Version: 3.5.1 (using KDE 3.5.1, Gentoo) Compiler: gcc version 3.3.5-20050130 (Gentoo 3.3.5.20050130-r1, ssp-3.3.5.20050130-1, pie-8.7.7.1) OS: Linux (i686) release 2.6.14-gentoo-r5 An application resource with a typical command line like 'command "%u"' or whatever and having the "place in system tray" option checked will not launch the application correctly, if at all, if the url has special characters. I assume this is because KDE calls ksystraycmd but forgets to escape characters like (, ), etc, causing the shell call to fail. I'm guessing this is what happened, anyway, when I encountered this problem when setting up a resource for mplayer, then trying to load a file in a directory that had ()'s in it.
Seems to be a ksystraycmd bug. ~% cat test.sh #!/bin/sh for i; do echo "$i"; done ~% ./test.sh "The quick brown fox jumps over the lazy dog" The quick brown fox jumps over the lazy dog ~% ksystraycmd ./test.sh "The quick brown fox jumps over the lazy dog" The quick brown fox jumps over the lazy dog Looks like ksystraycmd, instead of executing the command, passes all the arguments on a command line to your shell, which inherently creates a security vulnerability. Let's say you downloaded a file named "Who let the dogs out&echo Gotcha&.mp3", if your media player is configured to execute through ksystraycmd, you get: ~% ksystraycmd amarok "Who let the dogs out&echo Gotcha&.mp3" Gotcha zsh: command not found: .mp3 ~% Note that "echo Gotcha" got executed. This should be considered a serious security bug. Anyone who checks the "Place in system tray" option is becoming vulnerable to a shell script insertion attack on filenames.
SVN commit 572103 by mueller: fix argument getting de-quoted BUG:124116 M +2 -1 main.cpp --- branches/KDE/3.5/kdebase/ksystraycmd/main.cpp #572102:572103 @@ -5,6 +5,7 @@ #include <kcmdlineargs.h> #include <kdebug.h> #include <klocale.h> +#include <kprocess.h> #include "ksystraycmd.h" @@ -94,7 +95,7 @@ // Read the command QString command; for ( int i = 0; i < args->count(); i++ ) - command += QCString( args->arg(i) ) + " "; + command += KProcess::quote(QString::fromLocal8Bit( args->arg(i) )) + " "; if ( !command.isEmpty() ) cmd.setCommand( command );
SVN commit 572104 by mueller: fix argument quoting CCBUG: 124116 M +2 -1 main.cpp --- trunk/KDE/kdebase/workspace/ksystraycmd/main.cpp #572103:572104 @@ -5,6 +5,7 @@ #include <kcmdlineargs.h> #include <kdebug.h> #include <klocale.h> +#include <kprocess.h> #include "ksystraycmd.h" @@ -96,7 +97,7 @@ // Read the command QString command; for ( int i = 0; i < args->count(); i++ ) - command += QString( args->arg(i) ) + ' '; + command += KProcess::quote(QString::fromLocal8Bit( args->arg(i) )) + ' '; if ( !command.isEmpty() ) cmd.setCommand( command );