Security: remove support for $(...) in config keys with [$e] marker.

It is very unclear at this point what a valid use case for this feature would possibly be. The old documentation only mentions $(hostname) as an example, which can be done with $HOSTNAME instead. Note that $(...) is still supported in Exec lines of desktop files, this does not require [$e] anyway (and actually works better without it, otherwise the $ signs need to be doubled to obey tdeconfig $e escaping rules...). Based on KDE Frameworks 5 kconfig patch for CVE-2019-14744. This resolves issue #45. Signed-off-by: Slávek Banko <slavek.banko@axis.cz> (cherry picked from commit 1074eb0336)
5 years ago · b992188d7d
parent 299fc401b1
commit b992188d7d
2 changed files with 1 additions and 32 deletions
--- a/tdecore/README.kiosk
+++ b/tdecore/README.kiosk
@ -642,18 +642,6 @@ The following syntax is also supported:
 Name[$ei]=${USER}


-Shell Commands in KDE config files.
-===================================
-
-In KDE3.1 arbitrary entries in configuration files can contain shell 
-commands. This way the value of a configuration entry can be determined
-dynamically at runtime. In order to use this the entry must be marked 
-with [$e]. 
-
-Example:
-Host[$e]=$(hostname)
-
-
 KDE3 Kiosk Application API
 ==========================

--- a/tdecore/tdeconfigbase.cpp
+++ b/tdecore/tdeconfigbase.cpp
@ -276,26 +276,7 @@ TQString TDEConfigBase::readEntry( const char *pKey,

      while( nDollarPos != -1 && nDollarPos+1 < static_cast<int>(aValue.length())) {
        // there is at least one $
-        if( (aValue)[nDollarPos+1] == '(' ) {
-          uint nEndPos = nDollarPos+1;
-          // the next character is no $
-          while ( (nEndPos <= aValue.length()) && (aValue[nEndPos]!=')') )
-              nEndPos++;
-          nEndPos++;
-          TQString cmd = aValue.mid( nDollarPos+2, nEndPos-nDollarPos-3 );
-
-          TQString result;
-          FILE *fs = popen(TQFile::encodeName(cmd).data(), "r");
-          if (fs)
-          {
-             {
-             TQTextStream ts(fs, IO_ReadOnly);
-             result = ts.read().stripWhiteSpace();
-             }
-             pclose(fs);
-          }
-          aValue.replace( nDollarPos, nEndPos-nDollarPos, result );
-        } else if( (aValue)[nDollarPos+1] != '$' ) {
+        if( (aValue)[nDollarPos+1] != '$' ) {
          uint nEndPos = nDollarPos+1;
          // the next character is no $
          TQString aVarName;