[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-commits
Subject:    QUANTA_3_1_BRANCH: quanta [POSSIBLY UNSAFE]
From:       Andras Mantia <amantia () freemail ! hu>
Date:       2002-12-08 10:01:24
[Download RAW message or body]

CVS commit by amantia: 

Security fix (backport).


  M +17 -8     ChangeLog   1.90.2.5
  M +2 -151    quanta.kdevprj   1.85.2.4
  M +7 -3      quanta/plugins/quantacmdplugin.cpp   1.9.2.1 [POSSIBLY UNSAFE: KShellProcess]


--- quanta/ChangeLog   1.90.2.5:
@@ -1,8 +1,8 @@
 This file contains the changes for Quanta since version 2.0 until the 3.1 series.
 
-Version 3.1 (Possible release date: 19-12-2002 or 15-01-2003)
-NOTE: Altough I hope that it won't be the case, some of these changes may not
-be present in the real 3.1. Those will go into the 3.1.1 release.
 
+Version 3.1 (Possible release date: 14-01-2003)
+NOTE: Released together with KDE 3.1 (final) and as a separate tarball for
+KDE 3.0.x on our Sourceforge site.
   - 3.1.x series specific bugfixes: 
     - none at this moment
@@ -10,4 +10,14 @@ be present in the real 3.1. Those will g
     - none at this moment
   - backported bugfixes from Quanta HEAD:
+    - security fixes
+    - execution of command line type plugins fixed
+
+Version 3.1-pr1 (Release date: 07-12-2002)
+NOTE: This version was released together with KDE 3.1 RC5. It already
+identifies itself as Quanta 3.1, but the code should be not considered
+as final. It was released also as Quanta 3.1-pr1 on our Sourceforge
+site.
+
+  - bugfixes:
     - a very grave bug fixed: Clear List in the New Project wizard deleted
       all the files from the target dir. This is evil, if the target dir
@@ -23,11 +33,10 @@ be present in the real 3.1. Those will g
   - synched the File and Grep dialog code with Kate
   
-          
-
 Version 3.1 (Freeze date: 02-12-2002; Started: 29-10-2002)
 NOTE: This version was supposed to go into the KDE 3.1 release. As it is delayed,
-some of the above fixes might go into the final 3.1 release.
+some of the above fixes might go into the final 3.1 release. This can be found in 
+KDE 3.1 RC3. 
 
-  - released together with KDE 3.1
+  - released together with KDE 3.1 RC3
   - bugfixes:
     - Selector combo was disabled when inserting a new CSS
--- quanta/quanta/plugins/quantacmdplugin.cpp   1.9.2.1:
@@ -74,7 +74,11 @@ bool QuantaCmdPlugin::load()
     return FALSE;
 
+// Still using KShellProcess to keep it runnable under KDE 3.0.x
   m_process = new KShellProcess;
 
   QString args = arguments();
+  if (!args.isEmpty())
+     args = KShellProcess::quote(args);
+  
 
   /* TODO
@@ -87,5 +91,5 @@ bool QuantaCmdPlugin::load()
   if(loc.isEmpty())
   {
-    const char *fn = QFile::encodeName(fileName());
+    QString fn = fileName();
     KStandardDirs *dirs = QuantaCommon::pluginDirs("exe");
     loc = dirs->findResource("exe", fn);
@@ -101,10 +105,10 @@ bool QuantaCmdPlugin::load()
   {
     QString kon = locate("exe", "konsole");
-    *m_process << kon << "-e" << loc;
+    *m_process << kon << "-e " << KShellProcess::quote(loc);
     *m_process << args; // FIXME : Do we need to tokenize arguments here?
   }
   else if(ow == i18n("Message Window"))
   {
-    *m_process << loc << args;
+    *m_process << KShellProcess::quote(loc) << args;
   }
   else

[prev in list] [next in list] [prev in thread] [next in thread]