Patch: don't expand env vars in remote URLs

David Faure david at mandrakesoft.com
Mon Nov 18 19:04:10 GMT 2002



Dirk pointed out to me that expanding env vars in remote URLs such as http://www.kde.org/cgi.pl?user=$USER
could be a security issue.
Given that env vars are expanded only when typing (or pasting) the URL
into minicli, konq's location bar, or bookmarks, the security risk isn't very
high (this doesn't happen when e.g. clicking on a link, or being redirected).
But anyway, the fact that env vars are expanded in such a context
could simply lead to bugs (queries are allowed to have '$' signs in them, and
this doesn't mean an env var; same thing with local files: I could very well have
a real file named /tmp/my$user, since $ is allowed in filenames).

Therefore the attached patch, which not only disables env-var expansion
in remote URLs, but also anywhere else than at the start of the string,
and also disables the "support" for nested env vars - quite a broken feature
in itself, since
1) it could infinitely recurse in theory (export foo=$foo)
2) shells don't do that. They don't automatically expand nested env vars.

If you object, please specify to which "feature removal" you object exactly :)

Note that the kurifiltertest still passes, so no essential feature has been
removed :)

-- 
David FAURE, david at mandrakesoft.com, faure at kde.org
http://people.mandrakesoft.com/~david/
Contributing to: http://www.konqueror.org/, http://www.koffice.org/
Get the latest KOffice - http://download.kde.org/stable/koffice-1.2/
Attachment: shorturi.diff (text/x-diff, 2263 bytes): <https://mail.kde.org/mailman/private/kfm-devel/attachments/20021118/c17a5f50/attachment.diff>
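As an added illustration of the policy described in the message above (this is not the attached shorturi.diff, which is not reproduced here), the following Python sketch expands an environment variable only at the start of a local path, never inside a remote URL, and never recursively; the function names and the sample environment are constructed for the example.

```python
import re

# Only a leading "$NAME" or "${NAME}" is a candidate for expansion.
_LEADING_VAR = re.compile(
    r'^\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))'
)
# "scheme://..." with any scheme other than file: is treated as remote.
_SCHEME = re.compile(r'^([A-Za-z][A-Za-z0-9+.-]*)://')

# Constructed sample environment; "foo" refers to itself to show that
# nested expansion does not recurse.
CONSTRUCTED_ENV = {"USER": "david", "HOME": "/home/david", "foo": "$foo"}


def is_remote_url(text):
    """True for http://, ftp:// etc.; False for plain paths and file:// URLs."""
    m = _SCHEME.match(text)
    return bool(m) and m.group(1).lower() != "file"


def expand_leading_env_var(text, env):
    """Substitute one env var at the very start of a local path, exactly once.

    A remote URL is returned untouched, so '?user=$USER' in a query string is
    never rewritten.  A '$' anywhere but position 0 (e.g. /tmp/my$user) is an
    ordinary character.  The substituted value is not re-scanned, so
    export foo=$foo cannot loop.
    """
    if is_remote_url(text):
        return text
    m = _LEADING_VAR.match(text)
    if not m:
        return text
    name = m.group(1) or m.group(2)
    if name not in env:
        # Unknown variable: leave the text alone rather than guessing.
        return text
    return env[name] + text[m.end():]


if __name__ == "__main__":
    for sample in ("http://www.kde.org/cgi.pl?user=$USER", "$HOME/.kde",
                   "/tmp/my$user", "$HOME/$USER", "$foo/x"):
        print(f"{sample!r:45} -> {expand_leading_env_var(sample, CONSTRUCTED_ENV)!r}")
```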