
List:       kde-commits
Subject:    kdebase/kicker/buttons
From:       Dirk Mueller <mueller () kde ! org>
Date:       2003-09-19 18:08:35

CVS commit by mueller: 

security fix: don't execute filename that was dropped on the button.


  M +3 -2      nonkdeappbutton.cpp   1.8


--- kdebase/kicker/buttons/nonkdeappbutton.cpp  #1.7:1.8
@@ -30,4 +30,5 @@ CONNECTION WITH THE SOFTWARE OR THE USE 
 #include <kglobal.h>
 #include <krun.h>
+#include <kprocess.h>
 #include <kmessagebox.h>
 #include <klocale.h>
@@ -103,8 +104,8 @@ void NonKDEAppButton::dropEvent(QDropEve
         KDesktopFile deskFile(url.path());
         deskFile.setDesktopGroup();
-        execStr += deskFile.readURL() + " ";
+        execStr += KProcess::quote(deskFile.readURL()) + " ";
       }
       else
-        execStr += url.path() + " ";
+        execStr += KProcess::quote(url.path()) + " ";
     }
     bool result;
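Review bot: In NonKDEAppButton::dropEvent, both quoted appends to execStr (the deskFile.readURL() branch and the url.path() branch) still allow a dropped value that begins with "-" to reach the launched program as an option. KProcess::quote() turns each value into a single shell word, so metacharacters in the name are no longer interpreted, but it does not mark the value as an operand. The readURL() value in particular comes from the contents of the dropped .desktop file rather than from its name. Consider rejecting or prefixing values that start with "-", or passing the arguments as a list instead of concatenating them into a command string. A short comment above the two appends saying that the quoting is the security fix would also keep a later cleanup from removing it.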

