Patch kommander to not execute scripts from possibly untrusted locations

without confirmation. Security: Fixes CAN-2005-0754
svn path=/head/; revision=133904
2024-10-22 20:41:26 +00:00 · 2005-04-22 03:34:26 +00:00 · 2005-04-22 03:34:26 +00:00 · 562d2beb15 · 2021-03-31 03:12:20 +00:00
commit 562d2beb15
parent 1f0d576118
4 changed files with 88 additions and 0 deletions
--- a/www/kdewebdev/Makefile
+++ b/www/kdewebdev/Makefile
@ -7,6 +7,7 @@

 PORTNAME=	kdewebdev
 PORTVERSION=	${KDE_VERSION}
+PORTREVISION=	1
 PORTEPOCH=	2
 CATEGORIES=	www kde
 MASTER_SITES=	${MASTER_SITE_KDE}
--- a/www/kdewebdev/files/patch-post-3.4.0-kdewebdev-kommander
+++ b/www/kdewebdev/files/patch-post-3.4.0-kdewebdev-kommander
@ -0,0 +1,43 @@
+Index: kommander/executor/instance.cpp
+===================================================================
+RCS file: /home/kde/kdewebdev/kommander/executor/instance.cpp,v
+retrieving revision 1.49
+retrieving revision 1.49.2.3
+diff -u -3 -d -p -r1.49 -r1.49.2.3
+--- kommander/executor/instance.cpp	29 Dec 2004 09:58:46 -0000	1.49
+++ kommander/executor/instance.cpp	17 Apr 2005 08:56:01 -0000	1.49.2.3
+@@ -131,6 +131,14 @@ bool Instance::build(QFile *a_file)
+ 
+ bool Instance::run(QFile *a_file)
+ {
+  // Check whether extension is *.kmdr
+  if (!m_uiFileName.fileName().endsWith(".kmdr")) {
+    KMessageBox::error(0, i18n("<qt>This file does not have a <b>.kmdr</b> extension. As a security precaution "
+           "Kommander will only run Kommander scripts with a clear identity.</qt>"),
+           i18n("Wrong Extension"));
+    return false;
+  }
+
+   /* add runtime arguments */
+   if (m_cmdArguments) {
+     QString args;
+@@ -144,8 +152,17 @@ bool Instance::run(QFile *a_file)
+   }
+   KommanderWidget::setGlobal("ARGCOUNT", QString("%1").arg(m_cmdArguments));
+     
+-  if (m_uiFileName.directory().startsWith(locateLocal("tmp", "") + "/") ||
+-      m_uiFileName.directory().startsWith("/tmp/"))
+  QStringList tmpDirs = KGlobal::dirs()->resourceDirs("tmp");
+  tmpDirs += KGlobal::dirs()->resourceDirs("cache");
+  tmpDirs.append("/tmp/");
+  tmpDirs.append("/var/tmp/");
+  
+  bool inTemp = false;
+  for (QStringList::ConstIterator I = tmpDirs.begin(); I != tmpDirs.end(); ++I)
+  if (m_uiFileName.directory().startsWith(*I))
+      inTemp = true;
+        
+  if (inTemp)
+   {
+      if (KMessageBox::warningYesNo(0, i18n("<qt>This dialog is running from your <i>/tmp</i> directory. "
+          " This may mean that it was run from a KMail attachment or from a webpage. "
--- a/www/kdewebdev4/Makefile
+++ b/www/kdewebdev4/Makefile
@ -7,6 +7,7 @@

 PORTNAME=	kdewebdev
 PORTVERSION=	${KDE_VERSION}
+PORTREVISION=	1
 PORTEPOCH=	2
 CATEGORIES=	www kde
 MASTER_SITES=	${MASTER_SITE_KDE}
--- a/www/kdewebdev4/files/patch-post-3.4.0-kdewebdev-kommander
+++ b/www/kdewebdev4/files/patch-post-3.4.0-kdewebdev-kommander
@ -0,0 +1,43 @@
+Index: kommander/executor/instance.cpp
+===================================================================
+RCS file: /home/kde/kdewebdev/kommander/executor/instance.cpp,v
+retrieving revision 1.49
+retrieving revision 1.49.2.3
+diff -u -3 -d -p -r1.49 -r1.49.2.3
+--- kommander/executor/instance.cpp	29 Dec 2004 09:58:46 -0000	1.49
+++ kommander/executor/instance.cpp	17 Apr 2005 08:56:01 -0000	1.49.2.3
+@@ -131,6 +131,14 @@ bool Instance::build(QFile *a_file)
+ 
+ bool Instance::run(QFile *a_file)
+ {
+  // Check whether extension is *.kmdr
+  if (!m_uiFileName.fileName().endsWith(".kmdr")) {
+    KMessageBox::error(0, i18n("<qt>This file does not have a <b>.kmdr</b> extension. As a security precaution "
+           "Kommander will only run Kommander scripts with a clear identity.</qt>"),
+           i18n("Wrong Extension"));
+    return false;
+  }
+
+   /* add runtime arguments */
+   if (m_cmdArguments) {
+     QString args;
+@@ -144,8 +152,17 @@ bool Instance::run(QFile *a_file)
+   }
+   KommanderWidget::setGlobal("ARGCOUNT", QString("%1").arg(m_cmdArguments));
+     
+-  if (m_uiFileName.directory().startsWith(locateLocal("tmp", "") + "/") ||
+-      m_uiFileName.directory().startsWith("/tmp/"))
+  QStringList tmpDirs = KGlobal::dirs()->resourceDirs("tmp");
+  tmpDirs += KGlobal::dirs()->resourceDirs("cache");
+  tmpDirs.append("/tmp/");
+  tmpDirs.append("/var/tmp/");
+  
+  bool inTemp = false;
+  for (QStringList::ConstIterator I = tmpDirs.begin(); I != tmpDirs.end(); ++I)
+  if (m_uiFileName.directory().startsWith(*I))
+      inTemp = true;
+        
+  if (inTemp)
+   {
+      if (KMessageBox::warningYesNo(0, i18n("<qt>This dialog is running from your <i>/tmp</i> directory. "
+          " This may mean that it was run from a KMail attachment or from a webpage. "