Package: kde-workspace / 4:4.11.13-2

upstream_do_not_pass_ntpUtility_as_an_argument.patch Patch series | download
commit eebcb17746d9fa86ea8c5a7344709ef6750781cf
Author: David Edmundson <kde@davidedmundson.co.uk>
Date:   Tue Nov 4 13:57:59 2014 +0100

    Do not pass ntpUtility as an argument to datetime helper
    
    Passing the name of a binary to run to a polkit helper is a security
    risk as it allows any arbitrary process to be executed.
    
    This patch moves the detection of ntp utility location into the helper
    function.
    
    REVIEW: 120977

Index: kde-workspace/kcontrol/dateandtime/dtime.cpp
===================================================================
--- kde-workspace.orig/kcontrol/dateandtime/dtime.cpp	2014-11-07 09:09:31.005905464 +0100
+++ kde-workspace/kcontrol/dateandtime/dtime.cpp	2014-11-07 09:09:30.997905785 +0100
@@ -142,27 +142,15 @@
   //kclock->setEnabled(enabled);
 }
 
-void Dtime::findNTPutility(){
-  QByteArray envpath = qgetenv("PATH");
-  if (!envpath.isEmpty() && envpath[0] == ':') {
-    envpath = envpath.mid(1);
-  }
-
-  QString path = "/sbin:/usr/sbin:";
-  if (!envpath.isEmpty()) {
-    path += QString::fromLocal8Bit(envpath);
-  } else {
-    path += QLatin1String("/bin:/usr/bin");
-  }
-
-  foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
-    if( !((ntpUtility = KStandardDirs::findExe(possible_ntputility, path)).isEmpty()) ) {
-      kDebug() << "ntpUtility = " << ntpUtility;
-      return;
+void Dtime::findNTPutility()
+{
+    const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
+    foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
+        ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
+        if (!ntpUtility.isEmpty()) {
+            return;
+        }
     }
-  }
-
-  kDebug() << "ntpUtility not found!";
 }
 
 void Dtime::set_time()
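Review bot: The path literal on the added `exePath` line in findNTPutility() duplicates the static `exePath` in helper.cpp, and nothing ties the two together, so the dialog's view of whether an NTP utility exists can drift from what the helper actually runs. The value found here now only gates the UI branch (`!ntpUtility.isEmpty()` in the next hunk of this file), so a comment should say so: `// Advisory only: the privileged helper resolves the binary itself from its own fixed path.` The removed kDebug lines also leave no trace when neither ntpdate nor rdate is found; a single `kDebug() << "ntpUtility not found";` after the loop would keep that case diagnosable.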
@@ -238,7 +226,6 @@
   helperargs["ntp"] = true;
   helperargs["ntpServers"] = list;
   helperargs["ntpEnabled"] = setDateTimeAuto->isChecked();
-  helperargs["ntpUtility"] = ntpUtility;
 
   if(setDateTimeAuto->isChecked() && !ntpUtility.isEmpty()){
     // NTP Time setting - done in helper
Index: kde-workspace/kcontrol/dateandtime/helper.cpp
===================================================================
--- kde-workspace.orig/kcontrol/dateandtime/helper.cpp	2014-11-07 09:09:31.005905464 +0100
+++ kde-workspace/kcontrol/dateandtime/helper.cpp	2014-11-07 09:09:30.997905785 +0100
@@ -52,8 +52,18 @@
 // clears it. So we have to use a reasonable default.
 static const QString exePath = QLatin1String("/usr/sbin:/usr/bin:/sbin:/bin");
 
-int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled,
-                      const QString& ntpUtility )
+static QString findNtpUtility()
+{
+    foreach(const QString &possible_ntputility, QStringList() << "ntpdate" << "rdate" ) {
+        const QString ntpUtility = KStandardDirs::findExe(possible_ntputility, exePath);
+        if (!ntpUtility.isEmpty()) {
+            return ntpUtility;
+        }
+    }
+    return QString();
+}
+
+int ClockHelper::ntp( const QStringList& ntpServers, bool ntpEnabled )
 {
   int ret = 0;
 
@@ -69,6 +79,8 @@
   config.writeEntry("servers", ntpServers );
   config.writeEntry("enabled", ntpEnabled );
 
+  QString ntpUtility(findNtpUtility());
+
   if ( ntpEnabled && !ntpUtility.isEmpty() ) {
     // NTP Time setting
     QString timeServer = ntpServers.first();
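Review bot: The guard after the added `findNtpUtility()` call still lets `ntpServers.first()` run on an empty list, and `ntpServers` remains caller-supplied through the helper's argument map (`args.value("ntpServers")` in the next hunk), so the privileged side should not assume it is non-empty. Extending the condition to `if ( ntpEnabled && !ntpUtility.isEmpty() && !ntpServers.isEmpty() )` closes that gap. The rest of ntp() lies outside the hunk; if `timeServer` is handed to the utility as a command-line argument there, it is presumably worth validating as a host name too, since it would be the one remaining caller-controlled input to that invocation. The new local can also be declared `const QString ntpUtility = findNtpUtility();`.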
@@ -236,7 +248,7 @@
   int ret = 0; // error code
 //  The order here is important
   if( _ntp )
-    ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool(), args.value("ntpUtility").toString() );
+    ret |= ntp( args.value("ntpServers").toStringList(), args.value("ntpEnabled").toBool());
   if( _date )
     ret |= date( args.value("newdate").toString(), args.value("olddate").toString() );
   if( _tz )
Index: kde-workspace/kcontrol/dateandtime/helper.h
===================================================================
--- kde-workspace.orig/kcontrol/dateandtime/helper.h	2014-11-07 09:09:31.005905464 +0100
+++ kde-workspace/kcontrol/dateandtime/helper.h	2014-11-07 09:09:31.001905624 +0100
@@ -42,8 +42,7 @@
         ActionReply save(const QVariantMap &map);
 
     private:
-        int ntp(const QStringList& ntpServers, bool ntpEnabled,
-                const QString& ntpUtility);
+        int ntp(const QStringList& ntpServers, bool ntpEnabled);
         int date(const QString& newdate, const QString& olddate);
         int tz(const QString& selectedzone);
         int tzreset();