,7 @@ while( nDollarPos != -1 && nDollarPos+1 < static_cast<int>(aValue.length())) { // there is at least one $ - if( (aValue)[nDollarPos+1] == '(' ) { - uint nEndPos = nDollarPos+1; - // the next character is no $ - while ( (nEndPos <= aValue.length()) && (aValue[nEndPos]!=')') ) - nEndPos++; - nEndPos++; - TQString cmd = aValue.mid( nDollarPos+2, nEndPos-nDollarPos-3 ); - - TQString result; - FILE *fs = popen(TQFile::encodeName(cmd).data(), "r"); - if (fs) - { - { - TQTextStream ts(fs, IO_ReadOnly); - result = ts.read().stripWhiteSpace(); - } - pclose(fs); - } - aValue.replace( nDollarPos, nEndPos-nDollarPos, result ); - } else if( (aValue)[nDollarPos+1] != '$' ) { + if( (aValue)[nDollarPos+1] != '$' ) { uint nEndPos = nDollarPos+1; // the next character is no $ TQString aVarName; |
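Review bot: The rewritten condition `if( (aValue)[nDollarPos+1] != '$' ) {` in tdecore/tdeconfigbase.cpp has no comment saying that `$(` is left unhandled on purpose, so a later cleanup could reintroduce command expansion without knowing the security history. I would add above it `// $(...) is deliberately not expanded: running shell commands from [$e] config values was removed for CVE-2019-14744; only $VAR and ${VAR} are handled.` With the dedicated branch gone, a value such as `$(hostname)` now appears to fall into the environment-variable branch, whose body lies outside this hunk, as do the start and end of the loop and the enclosing function. It is worth confirming that this path leaves the text inert and pinning it with a regression test. Existing configs that relied on `[$e]` with `$(...)` will change value silently, so a release-note entry or a one-line warning when `$(` is seen would help administrators find them.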