QProcess Security and KSaveFile::rcsBackupFile()

Allen Winter winter at kde.org
Thu Feb 2 00:55:05 GMT 2006


So we have an rcsBackupFile() method now in the KSaveFile class that uses RCS
to implement backups.  This is in addition to the simple (1 backup with an extension)
and numbered (N backups) implementations.

I'm not sure how well RCS handles binary files, but that's not the point of this message.

rcsBackupFile() uses QProcess to run the commands 'rcs', 'co', and 'ci'.  Greg didn't provide
a fullpath, and I think this is a security problem.  And what if the first 'rcs' in your $PATH doesn't
happen to be the rcs you really want.   Should we provide a fullpath?  If so, are the RCS commands
always in /usr/bin?  Probably not guaranteed.

I like the idea to QProcess a command like 'PATH=/usr/bin:/usr/local/bin rcs' instead of just 'rcs'.
What is a good $PATH for this idea?

I hate the idea:
#if linux
#define RCS_PATH "/usr/bin"
#elif windows
#define RCS_PATH 'c:/whatever/bin"
and then using QProcess on RCS_PATH + "/rcs"

Other ideas?  We looked for an RCS API library and didn't find any.

Let's Keep the Political Talk Out of KDE PLEASE

More information about the kde-core-devel mailing list