Security patch for kdeprintfax

Waldo Bastian bastian at kde.org
Sat Dec 7 14:32:06 GMT 2002


On Saturday 07 December 2002 01:07, Olaf Jan Schmidt wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi!
>
> I have a bug fix for a small security problem in kdeprintfax.
>
> Variables are always replaced with quoted values, even if they are already
> in quotes. The result is that the variables will be unquoted, leading to
> a small security hole.

If you quote properly, i.e. by using KProcess::quote() or a similar function, 
then quoting properly again will not "unquote". The result might not be what 
you want though (it will have too many quotes). 

If you quote improperly, i.e. by only placing the string between "" or '', 
then the result is unsafe anyway, no matter how many times you quote.

> I don't think there are any real possibilities to exploit this, but it can
> do no harm to fix this by unquoting all variables that are within quotes.
>
> I copied the patch from another application where we had the same problem;
> I am quite new to KDE programming and not totally sure I applied the
> patch correctly. Could someone please check whether everything is OK?

Sure, just send the patch.

Cheers,
Waldo
-- 
bastian at kde.org -=|[ SuSE, The Linux Desktop Experts ]|=- bastian at suse.com
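The distinction drawn in the reply above, proper quoting in the style of KProcess::quote() versus merely placing a value between quote characters, can be checked mechanically. The following is an added C++ example, not code from the original message or from kdeprintfax. It assumes KProcess::quote() wraps the argument in single quotes and rewrites each embedded ' as '\'' (stated here as an assumption), uses a hypothetical "sendfax -d" command template, and feeds the result to a minimal POSIX-shell lexer that reports how many ';' separators and '$'/'`' expansions remain unquoted. Naive double quoting lets a hostile value end the word and start a second command; proper quoting keeps it as one word; quoting properly twice yields one word with surplus quotes, exactly the "too many quotes but not unquoted" outcome the reply describes.

```cpp
#include <cstddef>
#include <initializer_list>
#include <iostream>
#include <string>
#include <vector>

// Quote an argument for a POSIX shell the way KProcess::quote() is assumed to:
// wrap in single quotes and rewrite each embedded ' as '\'' (assumption; this
// is an added example, not the KDE implementation).
std::string properQuote(const std::string& arg) {
    std::string out = "'";
    for (char c : arg) {
        if (c == '\'') out += "'\\''";   // close, escaped quote, reopen
        else out += c;
    }
    return out + "'";
}

// The "improper" quoting the reply warns about: only placing the string
// between quote characters, with no escaping of the value itself.
std::string naiveDoubleQuote(const std::string& arg) { return "\"" + arg + "\""; }

// Command template a fax front end might build (hypothetical tool and flag).
std::string buildCommand(const std::string& quotedNumber) {
    return "sendfax -d " + quotedNumber;
}

struct ShellParse {
    std::vector<std::string> words;  // words across the whole line, separators dropped
    int unquotedSeparators = 0;      // ';' seen outside any quotes: starts a second command
    int unquotedExpansions = 0;      // '$' or '`' seen where the shell would expand it
};

// Minimal POSIX-shell lexer (single quotes, double quotes, backslash, ';'):
// enough to tell whether quoting kept the untrusted value inside one word.
ShellParse lexShellLine(const std::string& line) {
    ShellParse r;
    std::string cur;
    bool inWord = false;
    enum State { NONE, SINGLE, DOUBLE } st = NONE;
    auto flush = [&]() { if (inWord) { r.words.push_back(cur); cur.clear(); inWord = false; } };
    for (std::size_t i = 0; i < line.size(); ++i) {
        char c = line[i];
        if (st == SINGLE) {                      // everything literal until the next '
            if (c == '\'') st = NONE; else cur += c;
            continue;
        }
        if (st == DOUBLE) {                      // " ends; \ escapes " \ $ `; $ and ` still expand
            if (c == '"') { st = NONE; continue; }
            if (c == '\\' && i + 1 < line.size() &&
                std::string("\"\\$`").find(line[i + 1]) != std::string::npos) {
                cur += line[++i];
                continue;
            }
            if (c == '$' || c == '`') ++r.unquotedExpansions;
            cur += c;
            continue;
        }
        // Unquoted state: metacharacters are live here.
        if (c == '\\' && i + 1 < line.size()) { cur += line[++i]; inWord = true; continue; }
        if (c == '\'') { st = SINGLE; inWord = true; continue; }
        if (c == '"')  { st = DOUBLE; inWord = true; continue; }
        if (c == ' ' || c == '\t') { flush(); continue; }
        if (c == ';')  { ++r.unquotedSeparators; flush(); continue; }
        if (c == '$' || c == '`') ++r.unquotedExpansions;
        cur += c;
        inWord = true;
    }
    flush();
    return r;
}

int main() {
    // Constructed hostile "fax number" that tries to close the quotes and run a second command.
    const std::string evil = "123\"; rm -rf /; echo \"";
    for (const std::string& q : { naiveDoubleQuote(evil), properQuote(evil), properQuote(properQuote(evil)) }) {
        ShellParse p = lexShellLine(buildCommand(q));
        std::cout << buildCommand(q) << "\n  words=" << p.words.size()
                  << "  unquoted ';'=" << p.unquotedSeparators
                  << "  unquoted expansions=" << p.unquotedExpansions << "\n";
    }
    return 0;
}
```

The lexer deliberately models only the shell features needed to make the point; real shells have more metacharacters (|, &, newline, globbing), which is one more reason to prefer passing an argument vector to the fax program over building a command line at all.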

More information about the kde-core-devel mailing list