From 4f961d77d6da693c51c5be16366dc172b45c96e0 Mon Sep 17 00:00:00 2001
From: Michele Calgaro <michele.calgaro@yahoo.it>
Date: Sun, 16 Feb 2020 13:40:48 +0900
Subject: [PATCH] Security: remove support for  in KRun which could have
 allowed execution of malicious code. This is similar to issue TDE/tdelibs#45
 for .desktop files.

Signed-off-by: Michele Calgaro <michele.calgaro@yahoo.it>
---
 lib/widgets/kdevhtmlpart.cpp | 19 +------------------
 1 file changed, 1 insertion(+), 18 deletions(-)

diff --git a/lib/widgets/kdevhtmlpart.cpp b/lib/widgets/kdevhtmlpart.cpp
index 35b2216f..a8520e30 100644
--- a/lib/widgets/kdevhtmlpart.cpp
+++ b/lib/widgets/kdevhtmlpart.cpp
@@ -259,24 +259,7 @@ TQString KDevHTMLPart::resolveEnvVarsInURL(const TQString& url)
   // Note: the while loop below is a copy of code in tdecore/tdeconfigbase.cpp ;)
   while( nDollarPos != -1 && nDollarPos+1 < static_cast<int>(path.length())) {
     // there is at least one $
-    if( (path)[nDollarPos+1] == '(' ) {
-      uint nEndPos = nDollarPos+1;
-      // the next character is no $
-      while ( (nEndPos <= path.length()) && (path[nEndPos]!=')') )
-          nEndPos++;
-      nEndPos++;
-      TQString cmd = path.mid( nDollarPos+2, nEndPos-nDollarPos-3 );
-
-      TQString result;
-      FILE *fs = popen(TQFile::encodeName(cmd).data(), "r");
-      if (fs)
-      {
-         TQTextStream ts(fs, IO_ReadOnly);
-         result = ts.read().stripWhiteSpace();
-         pclose(fs);
-      }
-      path.replace( nDollarPos, nEndPos-nDollarPos, result );
-    } else if( (path)[nDollarPos+1] != '$' ) {
+    if( (path)[nDollarPos+1] != '$' ) {
       uint nEndPos = nDollarPos+1;
       // the next character is no $
       TQString aVarName;