author | lofi <lofi@FreeBSD.org> | 2005-04-22 11:34:26 +0800 |
---|---|---|
committer | lofi <lofi@FreeBSD.org> | 2005-04-22 11:34:26 +0800 |
commit | 9360236ed8988b43f9274691b35b17655fcfcc81 (patch) | |
tree | a54f5a1089c6476a5993c764a6586e9d0400abfd /www | |
parent | b24d9efcc014b871cb862370348c7c28ee4c1699 (diff) | |
Patch kommander to not execute scripts from possibly untrusted locations
without confirmation.
Security: Fixes CAN-2005-0754
Diffstat (limited to 'www')
-rw-r--r-- | www/kdewebdev/Makefile | 1 | ||||
-rw-r--r-- | www/kdewebdev/files/patch-post-3.4.0-kdewebdev-kommander | 43 | ||||
-rw-r--r-- | www/kdewebdev4/Makefile | 1 | ||||
-rw-r--r-- | www/kdewebdev4/files/patch-post-3.4.0-kdewebdev-kommander | 43 |
4 files changed, 88 insertions, 0 deletions
diff --git a/www/kdewebdev/Makefile b/www/kdewebdev/Makefile
index f81aa6b56a28..efecbe45be04 100644
--- a/www/kdewebdev/Makefile
+++ b/www/kdewebdev/Makefile
@@ -7,6 +7,7 @@
 PORTNAME= kdewebdev
 PORTVERSION= ${KDE_VERSION}
+PORTREVISION= 1
 PORTEPOCH= 2
 CATEGORIES= www kde
 MASTER_SITES= ${MASTER_SITE_KDE}
diff --git a/www/kdewebdev/files/patch-post-3.4.0-kdewebdev-kommander b/www/kdewebdev/files/patch-post-3.4.0-kdewebdev-kommander
new file mode 100644
index 000000000000..78f6aecad8cb
--- /dev/null
+++ b/www/kdewebdev/files/patch-post-3.4.0-kdewebdev-kommander
@@ -0,0 +1,43 @@
+Index: kommander/executor/instance.cpp
+===================================================================
+RCS file: /home/kde/kdewebdev/kommander/executor/instance.cpp,v
+retrieving revision 1.49
+retrieving revision 1.49.2.3
+diff -u -3 -d -p -r1.49 -r1.49.2.3
+--- kommander/executor/instance.cpp 29 Dec 2004 09:58:46 -0000 1.49
++++ kommander/executor/instance.cpp 17 Apr 2005 08:56:01 -0000 1.49.2.3
+@@ -131,6 +131,14 @@ bool Instance::build(QFile *a_file)
+
+ bool Instance::run(QFile *a_file)
+ {
++ // Check whether extension is *.kmdr
++ if (!m_uiFileName.fileName().endsWith(".kmdr")) {
++ KMessageBox::error(0, i18n("<qt>This file does not have a <b>.kmdr</b> extension. As a security precaution "
++ "Kommander will only run Kommander scripts with a clear identity.</qt>"),
++ i18n("Wrong Extension"));
++ return false;
++ }
++
+ /* add runtime arguments */
+ if (m_cmdArguments) {
+ QString args;
+@@ -144,8 +152,17 @@ bool Instance::run(QFile *a_file)
+ }
+ KommanderWidget::setGlobal("ARGCOUNT", QString("%1").arg(m_cmdArguments));
+
+- if (m_uiFileName.directory().startsWith(locateLocal("tmp", "") + "/") ||
+- m_uiFileName.directory().startsWith("/tmp/"))
++ QStringList tmpDirs = KGlobal::dirs()->resourceDirs("tmp");
++ tmpDirs += KGlobal::dirs()->resourceDirs("cache");
++ tmpDirs.append("/tmp/");
++ tmpDirs.append("/var/tmp/");
++
++ bool inTemp = false;
++ for (QStringList::ConstIterator I = tmpDirs.begin(); I != tmpDirs.end(); ++I)
++ if (m_uiFileName.directory().startsWith(*I))
++ inTemp = true;
++
++ if (inTemp)
+ {
+ if (KMessageBox::warningYesNo(0, i18n("<qt>This dialog is running from your <i>/tmp</i> directory. "
+ " This may mean that it was run from a KMail attachment or from a webpage. "
diff --git a/www/kdewebdev4/Makefile b/www/kdewebdev4/Makefile
index f81aa6b56a28..efecbe45be04 100644
--- a/www/kdewebdev4/Makefile
+++ b/www/kdewebdev4/Makefile
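Review bot: The temp-directory test in the second inner hunk compares `m_uiFileName.directory()` with prefixes that end in a slash (`"/tmp/"`, `"/var/tmp/"`), so it only works if `directory()` keeps its trailing slash. If KURL's default strips it (to be confirmed against the KDE 3 headers), a dialog stored directly in `/tmp` yields `/tmp` and the confirmation prompt is skipped. Consider `if (m_uiFileName.directory(false).startsWith(*I)) { inTemp = true; break; }`. The path is also compared as given, so resolving it to a canonical absolute path before the loop would keep relative paths and symlinks from slipping past the prefix match. The identical patch file is added under www/kdewebdev4, so the same applies there; `Instance::run` continues past the end of the hunk.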
@@ -7,6 +7,7 @@
 PORTNAME= kdewebdev
 PORTVERSION= ${KDE_VERSION}
+PORTREVISION= 1
 PORTEPOCH= 2
 CATEGORIES= www kde
 MASTER_SITES= ${MASTER_SITE_KDE}
diff --git a/www/kdewebdev4/files/patch-post-3.4.0-kdewebdev-kommander b/www/kdewebdev4/files/patch-post-3.4.0-kdewebdev-kommander
new file mode 100644
index 000000000000..78f6aecad8cb
--- /dev/null
+++ b/www/kdewebdev4/files/patch-post-3.4.0-kdewebdev-kommander
@@ -0,0 +1,43 @@
+Index: kommander/executor/instance.cpp
+===================================================================
+RCS file: /home/kde/kdewebdev/kommander/executor/instance.cpp,v
+retrieving revision 1.49
+retrieving revision 1.49.2.3
+diff -u -3 -d -p -r1.49 -r1.49.2.3
+--- kommander/executor/instance.cpp 29 Dec 2004 09:58:46 -0000 1.49
++++ kommander/executor/instance.cpp 17 Apr 2005 08:56:01 -0000 1.49.2.3
+@@ -131,6 +131,14 @@ bool Instance::build(QFile *a_file)
+
+ bool Instance::run(QFile *a_file)
+ {
++ // Check whether extension is *.kmdr
++ if (!m_uiFileName.fileName().endsWith(".kmdr")) {
++ KMessageBox::error(0, i18n("<qt>This file does not have a <b>.kmdr</b> extension. As a security precaution "
++ "Kommander will only run Kommander scripts with a clear identity.</qt>"),
++ i18n("Wrong Extension"));
++ return false;
++ }
++
+ /* add runtime arguments */
+ if (m_cmdArguments) {
+ QString args;
+@@ -144,8 +152,17 @@ bool Instance::run(QFile *a_file)
+ }
+ KommanderWidget::setGlobal("ARGCOUNT", QString("%1").arg(m_cmdArguments));
+
+- if (m_uiFileName.directory().startsWith(locateLocal("tmp", "") + "/") ||
+- m_uiFileName.directory().startsWith("/tmp/"))
++ QStringList tmpDirs = KGlobal::dirs()->resourceDirs("tmp");
++ tmpDirs += KGlobal::dirs()->resourceDirs("cache");
++ tmpDirs.append("/tmp/");
++ tmpDirs.append("/var/tmp/");
++
++ bool inTemp = false;
++ for (QStringList::ConstIterator I = tmpDirs.begin(); I != tmpDirs.end(); ++I)
++ if (m_uiFileName.directory().startsWith(*I))
++ inTemp = true;
++
++ if (inTemp)
+ {
+ if (KMessageBox::warningYesNo(0, i18n("<qt>This dialog is running from your <i>/tmp</i> directory. "
+ " This may mean that it was run from a KMail attachment or from a webpage. " |