- Validate the plugin name of the package at install time to prevent the

injection of bad characters into the path when the package is removed.


svn path=/trunk/KDE/kdebase/workspace/libs/plasma/; revision=846853

package.cpp

@@ -22,6 +22,7 @@
 
 #include <QDir>
 #include <QFile>
+#include <QRegExp>
 
 #include <KArchiveDirectory>
 #include <KArchiveEntry>
@@ -272,6 +273,14 @@ bool Package::installPackage(const QString& package,
         return false;
     }
 
+    // Ensure that package names are safe so package uninstall can't inject
+    // bad characters into the paths used for removal.
+    QRegExp validatePluginName("^[\\w-\\.]+$"); // Only allow letters, numbers, underscore and period.
+    if ( !validatePluginName.exactMatch(targetName) ) {
+        kWarning() << "Package plugin name " << targetName << "contains invalid characters";
+	return false;
+    }
+
     targetName = packageRoot + '/' + targetName;
     if (QFile::exists(targetName)) {
         kWarning() << targetName << "already exists";