author | Michael Nottebrock <lofi@FreeBSD.org> | 2005-04-22 03:34:26 +0000 |
---|---|---|
committer | Michael Nottebrock <lofi@FreeBSD.org> | 2005-04-22 03:34:26 +0000 |
commit | 562d2beb157c280e23e8fec1249f1ddc1fc063ca (patch) | |
tree | a87f856fe65708d77f8036a1d8a259b3ef9da325 /www/kdewebdev | |
parent | 1f0d576118564da6b96fac8a0693f1f80aba035f (diff) |
Patch kommander to not execute scripts from possibly untrusted locations
without confirmation.
Security: Fixes CAN-2005-0754
Notes
Notes:
svn path=/head/; revision=133904
Diffstat (limited to 'www/kdewebdev')
-rw-r--r-- | www/kdewebdev/Makefile | 1 | ||||
-rw-r--r-- | www/kdewebdev/files/patch-post-3.4.0-kdewebdev-kommander | 43 |
2 files changed, 44 insertions, 0 deletions
diff --git a/www/kdewebdev/Makefile b/www/kdewebdev/Makefile
index f81aa6b56a28..efecbe45be04 100644
--- a/www/kdewebdev/Makefile
+++ b/www/kdewebdev/Makefile
@@ -7,6 +7,7 @@ PORTNAME= kdewebdev
 PORTVERSION= ${KDE_VERSION}
+PORTREVISION= 1
 PORTEPOCH= 2
 CATEGORIES= www kde
 MASTER_SITES= ${MASTER_SITE_KDE}
diff --git a/www/kdewebdev/files/patch-post-3.4.0-kdewebdev-kommander b/www/kdewebdev/files/patch-post-3.4.0-kdewebdev-kommander
new file mode 100644
index 000000000000..78f6aecad8cb
--- /dev/null
+++ b/www/kdewebdev/files/patch-post-3.4.0-kdewebdev-kommander
@@ -0,0 +1,43 @@
+Index: kommander/executor/instance.cpp
+===================================================================
+RCS file: /home/kde/kdewebdev/kommander/executor/instance.cpp,v
+retrieving revision 1.49
+retrieving revision 1.49.2.3
+diff -u -3 -d -p -r1.49 -r1.49.2.3
+--- kommander/executor/instance.cpp 29 Dec 2004 09:58:46 -0000 1.49
++++ kommander/executor/instance.cpp 17 Apr 2005 08:56:01 -0000 1.49.2.3
+@@ -131,6 +131,14 @@ bool Instance::build(QFile *a_file)
+ 
+ bool Instance::run(QFile *a_file)
+ {
++ // Check whether extension is *.kmdr
++ if (!m_uiFileName.fileName().endsWith(".kmdr")) {
++ KMessageBox::error(0, i18n("<qt>This file does not have a <b>.kmdr</b> extension. As a security precaution "
++ "Kommander will only run Kommander scripts with a clear identity.</qt>"),
++ i18n("Wrong Extension"));
++ return false;
++ }
++
+ /* add runtime arguments */
+ if (m_cmdArguments) {
+ QString args;
+@@ -144,8 +152,17 @@ bool Instance::run(QFile *a_file)
+ }
+ KommanderWidget::setGlobal("ARGCOUNT", QString("%1").arg(m_cmdArguments));
+ 
+- if (m_uiFileName.directory().startsWith(locateLocal("tmp", "") + "/") ||
+- m_uiFileName.directory().startsWith("/tmp/"))
++ QStringList tmpDirs = KGlobal::dirs()->resourceDirs("tmp");
++ tmpDirs += KGlobal::dirs()->resourceDirs("cache");
++ tmpDirs.append("/tmp/");
++ tmpDirs.append("/var/tmp/");
++
++ bool inTemp = false;
++ for (QStringList::ConstIterator I = tmpDirs.begin(); I != tmpDirs.end(); ++I)
++ if (m_uiFileName.directory().startsWith(*I))
++ inTemp = true;
++
++ if (inTemp)
+ {
+ if (KMessageBox::warningYesNo(0, i18n("<qt>This dialog is running from your <i>/tmp</i> directory. "
+ " This may mean that it was run from a KMail attachment or from a webpage. "
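Review bot: The temp-directory test in the second nested hunk compares `m_uiFileName.directory()` against prefixes that all end in a slash (`"/tmp/"`, `"/var/tmp/"` and the resource dirs), so a script placed directly in one of those directories only matches if `directory()` returns the trailing slash; the type of m_uiFileName is not visible in this patch, and if it is a KURL the default `directory()` strips that slash, in which case the match fails and the confirmation prompt is skipped. Appending the separator before the prefix test, `if ((m_uiFileName.directory() + "/").startsWith(*I))`, makes the comparison independent of that detail, and the loop can `break` once inTemp is set. The test also runs on the path as supplied rather than a canonical absolute path, so resolving it before the prefix check would make the decision robust against relative or linked paths. The warning text still names only `/tmp`, although the list now also covers the cache resource dirs and `/var/tmp`, so the message should mention "a temporary directory" instead. The body of `Instance::run` continues past the end of the nested hunk.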