File kdelibs-CVE-2019-14744.patch of Package kdelibs3
From 1074eb033654bd5462677ffe694eda7805390284 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sl=C3=A1vek=20Banko?= <slavek.banko@axis.cz>
Date: Thu, 8 Aug 2019 02:45:03 +0200
Subject: [PATCH] Security: remove support for $(...) in config keys with [$e]
marker.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
It is very unclear at this point what a valid use case for this feature
would possibly be. The old documentation only mentions $(hostname) as
an example, which can be done with $HOSTNAME instead.
Note that $(...) is still supported in Exec lines of desktop files,
this does not require [$e] anyway (and actually works better without it,
otherwise the $ signs need to be doubled to obey tdeconfig $e escaping rules...).
Based on KDE Frameworks 5 kconfig patch for CVE-2019-14744.
This resolves issue #45.
Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
---
tdecore/README.kiosk | 12 ------------
tdecore/tdeconfigbase.cpp | 21 +--------------------
2 files changed, 1 insertion(+), 32 deletions(-)
diff --git a/kdecore/README.kiosk b/kdecore/README.kiosk
index 826fc6da..ae4f72d4 100644
--- a/kdecore/README.kiosk
+++ b/kdecore/README.kiosk
@@ -642,18 +642,6 @@ The following syntax is also supported:
Name[$ei]=${USER}
-Shell Commands in KDE config files.
-===================================
-
-In KDE3.1 arbitrary entries in configuration files can contain shell
-commands. This way the value of a configuration entry can be determined
-dynamically at runtime. In order to use this the entry must be marked
-with [$e].
-
-Example:
-Host[$e]=$(hostname)
-
-
KDE3 Kiosk Application API
==========================
diff --git a/kdecore/kconfigbase.cpp b/kdecore/kconfigbase.cpp
index 1e8310a7..340afdfe 100644
--- a/kdecore/kconfigbase.cpp
+++ b/kdecore/kconfigbase.cpp
@@ -276,26 +276,7 @@ QString TDEConfigBase::readEntry( const char *pKey,
while( nDollarPos != -1 && nDollarPos+1 < static_cast<int>(aValue.length())) {
// there is at least one $
- if( (aValue)[nDollarPos+1] == '(' ) {
- uint nEndPos = nDollarPos+1;
- // the next character is no $
- while ( (nEndPos <= aValue.length()) && (aValue[nEndPos]!=')') )
- nEndPos++;
- nEndPos++;
- QString cmd = aValue.mid( nDollarPos+2, nEndPos-nDollarPos-3 );
-
- QString result;
- FILE *fs = popen(QFile::encodeName(cmd).data(), "r");
- if (fs)
- {
- {
- QTextStream ts(fs, IO_ReadOnly);
- result = ts.read().stripWhiteSpace();
- }
- pclose(fs);
- }
- aValue.replace( nDollarPos, nEndPos-nDollarPos, result );
- } else if( (aValue)[nDollarPos+1] != '$' ) {
+ if( (aValue)[nDollarPos+1] != '$' ) {
uint nEndPos = nDollarPos+1;
// the next character is no $
QString aVarName;