Path check in kdelibs/plasma/package.cpp ?
Frank Wilson
frank at thefixedpoint.me.uk
Mon Jan 5 20:21:37 GMT 2009
> this really belongs on plasma-devel at kde.org, but we're here now =)
Sorry, I'll be more careful to find the appropriate mailing list next
time. :s
> so that you can't get the user to install a package but then access files all
> over the system via the package. imagine a package that comes in over the
> internet and has a symlink to say some sensitive system or user file (say ..
> your address book), and then requests that file to be sent back over the
> internet somewhere. holy security hole!
I think I understand your point about security.
> in this case, i suppose what we ought to do is make sure that d->basePath is
> canonicalized as well.
>
> does the attached patch, which applies to kdelibs/plasma/, fix it for you?
Thanks for the patch! It seems to resolve the issue for me, I hope you
can integrate it into the final 4.2 release! :)
Thanks,
Frank Wilson
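
The path check discussed in this thread, as an added example that is not part of the original messages or of the kdelibs patch: a C++17 `std::filesystem` containment check that canonicalizes both the package base path and the requested file. It assumes the pre-patch check compared a canonicalized file path against an uncanonicalized base path; `insidePackage`, `demo` and the fixture paths are hypothetical names.

```cpp
#include <algorithm>
#include <filesystem>
#include <fstream>
#include <iostream>
#include <system_error>
namespace fs = std::filesystem;

// True only if `relative`, resolved through every symlink, still lies under the
// package root. canonicalizeBase=false models the assumed pre-patch behaviour.
bool insidePackage(const fs::path& basePath, const fs::path& relative,
                   bool canonicalizeBase = true) {
    std::error_code ec;
    const fs::path root = canonicalizeBase ? fs::canonical(basePath, ec) : basePath;
    if (ec) return false;
    const fs::path file = fs::canonical(basePath / relative, ec);  // fails on dangling links
    if (ec) return false;
    // Compare path components, not strings, so /pkg-evil never matches /pkg.
    return std::mismatch(root.begin(), root.end(), file.begin(), file.end()).first == root.end();
}

// Constructed fixture: a package installed under a symlinked directory, holding
// one regular file and one symlink that points outside the package.
int demo() {
    const fs::path tmp = fs::temp_directory_path() / "pkgcheck-example";
    fs::remove_all(tmp);
    fs::create_directories(tmp / "real" / "pkg");
    std::ofstream(tmp / "real" / "pkg" / "main.js") << "ok\n";
    std::ofstream(tmp / "addressbook") << "private\n";
    fs::create_directory_symlink(tmp / "real", tmp / "link");
    fs::create_symlink(tmp / "addressbook", tmp / "real" / "pkg" / "leak");
    const fs::path base = tmp / "link" / "pkg";  // non-canonical base path

    int result = 0;
    if (insidePackage(base, "main.js")) result |= 1;         // legitimate file: accepted
    if (insidePackage(base, "leak")) result |= 2;            // escaping symlink: rejected
    if (insidePackage(base, "missing")) result |= 4;         // nonexistent file: rejected
    if (insidePackage(base, "main.js", false)) result |= 8;  // uncanonicalized base: false reject
    fs::remove_all(tmp);
    return result;
}

int main() { std::cout << demo() << "\n"; }
```

With the base left uncanonicalized, the legitimate `main.js` is refused because its resolved path no longer shares a prefix with the symlinked install path; canonicalizing both sides accepts it while still refusing the link that leaves the package.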