Commit 9db872df authored by Marco Martin

Make sure device paths are quoted

In the case a vfat removable device has $() or `` in its label,
such as $(touch foo), the quoted command may get executed,
leaving an attack vector. Use KMacroExpander::expandMacrosShellQuote
to make sure everything is quoted and not interpreted as a command.

BUG:389815
parent fc9b8df0
...@@ -158,7 +158,7 @@ void DelayedExecutor::delayedExecute(const QString &udi) ...@@ -158,7 +158,7 @@ void DelayedExecutor::delayedExecute(const QString &udi)
QString exec = m_service.exec(); QString exec = m_service.exec();
MacroExpander mx(device); MacroExpander mx(device);
mx.expandMacros(exec); mx.expandMacrosShellQuote(exec);
KRun::runCommand(exec, QString(), m_service.icon(), 0); KRun::runCommand(exec, QString(), m_service.icon(), 0);
deleteLater(); deleteLater();
......
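Review bot: The return value of mx.expandMacrosShellQuote(exec) is discarded, so exec goes to KRun::runCommand even when quoting failed. In KMacroExpander, expandMacrosShellQuote returns false when the string cannot be parsed well enough for safe substitution, and the macros will have been processed only up to the point of the error. Suggest checking the result and returning early on failure (after deleteLater(), with a warning logged), for example `if (!mx.expandMacrosShellQuote(exec)) { deleteLater(); return; }`, so a partially expanded command line never reaches the shell. A regression test that uses a device label containing $(...) and backticks would also pin down the behaviour this fix is meant to guarantee.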