https://bugs.kde.org/show_bug.cgi?id=389815
Marco Martin <notm...@gmail.com> changed:

What          |Removed      |Added
----------------------------------------------------------------------------
Status        |UNCONFIRMED  |RESOLVED
Latest Commit |             |https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57
Resolution    |---          |FIXED
Latest Commit |https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57 |https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212

--- Comment #6 from Marco Martin <notm...@gmail.com> ---
Git commit f32002ce50edc3891f1fa41173132c820b917d57 by Marco Martin.
Committed on 05/02/2018 at 12:35.
Pushed by mart into branch 'Plasma/5.12'.

Make sure device paths are quoted

in the case a vfat removable device has $() or `` in its label,
such as $(touch foo) the quoted command may get executed, leaving
an attack vector. Use KMacroExpander::expandMacrosShellQuote
to make sure everything is quoted and not interpreted as a
command

M  +1  -1  soliduiserver/deviceserviceaction.cpp

https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57

--- Comment #7 from Marco Martin <notm...@gmail.com> ---
Git commit 9db872df82c258315c6ebad800af59e81ffb9212 by Marco Martin.
Committed on 05/02/2018 at 12:12.
Pushed by mart into branch 'Plasma/5.8'.

Make sure device paths are quoted

in the case a vfat removable device has $() or `` in its label,
such as $(touch foo) the quoted command may get executed, leaving
an attack vector. Use KMacroExpander::expandMacrosShellQuote
to make sure everything is quoted and not interpreted as a
command

M  +1  -1  soliduiserver/deviceserviceaction.cpp

https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212
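
The difference the commits above describe, as an added stand-alone example (not plasma-workspace or KMacroExpander code): the same macro expanded into a shell command verbatim and shell-quoted. The `shellQuote`, `expand` and `runShell` helpers, the `echo %f` template and the sample path are assumptions made for illustration.

```cpp
#include <cstdio>
#include <iostream>
#include <string>

// Stand-in for shell quoting (assumption: not KMacroExpander's own code).
// Wraps the value in '...' and rewrites each embedded ' as '\''.
std::string shellQuote(const std::string &s) {
    std::string out = "'";
    for (char c : s) {
        if (c == '\'') out += "'\\''";
        else out += c;
    }
    return out + "'";
}

// Replace every occurrence of `macro` in `tmpl` with `value`,
// shell-quoted when `quote` is true, verbatim otherwise.
std::string expand(std::string tmpl, const std::string &macro,
                   const std::string &value, bool quote) {
    const std::string v = quote ? shellQuote(value) : value;
    std::string::size_type pos = 0;
    while ((pos = tmpl.find(macro, pos)) != std::string::npos) {
        tmpl.replace(pos, macro.size(), v);
        pos += v.size();  // skip the inserted text so it is never re-expanded
    }
    return tmpl;
}

// Run `cmd` through /bin/sh via popen() and return what it wrote to stdout.
std::string runShell(const std::string &cmd) {
    std::string out;
    FILE *p = popen(cmd.c_str(), "r");
    if (!p) return out;
    char buf[256];
    while (fgets(buf, sizeof buf, p)) out += buf;
    pclose(p);
    return out;
}

int main() {
    // Constructed sample: a mount path built from a label containing $().
    const std::string path = "/media/$(echo INJECTED)";
    const std::string action = "echo %f";  // hypothetical action template
    for (bool quote : {false, true}) {
        const std::string cmd = expand(action, "%f", path, quote);
        std::cout << (quote ? "quoted:   " : "unquoted: ") << cmd
                  << "\n  shell output: " << runShell(cmd);
    }
    return 0;
}
```

This stand-in is only correct when the macro sits in an unquoted position of the template; inside a double-quoted template string, single-quote wrapping does not stop `$()` from being evaluated.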