|CVE 2019 14744.patch | (download)
10 2 + 8 - 0 !
11 4 + 7 - 0 !
37 1 + 36 - 0 !
3 files changed, 7 insertions(+), 51 deletions(-)
security: remove support for $(...) in config keys with [$e] marker.
It is very unclear at this point what a valid use case for this feature
would possibly be. The old documentation only mentions $(hostname) as
an example, which can be done with $HOSTNAME instead.
Note that $(...) is still supported in Exec lines of desktop files,
this does not require [$e] anyway (and actually works better without it,
otherwise the $ signs need to be doubled to obey kconfig $e escaping rules...).
ctest passes; various testcases with $(...) in desktop files,
directory files, and config files, no longer execute commands.
Reviewers: mdawson, aacid, broulik, davidedmundson, kossebau, apol, sitter, security-team
Reviewed By: mdawson, davidedmundson
Subscribers: ZaWertun, rikmills, fvogt, ngraham, kde-frameworks-devel