be careful with relative paths and symlinks in packages and themes; we don't want widgets referencing random files/resources, just stuff in the given package

svn path=/trunk/KDE/kdebase/workspace/libs/plasma/; revision=848476
Aaron J. Seigo 2008-08-17 20:52:37 +00:00
parent 3a008feb23
commit 35f8bbcc64
2 changed files with 32 additions and 11 deletions


@ -133,7 +133,13 @@ QString Package::filePath(const char* fileType, const QString& filename) const
}
if (QFile::exists(path)) {
return path;
// ensure that we don't return files outside of our base path
// due to symlink or ../ games
QDir dir(path);
QString canonicalized = dir.canonicalPath();
if (canonicalized.startsWith(d->basePath)) {
return path;
}
}
kDebug() << path << "does not exist";
@ -158,11 +164,16 @@ QStringList Package::entryList(const char* fileType) const
QDir dir(d->basePath + d->structure->contentsPrefix() + path);
if (!dir.exists()) {
return QStringList();
if (dir.exists()) {
// ensure that we don't return files outside of our base path
// due to symlink or ../ games
QString canonicalized = dir.canonicalPath();
if (canonicalized.startsWith(d->basePath)) {
return dir.entryList(QDir::Files | QDir::Readable);
}
}
return dir.entryList(QDir::Files | QDir::Readable);
return QStringList();
}
const PackageMetadata* Package::metadata() const
@ -362,17 +373,17 @@ bool Package::uninstallPackage(const QString& pluginName,
QString service = KStandardDirs::locateLocal("services", serviceName + ".desktop");
kDebug() << "Removing service file " << service;
bool ok = QFile::remove( service );
bool ok = QFile::remove(service);
if ( !ok ) {
kWarning() << "Unable to remove " << service;
return ok;
if (!ok) {
kWarning() << "Unable to remove " << service;
return ok;
}
KIO::DeleteJob *job = KIO::del( KUrl(targetName) );
KIO::DeleteJob *job = KIO::del(KUrl(targetName));
if (!job->exec()) {
kWarning() << "Could not delete package from:" << targetName << " : " << job->errorString();
return false;
kWarning() << "Could not delete package from:" << targetName << " : " << job->errorString();
return false;
}
return true;
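Review bot: The containment check in filePath (`canonicalized.startsWith(d->basePath)`) compares a fully canonicalized path against a base path that is not canonicalized, so if any component of d->basePath is itself a symlink (a common setup for home or data directories) every legitimate file will be rejected, and conversely a plain prefix match lets a sibling directory such as `<base>-evil/` pass unless basePath is guaranteed to end in a separator, which is not visible here. I would canonicalize the base once and require a separator after it: `const QString base = QDir(d->basePath).canonicalPath();` followed by `if (!base.isEmpty() && (canonicalized == base || canonicalized.startsWith(base + QLatin1Char('/')))) {`. The same two points apply to the entryList hunk, which repeats the check verbatim, so a small private helper returning bool would keep the two in sync. Note also that `QDir(path).canonicalPath()` is being applied to a file path in filePath; if it behaves as expected it is fine, but `QFileInfo(path).canonicalFilePath()` states the intent more directly. Both filePath and entryList start outside their hunks, and the uninstallPackage hunk is whitespace-only.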


@ -283,6 +283,11 @@ QString Theme::themeName() const
QString Theme::imagePath(const QString& name) const
{
// look for a compressed svg file in the theme
if (name.contains("../")) {
// we don't support relative paths
return QString();
}
QString path = d->findInTheme(name + ".svgz", d->themeName);
if (path.isEmpty()) {
@ -360,6 +365,11 @@ QString Theme::wallpaperPath(const QSize &size) const
bool Theme::currentThemeHasImage(const QString& name) const
{
if (name.contains("../")) {
// we don't support relative paths
return false;
}
return !(d->findInTheme(name + ".svgz", d->themeName).isEmpty()) ||
!(d->findInTheme(name + ".svg", d->themeName).isEmpty());
}
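Review bot: The `name.contains("../")` guard added to imagePath and currentThemeHasImage is a denylist and misses several ways out of the theme directory: an absolute name (`/etc/passwd` or `C:/...`), a trailing `..` component (`foo/..`), backslash separators on Windows, and symlinks inside a theme, none of which contain the literal `../`. Whether any of these actually reach the filesystem depends on d->findInTheme, which is outside this diff, so it is worth confirming there. A stricter check is to reject any name for which `!QDir::isRelativePath(name) || name.split(QLatin1Char('/')).contains(QLatin1String(".."))` (also splitting on `\\` if Windows themes matter), or, matching the Package.cpp side of this commit, to canonicalize the found path and verify it stays under the theme's base directory. Since the identical block now appears in two methods, a private helper such as `static bool isSafeThemeName(const QString &name)` with a one-line comment explaining why relative and absolute escapes are refused would avoid the checks drifting apart.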