
List:       kde-commits
Subject:    quanta [POSSIBLY UNSAFE]
From:       Andras Mantia <amantia () freemail ! hu>
Date:       2002-12-08 10:01:09

CVS commit by amantia: 

Security fix: the execution of command-line type plugins is fixed.


  M +1 -0      ChangeLog   1.99
  M +9 -6      quanta/plugins/quantacmdplugin.cpp   1.10 [POSSIBLY UNSAFE: setUseShell]
  M +1 -1      quanta/plugins/quantakpartplugin.cpp   1.12


--- quanta/ChangeLog   1.99:
@@ -16,4 +16,5 @@ Verions 3.2-CVS-1 (Release Date: xx-xx-2
       correctly on the next startup of Quanta, slowing it down
     - autoselect the renamed files in the Upload Project dialog
+    - security fixes
   - synched the File and Grep dialog code with Kate
   - learning of unknown, user entered tags (and functions)
--- quanta/quanta/plugins/quantacmdplugin.cpp   1.10:
@@ -74,7 +74,10 @@ bool QuantaCmdPlugin::load()
     return FALSE;
 
-  m_process = new KShellProcess;
+  m_process = new KProcess;
+  m_process->setUseShell(true);
 
   QString args = arguments();
+  if (!args.isEmpty())
+     args = KProcess::quote(args);
 
   /* TODO
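Review bot: `args = KProcess::quote(args);` under the new `if (!args.isEmpty())` quotes the whole argument string as one shell word, so with `setUseShell(true)` a plugin configured with several arguments now receives them as a single argv entry, whereas the old KShellProcess path let the shell split them. The quoting itself is the right defence against shell metacharacters in a user-supplied value, so keep KProcess::quote on every token; if arguments() is meant to carry several words, split it first and quote each piece, as sketched below. The `// FIXME : Do we need to tokenize arguments here?` comment on the konsole branch in the third hunk is the same question and should be resolved (or removed) in the same commit. Splitting on spaces only reproduces the simple unquoted case and drops any quoting the user typed, which may or may not matter for this field; QuantaCmdPlugin::load() starts before and continues after this hunk.
```cpp
  QString args = arguments();
  if (!args.isEmpty())
  {
    // Quote each word separately so the shell sees one argv entry per
    // word, but never interprets metacharacters inside a word.
    QStringList words = QStringList::split(' ', args);
    QStringList quoted;
    for (QStringList::Iterator it = words.begin(); it != words.end(); ++it)
      quoted.append(KProcess::quote(*it));
    args = quoted.join(" ");
  }
  // … unchanged: TODO comment and the rest of load() …
```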
@@ -87,5 +90,5 @@ bool QuantaCmdPlugin::load()
   if(loc.isEmpty())
   {
-    const char *fn = QFile::encodeName(fileName());
+    QString fn = fileName();
     KStandardDirs *dirs = QuantaCommon::pluginDirs("exe");
     loc = dirs->findResource("exe", fn);
@@ -101,10 +104,10 @@ bool QuantaCmdPlugin::load()
   {
     QString kon = locate("exe", "konsole");
-    *m_process << kon << "-e" << loc;
+    *m_process << kon << "-e " << KProcess::quote(loc);
     *m_process << args; // FIXME : Do we need to tokenize arguments here?
   }
   else if(ow == i18n("Message Window"))
   {
-    *m_process << loc << args;
+    *m_process << KProcess::quote(loc) << args;
   }
   else
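Review bot: `*m_process << kon << "-e " << KProcess::quote(loc);` carries a trailing space inside `"-e "`, presumably to separate the option from the quoted path; as far as the shell mode enabled by `setUseShell(true)` joins the arguments with spaces itself, the plain `"-e"` the line used before is sufficient and the extra space only produces a doubled space in the command line, while the `KProcess::quote(loc) << args` form on the Message Window branch shows the intended style. Suggested line: `*m_process << kon << "-e" << KProcess::quote(loc);`. The final `else` branch begins on the last line of the hunk and its body is outside it; if that branch also appends `loc` or `args`, it needs the same KProcess::quote treatment as the two branches changed here, otherwise the fix does not cover that output mode.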

