QProcess Security and KSaveFile::rcsBackupFile()

Gregory Hayes syncomm at gmail.com
Tue Feb 7 19:54:14 GMT 2006


I attached a patch that should implement the desired behavior. Please glance
over it before I commit.

RCS is available on Windows as well. To maintain cross-platform
compatibility, will I need to search for "rcs.exe" in addition to "rcs", or
will KStandardDirs::findExe("rcs") find both cases?

Thanks!

Greg
-

On 2/7/06, Martijn Klingens <klingens at kde.org> wrote:
> On Friday 03 February 2006 02:05, Allen Winter wrote:
> > On Thursday 02 February 2006 04:02, Gregory Hayes wrote:
> > > That is a good point, I didn't think of the path issue! I believe the LSB
> > > specifies /usr/bin as the RCS default, but other platforms may pop it in
> > > a different part of the tree. Is there a way to just remove "." from the
> > > QProcess $PATH? If not I would suggest "/bin:/usr/bin:/usr/local/bin"
> > > (but someone could be creative and stick it in /opt/rcs-5.7/bin or
> > > something). RCS is likely "rcs.exe" on Windows too, so we may need to
> > > massage that as well (if it matters to QProcess).
> >
> > I just committed a change that uses the $PATH you suggest.
>
> That runs shell commands though. As long as qFilename is properly quoted it
> doesn't allow arbitrary command execution per se, but it still seems like a
> needless security risk to me.
>
> Why don't you pass the result of KStandardDirs::findExe instead of relying
> on /usr/bin/env?
>
> See
> http://developer.kde.org/documentation/library/cvs-api/kdelibs-apidocs/kdecore/html/classKStandardDirs.html#e1
>
> That also makes it somewhat more portable towards non-Unix platforms where the
> 'VAR=value cmd --args' style of invocation is often unavailable. (Not to
> mention that /usr/bin/env is often unavailable, but so is rcs probably as
> well, making this possibly a moot point.)
>
> --
> Martijn
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ksavefile-findexe.patch
Type: text/x-patch
Size: 1649 bytes
Desc: not available
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20060207/39c5d1ab/attachment.bin>
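
The approach suggested in the quoted reply, as an added example that is neither the attached patch nor KDE code: resolve the program to an absolute path from a fixed list of trusted directories (dropping "." and empty entries), then run it with an argument vector so that neither a shell nor /usr/bin/env is involved. The names trustedDirs, findExeIn and runNoShell are hypothetical, and the code assumes a POSIX system.

```cpp
// Added illustration (POSIX only); function names are hypothetical, not KDE API.
#include <sstream>
#include <string>
#include <vector>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

// Split a PATH-style string, keeping only absolute directories.
// "." and empty entries both mean "current directory" to exec*p(), so drop them.
std::vector<std::string> trustedDirs(const std::string &path) {
    std::vector<std::string> dirs;
    std::istringstream in(path);
    std::string d;
    while (std::getline(in, d, ':'))
        if (!d.empty() && d[0] == '/')
            dirs.push_back(d);
    return dirs;
}

// Return the absolute path of the first executable regular file `name`, or "".
std::string findExeIn(const std::vector<std::string> &dirs, const std::string &name) {
    if (name.empty() || name.find('/') != std::string::npos)
        return "";                        // bare program names only
    for (const auto &d : dirs) {
        const std::string candidate = d + "/" + name;
        struct stat st;
        if (stat(candidate.c_str(), &st) == 0 && S_ISREG(st.st_mode) &&
            access(candidate.c_str(), X_OK) == 0)
            return candidate;
    }
    return "";
}

// Run `exe` with an argv vector: no shell, no PATH search, no quoting of args.
// Returns the exit status, or -1 on fork/wait failure or abnormal termination.
int runNoShell(const std::string &exe, const std::vector<std::string> &args) {
    std::vector<char *> argv{const_cast<char *>(exe.c_str())};
    for (const auto &a : args)
        argv.push_back(const_cast<char *>(a.c_str()));
    argv.push_back(nullptr);
    const pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(exe.c_str(), argv.data());  // execv, not execvp: path is already absolute
        _exit(127);                       // only reached if exec failed
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Because the file name travels as its own argv element, a name containing spaces, quotes or `;` reaches the program unchanged and is never parsed as shell syntax.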