MFH: r508481

[[ The HEAD change bumped PORTREVISION from 1 to 2, which isn't there
   in quarterly, so for simplicity I'm just skipping 1 to match the
   PORTREVISION numbers. ]]

Add patch from upstream KDE git for CVE-2019-14744

Upstream description:
 - https://kde.org/info/security/advisory-20190807-1.txt

Upstream solution:

KDE Frameworks 5 users:
- update to kconfig >= 5.61.0
- or apply the following patch to kconfig:
  https://cgit.kde.org/kconfig.git/commit/?id=5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22

kdelibs4 is also affected, but that was removed from the ports tree
over six months ago.

Security:	CVE-2019-14744

Approved by:	portmgr (miwi)

2 files changed, 140 insertions, 0 deletions

diff --git a/devel/kf5-kconfig/Makefile b/devel/kf5-kconfig/Makefile
index 1a0dece833f9..c1ab8c41d64a 100644
--- a/devel/kf5-kconfig/Makefile
+++ b/devel/kf5-kconfig/Makefile
@@ -2,6 +2,7 @@
 
 PORTNAME=	kconfig
 DISTVERSION=	${KDE_FRAMEWORKS_VERSION}
+PORTREVISION=	2
 CATEGORIES=	devel kde kde-frameworks
 
 MAINTAINER=	kde@FreeBSD.org
diff --git a/devel/kf5-kconfig/files/patch-git-5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22 b/devel/kf5-kconfig/files/patch-git-5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
new file mode 100644
index 000000000000..f348c1182926
--- /dev/null
+++ b/devel/kf5-kconfig/files/patch-git-5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
@@ -0,0 +1,139 @@
+commit 5d3e71b1d2ecd2cb2f910036e614ffdfc895aa22
+Author: David Faure <faure@kde.org>
+Date:   Wed Aug 7 09:35:36 2019 +0200
+
+    Security: remove support for $(...) in config keys with [$e] marker.
+    
+    Summary:
+    It is very unclear at this point what a valid use case for this feature
+    would possibly be. The old documentation only mentions $(hostname) as
+    an example, which can be done with $HOSTNAME instead.
+    
+    Note that $(...) is still supported in Exec lines of desktop files,
+    this does not require [$e] anyway (and actually works better without it,
+    otherwise the $ signs need to be doubled to obey kconfig $e escaping rules...).
+    
+    Test Plan:
+    ctest passes; various testcases with $(...) in desktop files,
+    directory files, and config files, no longer execute commands.
+    
+    Reviewers: mdawson, aacid, broulik, davidedmundson, kossebau, apol, sitter, security-team
+    
+    Reviewed By: mdawson, davidedmundson
+    
+    Subscribers: ZaWertun, rikmills, fvogt, ngraham, kde-frameworks-devel
+    
+    Tags: #frameworks
+    
+    Differential Revision: https://phabricator.kde.org/D22979
+diff --git autotests/kconfigtest.cpp autotests/kconfigtest.cpp
+index 410b5b8..9af3b46 100644
+--- autotests/kconfigtest.cpp
++++ autotests/kconfigtest.cpp
+@@ -38,7 +38,7 @@
+ #include <utime.h>
+ #endif
+ #ifndef Q_OS_WIN
+-#include <unistd.h> // gethostname
++#include <unistd.h> // getuid
+ #endif
+ 
+ KCONFIGGROUP_DECLARE_ENUM_QOBJECT(KConfigTest, Testing)
+@@ -546,14 +546,8 @@ void KConfigTest::testPath()
+     QCOMPARE(group.readPathEntry("withBraces", QString()), QString("file://" + HOMEPATH));
+     QVERIFY(group.hasKey("URL"));
+     QCOMPARE(group.readEntry("URL", QString()), QString("file://" + HOMEPATH));
+-#if !defined(Q_OS_WIN32) && !defined(Q_OS_MAC)
+-    // I don't know if this will work on windows
+-    // This test hangs on OS X
