
List:       kde-commits
Subject:    kdenox/konq-embed/dropin
From:       Luciano Montanaro <mikelima () cirulla ! net>
Date:       2005-04-08 9:39:02
Message-ID: 20050408093902.45CC4494 () office ! kde ! org

CVS commit by montanaro: 

Implement authorization stuff.


  M +32 -3     kapplication.cpp   1.10
  M +4 -4      kapplication.h   1.13


--- kdenox/konq-embed/dropin/kapplication.cpp  #1.9:1.10
@@ -3,4 +3,5 @@
     Copyright (C) 2003 Luciano Montanaro <mikelima@cirulla.net>
     Copyright (C) 2001 Dirk Mueller <mueller@kde.org>
+    Copyright (C) 2005 Fastweb SpA
  
     This library is free software; you can redistribute it and/or
@@ -24,7 +25,10 @@
 #include "dcopclient.h"
 #include "kstandarddirs.h"
+#include "kio/kprotocolinfo.h"
 
 #include <unistd.h>
 #include <qfile.h>
+#include <qdir.h>
+
 #include <assert.h>
 
@@ -98,8 +102,8 @@ bool checkAccess(const QString& pathname
 
 
-  if (!access( QFile::encodeName(pathname), F_OK)) // if it already exists
+  if (!access(QFile::encodeName(pathname), F_OK)) // if it already exists
       return false;
 
-  //strip the filename (everything until '/' from the end
+  // strip the filename (everything until '/' from the end
   QString dirName(pathname);
   int pos = dirName.findRev('/');
@@ -110,5 +114,5 @@ bool checkAccess(const QString& pathname
 
   accessOK = access( QFile::encodeName(dirName), W_OK );
-  // -?- Can I write to the accessed diretory
+  // -?- Can I write to the accessed directory
   if ( accessOK == 0 )
     return true;  // Yes
@@ -143,4 +147,29 @@ uint KApplication::keyboardModifiers()
 }
 
+bool 
+KApplication::authorizeURLAction(const QString & action,
+                                 const KURL & _baseURL,
+                                 const KURL & _destURL)
+{
+    // Very simple authorization, for now: block access to the file: protocol,
+    // allow anything else.
+    if (_destURL.isEmpty())
+        return true;
+
+    bool result = true;
+
+    KURL baseURL(_baseURL);
+    baseURL.setPath(QDir::cleanDirPath(baseURL.path()));
+    QString baseClass = KProtocolInfo::protocolClass(baseURL.protocol());
+    KURL destURL(_destURL);
+    destURL.setPath(QDir::cleanDirPath(destURL.path()));
+    QString destClass = KProtocolInfo::protocolClass(destURL.protocol());
+
+    if (baseClass != ":local" && destClass == ":local") {
+        return false;
+    }
+
+    return result;
+}
 
 #include "kapplication.moc"
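Review bot: authorizeURLAction is default-allow and never reads `action`: the only deny rule is `baseClass != ":local" && destClass == ":local"`, so every action type gets the same policy and any destination whose class is not exactly ":local" is permitted. If `KProtocolInfo::protocolClass()` returns an empty string for a protocol it does not know (its behaviour is not visible in this hunk), those destinations pass too, so it is worth confirming how the drop-in classifies unknown schemes. The two `setPath(QDir::cleanDirPath(...))` calls do not influence the decision, because only the protocol classes are compared, and `result` is never changed from `true`. Either drop them and `return true;` directly, or state the intent with a comment such as `// paths are normalised for a future per-directory check; only the protocol class is enforced today`.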

--- kdenox/konq-embed/dropin/kapplication.h  #1.12:1.13
@@ -3,4 +3,5 @@
     Copyright (C) 2003 Luciano Montanaro <mikelima@cirulla.net>
     Copyright (C) 2001 Dirk Mueller <mueller@kde.org>
+    Copyright (C) 2005 Fastweb SpA
 
     This library is free software; you can redistribute it and/or
@@ -73,7 +74,6 @@ public:
 
     // Needed by KHTML 3.1 
-    bool authorizeURLAction(const QString &, const KURL &, const KURL &) { 
-            return true; 
-    }
+    // This needs to be properly implemented, otherwise we open our box to attacks.
+    bool authorizeURLAction(const QString &, const KURL &, const KURL &);
     
     // ### extension
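Review bot: The new prototype of authorizeURLAction leaves all three parameters unnamed, so a caller reading the header cannot tell which KURL is the base and which is the destination. The implementation in kapplication.cpp denies only when the first URL is non-local and the second is local, so passing them in the wrong order makes the check allow the request. Name them in the declaration, `bool authorizeURLAction(const QString &action, const KURL &baseURL, const KURL &destURL);`, and replace the open-ended warning with a comment that states the contract, e.g. `// Returns false when a non-local baseURL refers to a :local destURL; everything else is allowed.`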
@@ -133,5 +133,5 @@ private:
 // ### FIXME: checkAccess copyright by Kalle!
 
-bool checkAccess( const QString &pathname, int mode);
+bool checkAccess(const QString &pathname, int mode);
 
 #endif

