Security patch for kdeprintfax

Olaf Jan Schmidt olaf at
Sat Dec 7 15:08:02 GMT 2002

Hash: SHA1


> If you quote properly, t.i. by using KProcess::quote() or a similar
> function, then quoting properly again will not "unquote". The result
> might not be what you want though (it will have too many quotes). 
> If you quote improperly, t.i. by only placing the string between "" or
> '',  then the result is unsafe anyway, no matter how many times you
>  quote.

Yes, but if you have the command
echo "hello I am %name"
and replace %name with KProcess:quote("my name"), then you have a security 
hole. This is true for all places where the user can specify a command 
containing some %variables.

As I said, I do not see any realistic exploit for that in kdeprintfax, but 
it would have been a real problem if we hadn't found that bug in the 
text-to-speech code Pupeno and Gunnar are currently developing for KDE.
I just copied the code I originally wrote for our text-to-speech command 

My solution is to replace
echo "hello I am %name"
echo "hello I am "%name""
before replacing %name.

Gunnar is working on a general function that takes a list of %variables 
with corresponding values as parameter and that ensures that all quoting 
is handled correctly during the replacment. Maybe that could be moved to 
kdelibs later (for KDE 3.2).

> Sure, just send the patch.

I sent it to security at
Should I sent it to the list or to you as well?


- -- 
Olaf Jan Schmidt, KDE Accessibility Project

Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see


More information about the kde-core-devel mailing list