+     QVERIFY(group.hasKey("hostname"));
+-    char hostname[256];
+-    QVERIFY(::gethostname(hostname, sizeof(hostname)) == 0);
+-    QCOMPARE(group.readEntry("hostname", QString()), QString::fromLatin1(hostname));
+-#endif
++    QCOMPARE(group.readEntry("hostname", QString()), QStringLiteral("(hostname)")); // the $ got removed because empty var name
+     QVERIFY(group.hasKey("noeol"));
+     QCOMPARE(group.readEntry("noeol", QString()), QString("foo"));
+ 
+diff --git docs/options.md docs/options.md
+index c634c00..4a6e9bc 100644
+--- docs/options.md
++++ docs/options.md
+@@ -67,18 +67,15 @@ environment variables (and `XDG_CONFIG_HOME` in particular).
+ Shell Expansion
+ ---------------
+ 
+-If an entry is marked with `$e`, environment variables and shell commands will
+-be expanded.
++If an entry is marked with `$e`, environment variables will be expanded.
+ 
+     Name[$e]=$USER
+-    Host[$e]=$(hostname)
+ 
+ When the "Name" entry is read `$USER` will be replaced with the value of the
+-`$USER` environment variable, and `$(hostname)` will be replaced with the output
+-of the `hostname` command.
++`$USER` environment variable.
+ 
+-Note that the application will replace `$USER` and `$(hostname)` with their
+-respective expanded values after saving. To prevent this combine the `$e` option
++Note that the application will replace `$USER` with its
++expanded value after saving. To prevent this combine the `$e` option
+ with `$i` (immmutable) option.  For example:
+ 
+     Name[$ei]=$USER
+diff --git src/core/kconfig.cpp src/core/kconfig.cpp
+index e1b11ed..f6824ce 100644
+--- src/core/kconfig.cpp
++++ src/core/kconfig.cpp
+@@ -28,19 +28,6 @@
+ #include <cstdlib>
+ #include <fcntl.h>
+ 
+-#ifdef _MSC_VER
+-static inline FILE *popen(const char *cmd, const char *mode)
+-{
+-    return _popen(cmd, mode);
+-}
+-static inline int pclose(FILE *stream)
+-{
+-    return _pclose(stream);
+-}
+-#else
+-#include <unistd.h>
+-#endif
+-
+ #include "kconfigbackend_p.h"
+ #include "kconfiggroup.h"
+ 
+@@ -183,29 +170,7 @@ QString KConfigPrivate::expandString(const QString &value)
+     int nDollarPos = aValue.indexOf(QLatin1Char('$'));
+     while (nDollarPos != -1 && nDollarPos + 1 < aValue.length()) {
+         // there is at least one $
+-        if (aValue[nDollarPos + 1] == QLatin1Char('(')) {
+-            int nEndPos = nDollarPos + 1;
+-            // the next character is not $
+-            while ((nEndPos <= aValue.length()) && (aValue[nEndPos] != QLatin1Char(')'))) {
+-                nEndPos++;
+-            }
+-            nEndPos++;
+-            QString cmd = aValue.mid(nDollarPos + 2, nEndPos - nDollarPos - 3);
+-
+-            QString result;
+-
+-// FIXME: wince does not have pipes
+-#ifndef _WIN32_WCE
+-            FILE *fs = popen(QFile::encodeName(cmd).data(), "r");
+-            if (fs) {
+-                QTextStream ts(fs, QIODevice::ReadOnly);
+-                result = ts.readAll().trimmed();
+-                pclose(fs);
+-            }
+-#endif
+-            aValue.replace(nDollarPos, nEndPos - nDollarPos, result);
+-            nDollarPos += result.length();
+-        } else if (aValue[nDollarPos + 1] != QLatin1Char('$')) {
++        if (aValue[nDollarPos + 1] != QLatin1Char('$')) {
+             int nEndPos = nDollarPos + 1;
+             // the next character is not $
+             QStringRef aVarName;