diff options
| author | Slávek Banko <[email protected]> | 2019-08-08 02:45:03 +0200 |
|---|---|---|
| committer | Slávek Banko <[email protected]> | 2019-08-09 02:31:54 +0200 |
| commit | b992188d7d47c248907fe0fbcc62c6bdfd79cc0c (patch) | |
| tree | 42881a1b00ad1eac1aa864a8548405b9b149705e | |
| parent | 299fc401b139e105abb142c93a493065e8e8dcf1 (diff) | |
| download | tdelibs-b992188d7d47c248907fe0fbcc62c6bdfd79cc0c.tar.gz tdelibs-b992188d7d47c248907fe0fbcc62c6bdfd79cc0c.zip | |
Security: remove support for $(...) in config keys with [$e] marker.
It is very unclear at this point what a valid use case for this feature
would possibly be. The old documentation only mentions $(hostname) as
an example, which can be done with $HOSTNAME instead.
Note that $(...) is still supported in Exec lines of desktop files,
this does not require [$e] anyway (and actually works better without it,
otherwise the $ signs need to be doubled to obey tdeconfig $e escaping rules...).
Based on KDE Frameworks 5 kconfig patch for CVE-2019-14744.
This resolves issue #45.
Signed-off-by: Slávek Banko <[email protected]>
(cherry picked from commit 1074eb033654bd5462677ffe694eda7805390284)
| -rw-r--r-- | tdecore/README.kiosk | 12 | ||||
| -rw-r--r-- | tdecore/tdeconfigbase.cpp | 21 |
2 files changed, 1 insertions, 32 deletions
diff --git a/tdecore/README.kiosk b/tdecore/README.kiosk index 826fc6da6..ae4f72d47 100644 --- a/tdecore/README.kiosk +++ b/tdecore/README.kiosk @@ -642,18 +642,6 @@ The following syntax is also supported: Name[$ei]=${USER} -Shell Commands in KDE config files. -=================================== - -In KDE3.1 arbitrary entries in configuration files can contain shell -commands. This way the value of a configuration entry can be determined -dynamically at runtime. In order to use this the entry must be marked -with [$e]. - -Example: -Host[$e]=$(hostname) - - KDE3 Kiosk Application API ========================== diff --git a/tdecore/tdeconfigbase.cpp b/tdecore/tdeconfigbase.cpp index e8d384dbe..944ca646f 100644 --- a/tdecore/tdeconfigbase.cpp +++ b/tdecore/tdeconfigbase.cpp @@ -276,26 +276,7 @@ TQString TDEConfigBase::readEntry( const char *pKey, while( nDollarPos != -1 && nDollarPos+1 < static_cast<int>(aValue.length())) { // there is at least one $ - if( (aValue)[nDollarPos+1] == '(' ) { - uint nEndPos = nDollarPos+1; - // the next character is no $ - while ( (nEndPos <= aValue.length()) && (aValue[nEndPos]!=')') ) - nEndPos++; - nEndPos++; - TQString cmd = aValue.mid( nDollarPos+2, nEndPos-nDollarPos-3 ); - - TQString result; - FILE *fs = popen(TQFile::encodeName(cmd).data(), "r"); - if (fs) - { - { - TQTextStream ts(fs, IO_ReadOnly); - result = ts.read().stripWhiteSpace(); - } - pclose(fs); - } - aValue.replace( nDollarPos, nEndPos-nDollarPos, result ); - } else if( (aValue)[nDollarPos+1] != '$' ) { + if( (aValue)[nDollarPos+1] != '$' ) { uint nEndPos = nDollarPos+1; // the next character is no $ TQString aVarName; |