From kde-commits Mon Dec 09 01:46:31 2002
From: Oswald Buddenhagen
Date: Mon, 09 Dec 2002 01:46:31 +0000
To: kde-commits
Subject: Re: quanta/quanta/plugins [POSSIBLY UNSAFE]
X-MARC-Message: https://marc.info/?l=kde-commits&m=103939848911844

On Sun, Dec 08, 2002 at 11:46:52AM +0100, Andras Mantia wrote:
> CVS commit by amantia:
>
> Handle multiple arguments a little better.
>
> --- quanta/quanta/plugins/quantacmdplugin.cpp 1.11: > @@ -79,5 +79,14 @@ bool QuantaCmdPlugin::load() > QString args = arguments(); > if (!args.isEmpty()) > - args = KProcess::quote(args); > + { > + //FIXME: This will not work if the arguments contain spaces, but will > + //do it for now, until the plugin system is corrected > + QStringList argsList = QStringList::split(" ", args); > + args = ""; > + for (uint i = 0; i < argsList.count(); i++) > + { > + args += KProcess::quote(argsList[i])+" "; > + } > + }
>
this looks half-baked. either you trust your input and therefore expect it to be properly quoted or you don't trust it and expect it to be already a QStringList whose entries should be quoted as a whole. with the current implementation you prevent properly quoted strings from being treated as such. so if this is not security-relevant (usually it makes sense to trust the own user), it would be sensible to revert this to no quoting at all.

greetings

--
Hi! I'm a .signature virus! Copy me into your ~/.signature, please!
--
Chaos, panic, and disorder - my work here is done.
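
Review bot: the added loop splits args on every " " before calling KProcess::quote, so an argument that contains a space, or one the user has already quoted, is broken into separately quoted pieces and its quote characters are passed through as literal text; the FIXME mentions the first case but not the second. Have arguments() supply a QStringList and quote each entry as a whole, or drop the quoting if the argument string is trusted. The loop also leaves a trailing " " on args.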
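
The quoting policies weighed in the reply above, as an added example that is not part of the original thread or of Quanta's code. Assumptions: Python's shlex.quote stands in for KProcess::quote, shlex.split stands in for the shell's word splitting and quote removal, and the sample argument string is constructed.

```python
import shlex

def quote_whole(args):
    """Pre-patch behaviour: the entire argument string becomes one shell word."""
    return shlex.quote(args)

def split_then_quote(args):
    """Patched behaviour: split on " ", quote each piece, append a space."""
    # QStringList::split drops empty entries by default; the filter mirrors that.
    return "".join(shlex.quote(p) + " " for p in args.split(" ") if p)

def quote_list(arg_list):
    """Untrusted input: entries arrive already separated, each quoted as a whole."""
    return " ".join(shlex.quote(a) for a in arg_list)

def passthrough(args):
    """Trusted input: the user is expected to have quoted it properly."""
    return args

def shell_words(command_tail):
    """Arguments the program would receive for this argument string.

    Models word splitting and quote removal only, not metacharacters
    such as ';' or '$'.
    """
    return shlex.split(command_tail)

# Constructed sample: a user-typed argument field with one quoted, spaced value.
USER_ARGS = "--title 'My Page' index.html"
USER_LIST = ["--title", "My Page", "index.html"]

if __name__ == "__main__":
    cases = [
        ("quote whole string (before patch)", quote_whole(USER_ARGS)),
        ("split on space, quote pieces (patch)", split_then_quote(USER_ARGS)),
        ("no quoting, trust the user", passthrough(USER_ARGS)),
        ("quote each list entry", quote_list(USER_LIST)),
    ]
    for label, tail in cases:
        print(f"{label:38} -> {shell_words(tail)}")
```

Only the last two policies deliver "My Page" as a single argument; the patched variant hands the program the user's quote characters as literal text.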