Commit e608fbd8 authored by David Edmundson's avatar David Edmundson
Browse files

Do not pass ntpUtility as an argument to datetime helper

Passing the name of a binary to run to a polkit helper is a security
risk as it allows any arbitrary process to be executed.

This patch moves the detection of ntp utility location into the helper
function.
parent 58bb376f
......@@ -246,9 +246,8 @@ void Dtime::save( QVariantMap& helperargs )
helperargs["ntp"] = true;
helperargs["ntpServers"] = list;
helperargs["ntpEnabled"] = setDateTimeAuto->isChecked();
helperargs["ntpUtility"] = ntpUtility;
if(setDateTimeAuto->isChecked() && !ntpUtility.isEmpty()){
if(setDateTimeAuto->isChecked()) {
// NTP Time setting - done in helper
timeServer = timeServerList->currentText();
kDebug() << "Setting date from time server " << timeServer;
......
......@@ -52,8 +52,7 @@
// clears it. So we have to use a reasonable default.
static const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled,
const QString& ntpUtility )
int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled )
{
int ret = 0;
......@@ -69,6 +68,11 @@ int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled,
config.writeEntry("servers", ntpServers );
config.writeEntry("enabled", ntpEnabled );
QString ntpUtility = QStandardPaths::findExecutable("ntpdate");
if (!ntpUtility) {
ntpUtility = QStandardPaths::findExecutable("rdate");
}
if ( ntpEnabled && !ntpUtility.isEmpty() ) {
// NTP Time setting
QString timeServer = ntpServers.first();
......@@ -234,7 +238,7 @@ ActionReply ClockHelper::save(const QVariantMap &args)
int ret = 0; // error code
// The order here is important
if( _ntp )
ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool(), args.value("ntpUtility").toString() );
ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool());
if( _date )
ret |= date( args.value("newdate").toString(), args.value("olddate").toString() );
if( _tz )
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment