authorCarsten Lohrke <carlo@gentoo.org>2005-04-20 00:02:13 +0000
committerCarsten Lohrke <carlo@gentoo.org>2005-04-20 00:02:13 +0000
commit5a60e921953bb9117148e9b8cba3533521263900 (patch)
treed33e12b0ec3f731b2ac4fb7503409da86ea64c4b /kde-base/kdewebdev
parentUntrusted code execution, #89092 (diff)
Kommander untrusted code execution, #89092
Package-Manager: portage-2.0.51.19
Diffstat (limited to 'kde-base/kdewebdev')
-rw-r--r--kde-base/kdewebdev/ChangeLog10
-rw-r--r--kde-base/kdewebdev/files/digest-kdewebdev-3.3.2-r11
-rw-r--r--kde-base/kdewebdev/files/digest-kdewebdev-3.4.0-r11
-rw-r--r--kde-base/kdewebdev/files/post-3.4-kdewebdev.diff63
-rw-r--r--kde-base/kdewebdev/kdewebdev-3.3.2-r1.ebuild18
-rw-r--r--kde-base/kdewebdev/kdewebdev-3.4.0-r1.ebuild21
6 files changed, 113 insertions, 1 deletions
diff --git a/kde-base/kdewebdev/ChangeLog b/kde-base/kdewebdev/ChangeLog
index cb23ec74fcf1..c6bd25cbcd4c 100644
--- a/kde-base/kdewebdev/ChangeLog
+++ b/kde-base/kdewebdev/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for kde-base/kdewebdev
# Copyright 2000-2005 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/kde-base/kdewebdev/ChangeLog,v 1.42 2005/03/18 16:40:15 morfic Exp $
+# $Header: /var/cvsroot/gentoo-x86/kde-base/kdewebdev/ChangeLog,v 1.43 2005/04/20 00:02:13 carlo Exp $
+
+*kdewebdev-3.4.0-r1 (20 Apr 2005)
+*kdewebdev-3.3.2-r1 (20 Apr 2005)
+
+ 20 Apr 2005; Carsten Lohrke <carlo@gentoo.org>
+ +files/post-3.4-kdewebdev.diff, +kdewebdev-3.3.2-r1.ebuild,
+ +kdewebdev-3.4.0-r1.ebuild:
+ Kommander untrusted code execution, #89092
18 Mar 2005; Daniel Goller <morfic@gentoo.org> kdewebdev-3.4.0.ebuild:
Added to ~ppc
diff --git a/kde-base/kdewebdev/files/digest-kdewebdev-3.3.2-r1 b/kde-base/kdewebdev/files/digest-kdewebdev-3.3.2-r1
new file mode 100644
index 000000000000..6e016ea743e8
--- /dev/null
+++ b/kde-base/kdewebdev/files/digest-kdewebdev-3.3.2-r1
@@ -0,0 +1 @@
+MD5 582d0f3073d5829b4ab21b03411ba697 kdewebdev-3.3.2.tar.bz2 4797649
diff --git a/kde-base/kdewebdev/files/digest-kdewebdev-3.4.0-r1 b/kde-base/kdewebdev/files/digest-kdewebdev-3.4.0-r1
new file mode 100644
index 000000000000..0af1ae241535
--- /dev/null
+++ b/kde-base/kdewebdev/files/digest-kdewebdev-3.4.0-r1
@@ -0,0 +1 @@
+MD5 a131b9a14c5da402417b43ed8bc61df1 kdewebdev-3.4.0.tar.bz2 6243584
diff --git a/kde-base/kdewebdev/files/post-3.4-kdewebdev.diff b/kde-base/kdewebdev/files/post-3.4-kdewebdev.diff
new file mode 100644
index 000000000000..937c99d97257
--- /dev/null
+++ b/kde-base/kdewebdev/files/post-3.4-kdewebdev.diff
@@ -0,0 +1,63 @@
+Index: instance.cpp
+===================================================================
+RCS file: /home/kde/kdewebdev/kommander/executor/instance.cpp,v
+retrieving revision 1.49
+diff -u -3 -d -p -r1.49 instance.cpp
+--- kommander/executor/instance.cpp 29 Dec 2004 09:58:46 -0000 1.49
++++ kommander/executor/instance.cpp 13 Apr 2005 19:18:57 -0000
+@@ -131,6 +131,35 @@ bool Instance::build(QFile *a_file)
+
+ bool Instance::run(QFile *a_file)
+ {
++ // Check whether extension is *.kmdr
++ if (!m_uiFileName.fileName().endsWith(".kmdr")) {
++ KMessageBox::error(0, i18n("<qt>This file does not have a <b>.kmdr</b> extension. As a security precaution "
++ "Kommander will only run Kommander scripts with a clear identity.</qt>"),
++ i18n("Wrong Extension"));
++ return false;
++ }
++
++ // Check whether file is not in some temporary directory.
++ QStringList tmpDirs = KGlobal::dirs()->resourceDirs("tmp");
++ tmpDirs += KGlobal::dirs()->resourceDirs("cache");
++ tmpDirs.append("/tmp/");
++ tmpDirs.append("/var/tmp/");
++
++ bool inTemp = false;
++ for (QStringList::ConstIterator I = tmpDirs.begin(); I != tmpDirs.end(); ++I)
++ if (m_uiFileName.directory().startsWith(*I))
++ inTemp = true;
++
++ if (inTemp)
++ {
++ if (KMessageBox::warningYesNo(0, i18n("<qt>This dialog is running from your <i>/tmp</i> directory. "
++ " This may mean that it was run from a KMail attachment or from a webpage. "
++ "<p>Any script contained in this dialog will have write access to all of your home directory; "
++ "<b>running such dialogs may be dangerous: </b>"
++ "<p>are you sure you want to continue?</qt>")) == KMessageBox::No)
++ return false;
++ }
++
+ /* add runtime arguments */
+ if (m_cmdArguments) {
+ QString args;
+@@ -143,18 +172,7 @@ bool Instance::run(QFile *a_file)
+ KommanderWidget::setGlobal("ARGS", args);
+ }
+ KommanderWidget::setGlobal("ARGCOUNT", QString("%1").arg(m_cmdArguments));
+-
+- if (m_uiFileName.directory().startsWith(locateLocal("tmp", "") + "/") ||
+- m_uiFileName.directory().startsWith("/tmp/"))
+- {
+- if (KMessageBox::warningYesNo(0, i18n("<qt>This dialog is running from your <i>/tmp</i> directory. "
+- " This may mean that it was run from a KMail attachment or from a webpage. "
+- "<p>Any script contained in this dialog will have write access to all of your home directory; "
+- "<b>running such dialogs may be dangerous: </b>"
+- "<p>are you sure you want to continue?</qt>")) == KMessageBox::No)
+- return false;
+- }
+-
++
+ if (!m_uiFileName.isEmpty())
+ {
+ KommanderWidget::setGlobal("_KDDIR", m_uiFileName.directory());
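Review bot: The temporary-directory check added to `Instance::run` matches the raw string from `m_uiFileName.directory()` against each entry with `startsWith`, so a path that reaches the same location through a symlink or a `..` component would presumably not match. If `directory()` returns the path without a trailing slash, a file placed directly in `/tmp` would also miss the `"/tmp/"` entry. Comparing canonical paths with a trailing separator on both sides would cover both cases, e.g. `const QString dir = QDir(m_uiFileName.directory()).canonicalPath() + "/";` tested against the canonical form of each entry, skipping entries that resolve to an empty path. The extension check also runs before the later `if (!m_uiFileName.isEmpty())` guard, so a dialog started with an empty file name now appears to be rejected with "Wrong Extension"; please confirm that is intended. The body of `run` continues outside the hunk.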
diff --git a/kde-base/kdewebdev/kdewebdev-3.3.2-r1.ebuild b/kde-base/kdewebdev/kdewebdev-3.3.2-r1.ebuild
new file mode 100644
index 000000000000..2da7d9eda56d
--- /dev/null
+++ b/kde-base/kdewebdev/kdewebdev-3.3.2-r1.ebuild
@@ -0,0 +1,18 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/kde-base/kdewebdev/kdewebdev-3.3.2-r1.ebuild,v 1.1 2005/04/20 00:02:13 carlo Exp $
+
+inherit kde-dist eutils
+
+DESCRIPTION="KDE web development - Quanta"
+
+KEYWORDS="~alpha ~amd64 ~hppa ~ia64 ~ppc ~ppc64 ~sparc x86 ~mips"
+IUSE="doc"
+
+DEPEND="~kde-base/kdebase-${PV}
+ doc? ( app-doc/quanta-docs )"
+
+src_unpack(){
+ kde_src_unpack
+ epatch ${FILESDIR}/post-3.4-kdewebdev.diff
+}
\ No newline at end of file
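Review bot: `epatch ${FILESDIR}/post-3.4-kdewebdev.diff` in `src_unpack` leaves the variable unquoted, so the argument would word-split if the path contained whitespace; `epatch "${FILESDIR}/post-3.4-kdewebdev.diff"` avoids that, and the same line appears in kdewebdev-3.4.0-r1.ebuild. This ebuild builds 3.3.2 while the patch is named post-3.4 and was diffed against revision 1.49 of instance.cpp, so a one-line comment above the call such as `# backport of the Kommander fix, bug #89092` would record why it is applied here. Both ebuilds also end without a trailing newline.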
diff --git a/kde-base/kdewebdev/kdewebdev-3.4.0-r1.ebuild b/kde-base/kdewebdev/kdewebdev-3.4.0-r1.ebuild
new file mode 100644
index 000000000000..9e60a856f5aa
--- /dev/null
+++ b/kde-base/kdewebdev/kdewebdev-3.4.0-r1.ebuild
@@ -0,0 +1,21 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/kde-base/kdewebdev/kdewebdev-3.4.0-r1.ebuild,v 1.1 2005/04/20 00:02:13 carlo Exp $
+
+inherit kde-dist eutils
+
+DESCRIPTION="KDE web development - Quanta"
+
+KEYWORDS="~x86 ~amd64 ~sparc ~ppc"
+IUSE="doc tidy"
+
+DEPEND="~kde-base/kdebase-${PV}
+ doc? ( app-doc/quanta-docs )"
+
+RDEPEND="${DEPEND}
+ tidy? ( app-text/htmltidy )"
+
+src_unpack(){
+ kde_src_unpack
+ epatch ${FILESDIR}/post-3.4-kdewebdev.diff
+}
\ No newline at end of file