Patch: don't expand env vars in remote URLs
Dawit A.
adawit at kde.org
Tue Nov 19 03:34:57 GMT 2002
On Monday 18 November 2002 14:04, you wrote:
> Dirk pointed out to me that expanding env vars in remote URLs such as
> http://www.kde.org/cgi.pl?user=$USER could be a security issue.
I know. Bug# 49765 is about this very issue :)
> Given that env vars are expanded only when typing (or pasting) the URL
> into minicli, konq's location bar, or bookmarks, the security risk isn't
> very high (this doesn't happen when e.g. clicking on a link, or being
> redirected). But anyway, the fact that env vars are expanded in such a
> context could simply lead to bugs (queries are allowed to have '$' signs in
> them, and this doesn't mean an env var; same thing with local files: I
> could very well have a real file named /tmp/my$user, since $ is allowed in
> filenames).
Yes, I agree. It was an over-reach on my part and I have no problem with it
being removed.
> Therefore the attached patch, which not only disables env-var-expansion
> in remote URLs, but also anywhere else than at the start of the string,
> and also disabling the "support" for nested env vars - quite a broken
> feature in itself, since
> 1) it could infinitely recurse in theory (export foo=$foo)
> 2) shells don't do that. They don't automatically expand nested env vars.
>
> If you object, please specify to which "feature removal" you object
> exactly:)
No objection. One more request however. Remove "about:konqueror" as well.
It does not belong there and konqueror handles it itself anyways AFAICT. I
would have done it myself, but I have already started re-doing some things on
this filter on my local copy and am too lazy to check out the current version
:)
Regards,
Dawit A.
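
An added example (not from this message or from the KDE patch it discusses) of the rule the thread settles on: expand an environment variable only at the start of the typed string, in a single pass with no nested expansion. The function name `expandLeadingEnvVar` and the `DEMO_*` variables are assumptions made for illustration.

```cpp
#include <cctype>
#include <cstdlib>
#include <iostream>
#include <string>

// Expand one environment variable, and only when the input begins with
// "$NAME". A '$' anywhere else (URL query, mid-path) is left as literal text.
std::string expandLeadingEnvVar(const std::string& input) {
    if (input.size() < 2 || input[0] != '$') return input;

    // Variable name: letters, digits and underscores following the '$'.
    std::size_t end = 1;
    while (end < input.size() &&
           (std::isalnum(static_cast<unsigned char>(input[end])) ||
            input[end] == '_')) {
        ++end;
    }
    if (end == 1) return input;  // '$' not followed by a name

    const char* value = std::getenv(input.substr(1, end - 1).c_str());
    if (value == nullptr) return input;  // unset variable: keep text as typed

    // The value is appended verbatim and never re-scanned, so a variable
    // whose value contains '$' (e.g. foo=$foo) cannot trigger recursion.
    return std::string(value) + input.substr(end);
}

int main() {
    // Constructed sample environment (POSIX setenv), not taken from the thread.
    setenv("DEMO_DIR", "/home/demo", 1);
    setenv("DEMO_NESTED", "$DEMO_DIR", 1);

    const char* samples[] = {
        "$DEMO_DIR/notes.txt",                   // expanded
        "$DEMO_NESTED/notes.txt",                // one level only
        "http://www.kde.org/cgi.pl?user=$USER",  // untouched
        "/tmp/my$user",                          // untouched
    };
    for (const char* s : samples)
        std::cout << s << " -> " << expandLeadingEnvVar(s) << '\n';
    return 0;
}
```

Because only a leading `$NAME` is considered, the query string in the `http://www.kde.org/cgi.pl?user=$USER` case and the literal file name `/tmp/my$user` both pass through unchanged.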