Security patch for kdeprintfax

Olaf Jan Schmidt olaf at amen-online.de
Sat Dec 7 15:08:02 GMT 2002


Hi!

> If you quote properly, t.i. by using KProcess::quote() or a similar
> function, then quoting properly again will not "unquote". The result
> might not be what you want though (it will have too many quotes). 
>
> If you quote improperly, t.i. by only placing the string between "" or
> '',  then the result is unsafe anyway, no matter how many times you
>  quote.

Yes, but if you have the command
echo "hello I am %name"
and replace %name with KProcess::quote("my name"), then you have a security 
hole. This is true for all places where the user can specify a command 
containing some %variables.

As I said, I do not see any realistic exploit for that in kdeprintfax, but 
it would have been a real problem if we hadn't found that bug in the 
text-to-speech code Pupeno and Gunnar are currently developing for KDE.
I just copied the code I originally wrote for our text-to-speech command 
module.

My solution is to replace
echo "hello I am %name"
with
echo "hello I am "%name""
before replacing %name.

Gunnar is working on a general function that takes a list of %variables 
with corresponding values as parameter and that ensures that all quoting 
is handled correctly during the replacement. Maybe that could be moved to 
kdelibs later (for KDE 3.2).

> Sure, just send the patch.

I sent it to security at kde.org.
Should I send it to the list or to you as well?

Olaf.

-- 
Olaf Jan Schmidt, KDE Accessibility Project
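
Added example, not part of the original mail and not KDE code: the %name substitution discussed above, done naively and with the quote-closing fix, both run through sh. Assumptions: Python's shlex.quote() stands in for KProcess::quote(), the function names are hypothetical, and the test value is constructed and harmless.

```python
import shlex
import subprocess

TEMPLATE = 'echo "hello I am %name"'   # user-configurable command from the mail
HOSTILE = "$(echo INJECTED)"           # constructed, harmless test value

def naive_substitute(template, values):
    """Insert each quoted value in place, ignoring the quotes around %var."""
    for var, value in values.items():
        template = template.replace("%" + var, shlex.quote(value))
    return template

def quote_aware_substitute(template, values):
    """Close any open quote before %var and reopen it afterwards, so the
    quoted value is always parsed outside the template's own quotes."""
    names = sorted(values, key=len, reverse=True)  # longest name wins
    out, i, open_quote = [], 0, ""                 # open_quote: "", "'" or '"'
    while i < len(template):
        ch = template[i]
        if ch == "\\" and open_quote != "'" and i + 1 < len(template):
            out.append(template[i:i + 2])          # escaped char, copy as-is
            i += 2
            continue
        if ch == "%":
            var = next((n for n in names if template.startswith(n, i + 1)), None)
            if var is not None:
                out.append(open_quote + shlex.quote(values[var]) + open_quote)
                i += 1 + len(var)
                continue
        if ch in "'\"":
            if open_quote == "":
                open_quote = ch                    # quote opens
            elif open_quote == ch:
                open_quote = ""                    # quote closes
        out.append(ch)
        i += 1
    return "".join(out)

def run_sh(command):
    """Run the command with sh and return what it printed."""
    done = subprocess.run(["sh", "-c", command], capture_output=True, text=True)
    return done.stdout.strip()

if __name__ == "__main__":
    for substitute in (naive_substitute, quote_aware_substitute):
        command = substitute(TEMPLATE, {"name": HOSTILE})
        print(f"{substitute.__name__}: {command!r} -> {run_sh(command)!r}")
```

In the naive result the single quotes added by the quoting function sit inside the template's double quotes, where the shell treats them as ordinary characters and still expands the value.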






More information about the kde-core-devel mailing list