From kde-core-devel Mon Jan 05 18:22:36 2009
From: "Aaron J. Seigo"
Date: Mon, 05 Jan 2009 18:22:36 +0000
To: kde-core-devel
Subject: Re: Path check in kdelibs/plasma/package.cpp ?
Message-Id: <200901051122.36603.aseigo () kde ! org>
X-MARC-Message: https://marc.info/?l=kde-core-devel&m=123117981529236

On Sunday 04 January 2009, Frank Wilson wrote:
> I've been trying out kde 4.2 beta 2 and I have an issue with the way
> different wallpapers are loaded.

this really belongs on plasma-devel@kde.org, but we're here now =)

> I have two questions about this. Firstly, is there some cmake option
> that would allow this check to pass?

no.

> Secondly, what is the purpose of this check?

so that you can't get the user to install a package but then access files all
over the system via the package. imagine a package that comes in over the
internet and has a symlink to say some sensitive system or user file (say ..
your address book), and then requests that file to be sent back over the
internet somewhere. holy security hole!

in this case, i suppose what we ought to do is make sure that d->basePath is
canonicalized as well.

does the attached patch, which applies to kdelibs/plasma/, fix it for you?

-- 
Aaron J. Seigo
humru othro a kohnu se
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA EE75 D6B7 2EB1 A7F1 DB43

KDE core developer sponsored by Qt Software

Attachment: canonical_basepath.diff

Index: package.cpp
===================================================================
--- package.cpp	(revision 904776)
+++ package.cpp	(working copy)
@@ -51,9 +51,14 @@
     basePath(p),
     valid(QFile::exists(basePath))
 {
-    QFileInfo info(basePath);
-    if (valid && info.isDir() && basePath[basePath.length() - 1] != '/') {
-        basePath.append('/');
+    if (valid) {
+        QDir dir(basePath);
+        basePath = dir.canonicalPath();
+
+        QFileInfo info(basePath);
+        if (info.isDir()) {
+            basePath.append(QDir::separator());
+        }
     }
 }
 
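Review bot: the resolution result is never checked in this hunk: `dir.canonicalPath()` returns an empty string when the path cannot be resolved (for example a dangling symlink that raced past the `QFile::exists` test), and in that case `QFileInfo("").isDir()` is false, so the constructor finishes with `valid == true` and an empty `basePath`. Since basePath may also be a plain file rather than a directory (the removed code handled that case and the new `info.isDir()` branch still expects it), `QFileInfo(basePath).canonicalFilePath()` is the call whose behaviour is specified for both files and directories; suggest resolving once and re-deriving validity from the result, e.g. `basePath = QFileInfo(basePath).canonicalFilePath(); valid = !basePath.isEmpty();` before the `isDir()` branch. Separately, the removed line appended `'/'` while the added line appends `QDir::separator()`; Qt uses `'/'` as its internal path separator, so any prefix comparison elsewhere in package.cpp that joins basePath with `'/'` would stop matching on platforms whose native separator differs. Keeping `'/'` here avoids that.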
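The check the thread is about, as an added example that is not kdelibs or Plasma code: the package root and the requested file are both canonicalized before the prefix comparison, so a symlink planted inside a package that points at a file outside it is rejected, as are `..` traversal and a sibling directory whose name merely shares the root as a string prefix. It uses POSIX `realpath()` instead of Qt so that it builds stand-alone; the fixture under `/tmp` (package, "address book", sibling `pkgevil` directory) and all names in it are constructed for the example.

```cpp
// Added example (not kdelibs code): canonicalize-then-prefix-check for a
// package root, using POSIX realpath() in place of Qt's canonicalPath().
#include <cstdio>
#include <cstdlib>
#include <fstream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Resolve symlinks, "." and ".."; empty string if the path cannot be resolved.
std::string canonical(const std::string &path) {
    char *resolved = realpath(path.c_str(), nullptr);
    if (resolved == nullptr) return std::string();
    std::string out(resolved);
    free(resolved);
    return out;
}

// Counterpart of the patched constructor: canonical base plus a trailing '/'.
// Empty means "invalid package" (base does not exist or cannot be resolved).
std::string packageBase(const std::string &base) {
    std::string c = canonical(base);
    if (c.empty()) return c;
    if (c[c.size() - 1] != '/') c += '/';   // realpath("/") already ends in '/'
    return c;
}

// The check itself: the canonical target must start with the canonical base.
// Returns the resolved absolute path, or empty if the request escapes the
// package (symlink out, "..", missing file, or a sibling directory whose
// name shares the base as a string prefix).
std::string resolveInPackage(const std::string &base, const std::string &relative) {
    std::string b = packageBase(base);
    if (b.empty()) return std::string();
    std::string target = canonical(b + relative);
    if (target.empty()) return std::string();
    // b ends in '/', so a base of ".../pkg/" does not match ".../pkgevil/x".
    if (target.compare(0, b.size(), b) != 0) return std::string();
    return target;
}

// Constructed fixture (hypothetical names): a package holding one legitimate
// file and one symlink to an "address book" outside it, plus a sibling
// directory whose name shares the package's prefix.
struct Fixture { std::string root, pkg, secret; };

static void writeFile(const std::string &path, const char *text) {
    std::ofstream out(path.c_str());
    out << text;
}

Fixture makeFixture() {
    Fixture f;
    char tmpl[] = "/tmp/pkgcheckXXXXXX";
    if (mkdtemp(tmpl) == nullptr) return f;   // root stays empty on failure
    f.root = tmpl;
    f.pkg = f.root + "/pkg";
    f.secret = f.root + "/addressbook";
    bool ok = mkdir(f.pkg.c_str(), 0700) == 0
           && mkdir((f.pkg + "/contents").c_str(), 0700) == 0
           && mkdir((f.root + "/pkgevil").c_str(), 0700) == 0;
    writeFile(f.secret, "constructed: not part of the package\n");
    writeFile(f.pkg + "/contents/main.qml", "constructed package file\n");
    writeFile(f.root + "/pkgevil/x", "constructed sibling file\n");
    ok = ok && symlink(f.secret.c_str(), (f.pkg + "/contents/link").c_str()) == 0;
    if (!ok) f.root.clear();
    return f;
}

void removeFixture(const Fixture &f) {
    if (f.root.empty()) return;
    unlink((f.pkg + "/contents/link").c_str());
    unlink((f.pkg + "/contents/main.qml").c_str());
    unlink((f.root + "/pkgevil/x").c_str());
    unlink(f.secret.c_str());
    rmdir((f.pkg + "/contents").c_str());
    rmdir(f.pkg.c_str());
    rmdir((f.root + "/pkgevil").c_str());
    rmdir(f.root.c_str());
}

int main() {
    Fixture f = makeFixture();
    const char *requests[] = { "contents/main.qml", "contents/link",
                               "../addressbook", "../pkgevil/x" };
    for (const char *r : requests) {
        std::string resolved = resolveInPackage(f.pkg, r);
        std::printf("%-20s -> %s\n", r, resolved.empty() ? "REJECTED" : resolved.c_str());
    }
    removeFixture(f);
    return 0;
}
```

Only `contents/main.qml` resolves; the symlink, the `..` request and the `pkgevil` sibling are all rejected by the same prefix test because both sides of the comparison are canonical and the base carries its trailing `/`. Dropping either canonicalization reopens the hole: an un-canonicalized base lets a symlinked package directory mask the escape, and an un-canonicalized target lets the symlink inside the package pass.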