List:       kde-core-devel
Subject:    Re: Path check in kdelibs/plasma/package.cpp ?
From:       "Aaron J. Seigo" <aseigo () kde ! org>
Date:       2009-01-05 18:22:36
Message-ID: 200901051122.36603.aseigo () kde ! org


On Sunday 04 January 2009, Frank Wilson wrote:
> I've been trying out kde 4.2 beta 2 and I have an issue with the way
> different wallpapers are loaded.

this really belongs on plasma-devel@kde.org, but we're here now =)

> I have two questions about this. Firstly, is there some cmake option
> that would allow this check to pass?

no.

> Secondly, what is the purpose of this check?

so that you can't get the user to install a package but then access files all 
over the system via the package. imagine a package that comes in over the 
internet and has a symlink to say some sensitive system or user file (say .. 
your address book), and then requests that file to be sent back over the 
internet somewhere. holy security hole!

in this case, i suppose what we ought to do is make sure that d->basePath is 
canonicalized as well.

does the attached patch, which applies to kdelibs/plasma/, fix it for you?

-- 
Aaron J. Seigo
humru othro a kohnu se
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA  EE75 D6B7 2EB1 A7F1 DB43

KDE core developer sponsored by Qt Software


["canonical_basepath.diff" (text/x-patch)]

Index: package.cpp
===================================================================
--- package.cpp	(revision 904776)
+++ package.cpp	(working copy)
@@ -51,9 +51,14 @@
           basePath(p),
           valid(QFile::exists(basePath))
     {
-        QFileInfo info(basePath);
-        if (valid && info.isDir() && basePath[basePath.length() - 1] != '/') {
-            basePath.append('/');
+        if (valid) {
+            QDir dir(basePath);
+            basePath = dir.canonicalPath();
+
+            QFileInfo info(basePath);
+            if (info.isDir()) {
+                basePath.append(QDir::separator());
+            }
         }
     }
 
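Review bot: `basePath = dir.canonicalPath();` can leave `basePath` empty while `valid` stays true, because `valid` is set once in the initializer list from the original path and `QDir::canonicalPath()` returns an empty string when the path cannot be resolved. Suggest clearing `valid` when the canonical path comes back empty, so an unresolved base is never used as the prefix for the containment check. Separately, `basePath.append(QDir::separator())` replaces the removed `'/'` with the native separator, which is a backslash on Windows, while `canonicalPath()` returns `/`-separated paths; appending `'/'` as before keeps the stored prefix in one form. The removed guard `basePath[basePath.length() - 1] != '/'` is also dropped, so a base that canonicalizes to the filesystem root becomes `//`; keeping the guard is cheap.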

["signature.asc" (application/pgp-signature)]
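
The check discussed in this thread, as an added example (not the Plasma code and not part of the original message): a containment test written with POSIX `realpath()` instead of Qt, showing why both the base path and the requested file have to be canonicalized before the prefix comparison. The function names, the temporary directory layout and the file names are constructed for illustration.

```cpp
// Added example, not KDE code: package containment check with POSIX realpath().
#include <cstdio>
#include <cstdlib>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Resolve symlinks, "." and ".."; "" if the path cannot be resolved.
static std::string canonical(const std::string &path) {
    char *r = realpath(path.c_str(), nullptr);
    if (!r) return "";
    std::string out(r);
    free(r);
    return out;
}

// Only the file side is canonical (models the mismatch the thread describes).
bool insideNaive(const std::string &base, const std::string &rel) {
    const std::string root = base + "/", file = canonical(root + rel);
    return !file.empty() && file.compare(0, root.size(), root) == 0;
}

// Both sides canonical; the trailing '/' keeps "/pkg" from matching "/pkg2/x".
bool insideCanonical(const std::string &base, const std::string &rel) {
    std::string root = canonical(base);
    const std::string file = canonical(base + "/" + rel);
    if (root.empty() || file.empty()) return false;  // unresolved: reject
    if (root != "/") root += '/';
    return file.compare(0, root.size(), root) == 0;
}

// Builds a constructed tree under /tmp (left in place) and returns a bit mask.
int demo() {
    char tmpl[] = "/tmp/pkgdemoXXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    const std::string t = canonical(tmpl), pkg = t + "/real", link = t + "/link";
    if (mkdir(pkg.c_str(), 0700) != 0) return -1;
    for (const std::string &f : {pkg + "/wall.png", t + "/secret.txt"})
        if (FILE *fp = std::fopen(f.c_str(), "w")) std::fclose(fp);
    if (symlink("../secret.txt", (pkg + "/leak").c_str()) != 0) return -1;
    if (symlink(pkg.c_str(), link.c_str()) != 0) return -1;  // symlinked base
    int r = 0;
    if (insideNaive(link, "wall.png"))         r |= 1;  // legit file, refused
    if (insideCanonical(link, "wall.png"))     r |= 2;  // legit file, accepted
    if (insideCanonical(link, "leak"))         r |= 4;  // symlink out of package
    if (insideCanonical(pkg, "../secret.txt")) r |= 8;  // ".." out of package
    return r;
}
int main() { std::printf("verdict mask: %d\n", demo()); return 0; }
```

Only bit 2 is set in the result: the package reached through a symlinked base is accepted once both sides are canonical, while the symlink and `..` escapes stay rejected.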
