Overview

File kdelibs-CVE-2019-14744.patch of Package kdelibs3

From 1074eb033654bd5462677ffe694eda7805390284 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sl=C3=A1vek=20Banko?= <slavek.banko@axis.cz>
Date: Thu, 8 Aug 2019 02:45:03 +0200
Subject: [PATCH] Security: remove support for $(...) in config keys with [$e]
 marker.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It is very unclear at this point what a valid use case for this feature
would possibly be. The old documentation only mentions $(hostname) as
an example, which can be done with $HOSTNAME instead.

Note that $(...) is still supported in Exec lines of desktop files,
this does not require [$e] anyway (and actually works better without it,
otherwise the $ signs need to be doubled to obey tdeconfig $e escaping rules...).

Based on KDE Frameworks 5 kconfig patch for CVE-2019-14744.
This resolves issue #45.

Signed-off-by: Slávek Banko <slavek.banko@axis.cz>
---
 tdecore/README.kiosk      | 12 ------------
 tdecore/tdeconfigbase.cpp | 21 +--------------------
 2 files changed, 1 insertion(+), 32 deletions(-)

diff --git a/kdecore/README.kiosk b/kdecore/README.kiosk
index 826fc6da..ae4f72d4 100644
--- a/kdecore/README.kiosk
+++ b/kdecore/README.kiosk
@@ -642,18 +642,6 @@ The following syntax is also supported:
 Name[$ei]=${USER}
 
 
-Shell Commands in KDE config files.
-===================================
-
-In KDE3.1 arbitrary entries in configuration files can contain shell 
-commands. This way the value of a configuration entry can be determined
-dynamically at runtime. In order to use this the entry must be marked 
-with [$e]. 
-
-Example:
-Host[$e]=$(hostname)
-
-
 KDE3 Kiosk Application API
 ==========================
 
diff --git a/kdecore/kconfigbase.cpp b/kdecore/kconfigbase.cpp
index 1e8310a7..340afdfe 100644
--- a/kdecore/kconfigbase.cpp
+++ b/kdecore/kconfigbase.cpp
@@ -276,26 +276,7 @@ QString TDEConfigBase::readEntry( const char *pKey,
 
       while( nDollarPos != -1 && nDollarPos+1 < static_cast<int>(aValue.length())) {
         // there is at least one $
-        if( (aValue)[nDollarPos+1] == '(' ) {
-          uint nEndPos = nDollarPos+1;
-          // the next character is no $
-          while ( (nEndPos <= aValue.length()) && (aValue[nEndPos]!=')') )
-              nEndPos++;
-          nEndPos++;
-          QString cmd = aValue.mid( nDollarPos+2, nEndPos-nDollarPos-3 );
-
-          QString result;
-          FILE *fs = popen(QFile::encodeName(cmd).data(), "r");
-          if (fs)
-          {
-             {
-             QTextStream ts(fs, IO_ReadOnly);
-             result = ts.read().stripWhiteSpace();
-             }
-             pclose(fs);
-          }
-          aValue.replace( nDollarPos, nEndPos-nDollarPos, result );
-        } else if( (aValue)[nDollarPos+1] != '$' ) {
+        if( (aValue)[nDollarPos+1] != '$' ) {
           uint nEndPos = nDollarPos+1;
           // the next character is no $
           QString aVarName;
openSUSE Build Service is sponsored by
Places