Hello,
When opening a volume whose label contains `` or $() from the notifications panel, the code gets executed. For example, opening a volume named `touch blabla` creates a file named blabla in the user's home folder. This happens only when opening the volume from the notification bar (see attachment), not when opening it from Dolphin directly.
Regards,
Krzysztof
> see attachment
What attachment?
Also, please confirm which solid backend you are using. solid-hardware5 list should tell you.
Created attachment 110327
The notification panel where I open the volume
Created attachment 110328
The error when volume is named `id`
Title: Error - KIO Client
Text: Cannot execute command. File or directory /media/hex/uid=1000 (..) does not exist.
Sorry, I forgot about the attachment yesterday. solid-hardware5 list details returns:
udi = '/org/freedesktop/UDisks2/block_devices/sdb1'
  parent = '/org/freedesktop/UDisks2/drives/Generic_STORAGE_DEVICE_Generic_STORAGE_DEVICE_0_3a0' (string)
  vendor = 'Generic' (string)
  product = 'STORAGE DEVICE' (string)
  description = '`touch foo`' (string)
  Block.major = 0 (0x0) (int)
  Block.minor = 2065 (0x811) (int)
  Block.device = '/dev/sdb1' (string)
  StorageAccess.accessible = true (bool)
  StorageAccess.filePath = '/media/hex/`touch foo`' (string)
  StorageAccess.ignored = false (bool)
  StorageVolume.ignored = false (bool)
  StorageVolume.usage = 'FileSystem' (0x2) (enum)
  StorageVolume.fsType = 'ntfs' (string)
  StorageVolume.label = '`touch foo`' (string)
  StorageVolume.uuid = '04dcc0b2dcc09ef4' (string)
  StorageVolume.size = 64155025408 (0xeeff00000) (qulonglong)
Regards,
Krzysztof
Git commit f32002ce50edc3891f1fa41173132c820b917d57 by Marco Martin.
Committed on 05/02/2018 at 12:35.
Pushed by mart into branch 'Plasma/5.12'.
Make sure device paths are quoted
in the case a vfat removable device has $() or `` in its label, such as $(touch foo) the quoted command may get executed, leaving an attack vector. Use KMacroExpander::expandMacrosShellQuote to make sure everything is quoted and not interpreted as a command
M +1 -1 soliduiserver/deviceserviceaction.cpp
https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57
Git commit 9db872df82c258315c6ebad800af59e81ffb9212 by Marco Martin.
Committed on 05/02/2018 at 12:12.
Pushed by mart into branch 'Plasma/5.8'.
Make sure device paths are quoted
in the case a vfat removable device has $() or `` in its label, such as $(touch foo) the quoted command may get executed, leaving an attack vector. Use KMacroExpander::expandMacrosShellQuote to make sure everything is quoted and not interpreted as a command
M +1 -1 soliduiserver/deviceserviceaction.cpp
https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
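The difference the quoting fix makes, as an added example that is not part of this report or of the plasma-workspace code: a `%f` macro is expanded into a command line run by `sh`, once verbatim and once shell-quoted. The `shellQuote`, `expandMacro` and `runShell` helpers, the `echo %f` template and the `/media/user/...` paths are constructed for illustration; `shellQuote` is a stand-in, not KMacroExpander's implementation.

```cpp
#include <cstdio>
#include <iostream>
#include <string>

// Quote a value for POSIX sh: wrap it in single quotes and rewrite each
// embedded ' as '\'' so the shell treats the whole value as literal text.
// (Stand-in written for this example; it is not KMacroExpander's code.)
std::string shellQuote(const std::string &s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Replace every %f in a command template with `value`, verbatim.
std::string expandMacro(std::string tmpl, const std::string &value) {
    const std::string macro = "%f";
    for (std::string::size_type pos = 0;
         (pos = tmpl.find(macro, pos)) != std::string::npos; pos += value.size())
        tmpl.replace(pos, macro.size(), value);
    return tmpl;
}

// Run a command line through /bin/sh (popen does this) and return its stdout.
std::string runShell(const std::string &cmd) {
    std::string out;
    FILE *p = popen(cmd.c_str(), "r");
    if (!p) return out;
    char buf[256];
    while (fgets(buf, sizeof buf, p)) out += buf;
    pclose(p);
    while (!out.empty() && out.back() == '\n') out.pop_back();
    return out;
}

// Hypothetical action template; %f stands for the mount path.
const std::string kAction = "echo %f";

int main() {
    // Constructed mount paths carrying the two label forms from the report.
    for (std::string path : {"/media/user/$(echo INJECTED)", "/media/user/`echo INJECTED`"}) {
        std::cout << "unquoted: " << runShell(expandMacro(kAction, path)) << '\n';
        std::cout << "quoted:   " << runShell(expandMacro(kAction, shellQuote(path))) << '\n';
    }
}
```

In the unquoted case the shell substitutes the command's output into the path, which is the same effect visible in attachment 110328, where the label `id` turned into `uid=1000 (..)` in the error message.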