> this really belongs on plasma-devel@kde.org, but we're here now =)

Sorry, I'll be more careful to find the appropriate mailing list next
time. :s

> so that you can't get the user to install a package but then access files all 
> over the system via the package. imagine a package that comes in over the 
> internet and has a symlink to say some sensitive system or user file (say .. 
> your address book), and then requests that file to be sent back over the 
> internet somewhere. holy security hole!

I think I understand your point about security.

> in this case, i suppose what we ought to do is make sure that d->basePath is 
> canonicalized as well.
> 
> does the attached patch, which applies to kdelibs/plasma/, fix it for you?

Thanks for the patch! It seems to resolve the issue for me, I hope you
can integrate it into the final 4.2 release! :) .

Thanks,

Frank Wilson