D22979: Security: remove support for $(...) in config keys with [$e] marker.
Matthew Dawson
noreply at phabricator.kde.org
Wed Aug 7 03:14:21 BST 2019
mdawson added a comment.
LGTM. Regarding the test, if we want to get this change in ASAP due to the security focus, I can submit a follow-up patch re-adding it.
INLINE COMMENTS
> kconfigtest.cpp:530
> << "URL[$e]=file://${HOME}/foo" << endl
> - << "hostname[$e]=$(hostname)" << endl
> << "escapes=aaa,bb/b,ccc\\,ccc" << endl
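Review bot: Removing the `hostname[$e]=$(hostname)` entry at kconfigtest.cpp:530 leaves the suite with no case that feeds a `$(...)` value through `[$e]`, so nothing would fail if command execution were reintroduced later. Keep the entry as a negative test and assert that the value read back is not the output of running `hostname`; the neighbouring `URL[$e]=file://${HOME}/foo` line already covers the environment-variable expansion that stays in place.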
Instead of removing this test, can it instead be switched to verify the command execution does not occur?
> options.md:78
>
> -Note that the application will replace `$USER` and `$(hostname)` with their
> +Note that the application will replace `$USER` with their
> respective expanded values after saving. To prevent this combine the `$e` option
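Review bot: The reworded note at options.md:78 drops `$(hostname)` without saying that `$(...)` is no longer expanded, so a reader with an existing entry of that form gets no hint that its behaviour has changed. Add a sentence next to this note stating that command substitution in `[$e]` entries is not supported and that only variables such as `$USER` are expanded.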
Grammar suggestion: Note that the application will replace `$USER` with its expanded values after saving.
REPOSITORY
R237 KConfig
BRANCH
security_kill_popen
REVISION DETAIL
https://phabricator.kde.org/D22979
To: dfaure, mdawson, aacid, broulik, davidedmundson, kossebau, apol, sitter, security-team
Cc: ngraham, kde-frameworks-devel, LeGast00n, michaelh, bruns