Review Request: Fix sanitization of dbus path in KMainWindow

Thiago Macieira thiago at kde.org
Tue Aug 18 07:35:19 BST 2009


Matthew Woehlke wrote:
>Index: widgets/kmainwindow.cpp
>===================================================================
>--- widgets/kmainwindow.cpp     (revision 1012587)
>+++ widgets/kmainwindow.cpp     (working copy)
>@@ -306,6 +306,12 @@
>      return false;
>  }
>
>+static bool isIdentifier(char c)
>+{  // the order btw is [a-zA-Z_0-9]
>+    return (c > 96 && c < 123) || (c > 64 && c < 91) ||
>+               c == '_' || (c > 47 && c < 58);
>+}
>+

Why did you write this so cryptically?

>-    QString pathname = q->objectName();
>+    QString pathname = QString( q->objectName().toAscii() );
>      // Clean up for dbus usage: any non-alphanumeric char should be
>turned into '_'
>      const int len = pathname.length();
>      for ( int i = 0; i < len; ++i ) {
>-        if ( !( pathname[i].isLetter() || pathname[i].isDigit() ) )
>+        if ( !isIdentifier( pathname[i].toAscii() ) )
>              pathname[i] = QLatin1Char('_');
>      }
>      pathname = '/' + qApp->applicationName() + '/' + pathname;

From qdbusutil.cpp:
static inline bool isValidCharacterNoDash(const QChar &c)
{
    register ushort u = c.unicode();
    return (u >= 'a' && u <= 'z')
            || (u >= 'A' && u <= 'Z')
            || (u >= '0' && u <= '9')
            || (u == '_');
}

Then use this function with your loop above. There's no need for toAscii 
anywhere:
>-    QString pathname = q->objectName();
>+     QString pathname = '/' + qApp->applicationName() + '/' 
>+     + q->objectName();
>      // Clean up for dbus usage: any non-alphanumeric char should be
>turned into '_'
>      const int len = pathname.length();
>      for ( int i = 0; i < len; ++i ) {
>-        if ( !( pathname[i].isLetter() || pathname[i].isDigit() ) )
>+        if ( pathname != QLatin1Char('/') && !isValidCharacterNoDash( 
pathname[i] ) )
>              pathname[i] = QLatin1Char('_');
>      }
>-     pathname = '/' + qApp->applicationName() + '/' + pathname;

I've also moved the application name above the cleanup, since it needs to 
be cleaned up too. That required checking for /.

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
  Senior Product Manager - Nokia, Qt Development Frameworks
      PGP/GPG: 0x6EF45358; fingerprint:
      E067 918B B660 DBD1 105C  966C 33F5 F005 6EF4 5358

Qt Developer Days 2009 | Registration Now Open!
Munich, Germany: Oct 12 - 14     San Francisco, California: Nov 2 - 4
      http://qt.nokia.com/qtdevdays2009
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
URL: <http://mail.kde.org/pipermail/kde-core-devel/attachments/20090818/ba18f494/attachment.sig>


More information about the kde-core-devel mailing list