Path check in kdelibs/plasma/package.cpp ?

Aaron J. Seigo aseigo at kde.org
Mon Jan 5 18:22:36 GMT 2009


On Sunday 04 January 2009, Frank Wilson wrote:
> I've been trying out kde 4.2 beta 2 and I have an issue with the way
> different wallpapers are loaded.

this really belongs on plasma-devel at kde.org, but we're here now =)

> I have two questions about this. Firstly, is there some cmake option
> that would allow this check to pass?

no.

> Secondly, what is the purpose of this check?

so that you can't get the user to install a package but then access files all 
over the system via the package. imagine a package that comes in over the 
internet and has a symlink to say some sensitive system or user file (say .. 
your address book), and then requests that file to be sent back over the 
internet somewhere. holy security hole!

in this case, i suppose what we ought to do is make sure that d->basePath is 
canonicalized as well.

does the attached patch, which applies to kdelibs/plasma/, fix it for you?

-- 
Aaron J. Seigo
humru othro a kohnu se
GPG Fingerprint: 8B8B 2209 0C6F 7C47 B1EA  EE75 D6B7 2EB1 A7F1 DB43

KDE core developer sponsored by Qt Software

-------------- next part --------------
A non-text attachment was scrubbed...
Name: canonical_basepath.diff
Type: text/x-patch
Size: 656 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20090105/d8e08cbf/attachment.bin>
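
The containment check discussed in the message above, as an added example that is not part of the original post and is not the Plasma code or the attached patch. It shows why both sides of the comparison have to be canonical: a symlink that escapes the package is rejected either way, but a legitimate file is also rejected when the base path itself runs through a symlink and is compared as given. Assumptions: the shape of the pre-fix check, the function names (insideNaive, insideFixed, makeFixture), the constructed temp-dir layout, and POSIX realpath() standing in for Qt's path canonicalization.

```cpp
// Added example, not the Plasma source. POSIX only; all names are hypothetical.
#include <climits>
#include <cstdio>
#include <cstdlib>
#include <fstream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Resolve symlinks, "." and ".."; returns "" when the path does not exist.
std::string canonical(const std::string &p) {
    char buf[PATH_MAX];
    return realpath(p.c_str(), buf) ? std::string(buf) : std::string();
}

// True when path lies below directory dir (match ends on a '/' boundary).
static bool below(const std::string &path, std::string dir) {
    if (!dir.empty() && dir[dir.size() - 1] != '/') dir += '/';
    return !dir.empty() && path.compare(0, dir.size(), dir) == 0;
}

// Assumed shape of the check before the fix: canonical file, base as given.
bool insideNaive(const std::string &base, const std::string &rel) {
    return below(canonical(base + "/" + rel), base);
}

// Base path canonicalized as well, as the message proposes.
bool insideFixed(const std::string &base, const std::string &rel) {
    return below(canonical(base + "/" + rel), canonical(base));
}

// Constructed layout in a temp dir: real/pkg/image.png (legitimate file),
// real/pkg/leak -> ../../secret.txt (escapes the package), link -> real.
std::string makeFixture() {
    char tmpl[] = "/tmp/pkgcheckXXXXXX";
    if (!mkdtemp(tmpl)) return "";
    const std::string root = canonical(tmpl);
    if (mkdir((root + "/real").c_str(), 0700) != 0 || mkdir((root + "/real/pkg").c_str(), 0700) != 0) return "";
    std::ofstream((root + "/secret.txt").c_str()).put('s');
    std::ofstream((root + "/real/pkg/image.png").c_str()).put('i');
    if (symlink("../../secret.txt", (root + "/real/pkg/leak").c_str()) != 0 ||
        symlink("real", (root + "/link").c_str()) != 0) return "";
    return root;
}

int main() {
    const std::string base = makeFixture() + "/link/pkg";  // base via symlinked prefix
    std::printf("naive: image=%d leak=%d\n", insideNaive(base, "image.png"), insideNaive(base, "leak"));
    std::printf("fixed: image=%d leak=%d\n", insideFixed(base, "image.png"), insideFixed(base, "leak"));
}
```
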