From a8107c332f110bf4c94566c93305c371b4c73b72 Mon Sep 17 00:00:00 2001 From: Michele Calgaro Date: Sun, 16 Feb 2020 13:40:48 +0900 Subject: Security: remove support for in KRun which could have allowed execution of malicious code. This is similar to issue TDE/tdelibs#45 for .desktop files. Signed-off-by: Michele Calgaro (cherry picked from commit 4f961d77d6da693c51c5be16366dc172b45c96e0) --- lib/widgets/kdevhtmlpart.cpp | 19 +------------------ 1 file changed, 1 insertion(+), 18 deletions(-) (limited to 'lib/widgets') diff --git a/lib/widgets/kdevhtmlpart.cpp b/lib/widgets/kdevhtmlpart.cpp index 35b2216f..a8520e30 100644 --- a/lib/widgets/kdevhtmlpart.cpp +++ b/lib/widgets/kdevhtmlpart.cpp @@ -259,24 +259,7 @@ TQString KDevHTMLPart::resolveEnvVarsInURL(const TQString& url) // Note: the while loop below is a copy of code in tdecore/tdeconfigbase.cpp ;) while( nDollarPos != -1 && nDollarPos+1 < static_cast(path.length())) { // there is at least one $ - if( (path)[nDollarPos+1] == '(' ) { - uint nEndPos = nDollarPos+1; - // the next character is no $ - while ( (nEndPos <= path.length()) && (path[nEndPos]!=')') ) - nEndPos++; - nEndPos++; - TQString cmd = path.mid( nDollarPos+2, nEndPos-nDollarPos-3 ); - - TQString result; - FILE *fs = popen(TQFile::encodeName(cmd).data(), "r"); - if (fs) - { - TQTextStream ts(fs, IO_ReadOnly); - result = ts.read().stripWhiteSpace(); - pclose(fs); - } - path.replace( nDollarPos, nEndPos-nDollarPos, result ); - } else if( (path)[nDollarPos+1] != '$' ) { + if( (path)[nDollarPos+1] != '$' ) { uint nEndPos = nDollarPos+1; // the next character is no $ TQString aVarName; -- cgit v1.2.1