authorsalo <salo@pkgsrc.org>2005-05-01 17:36:58 +0000
committersalo <salo@pkgsrc.org>2005-05-01 17:36:58 +0000
commit05fa643025d6dcfc3d0032e9adc64450bd6c5e92 (patch)
treec65b768335bcd6a0d4cad769a88426db5c96e28b /www
parent0e9a55a8a6f4a50e1d4a17826e4aa2ad9d51b480 (diff)
downloadpkgsrc-05fa643025d6dcfc3d0032e9adc64450bd6c5e92.tar.gz
Pullup ticket 474 - requested by Mark Davies
security fix for kdewebdev3 Patch provided by the submitter. Module Name: pkgsrc Committed By: drochner Date: Tue Apr 26 19:01:28 UTC 2005 Modified Files: pkgsrc/www/kdewebdev3: Makefile distinfo Added Files: pkgsrc/www/kdewebdev3/patches: patch-ab Log Message: add a patch from KDE: http://www.kde.org/info/security/advisory-20050420-1.txt to fix untrusted code execution (CAN-2005-0754) bump PKGREVISION
Diffstat (limited to 'www')
-rw-r--r--www/kdewebdev3/Makefile3
-rw-r--r--www/kdewebdev3/distinfo3
-rw-r--r--www/kdewebdev3/patches/patch-ab40
3 files changed, 44 insertions, 2 deletions
diff --git a/www/kdewebdev3/Makefile b/www/kdewebdev3/Makefile
index ac7a127747d..f7580247693 100644
--- a/www/kdewebdev3/Makefile
+++ b/www/kdewebdev3/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.4 2004/12/10 06:07:49 markd Exp $
+# $NetBSD: Makefile,v 1.4.4.1 2005/05/01 17:36:58 salo Exp $
DISTNAME= kdewebdev-${_KDE_VERSION}
+PKGREVISION= 1
CATEGORIES= www
COMMENT= HTML editor and tools suitable for experienced web developers
diff --git a/www/kdewebdev3/distinfo b/www/kdewebdev3/distinfo
index 5bcd74f03e2..90082306cb2 100644
--- a/www/kdewebdev3/distinfo
+++ b/www/kdewebdev3/distinfo
@@ -1,6 +1,7 @@
-$NetBSD: distinfo,v 1.4 2005/02/24 14:08:33 wiz Exp $
+$NetBSD: distinfo,v 1.4.2.1 2005/05/01 17:36:58 salo Exp $
SHA1 (kdewebdev-3.3.2.tar.bz2) = 9046409534d1ebd9bd692a02cc1b5a5c259cfe63
RMD160 (kdewebdev-3.3.2.tar.bz2) = 2187fce40c3d31f49f88906a447f218c1b322259
Size (kdewebdev-3.3.2.tar.bz2) = 4797649 bytes
SHA1 (patch-aa) = 9268bdb93739a1b4b9dc7cb2d03acd860c05788f
+SHA1 (patch-ab) = 35c20f0769da688f0ba7e0d104783854701fd0bd
diff --git a/www/kdewebdev3/patches/patch-ab b/www/kdewebdev3/patches/patch-ab
new file mode 100644
index 00000000000..67dfbcbea33
--- /dev/null
+++ b/www/kdewebdev3/patches/patch-ab
@@ -0,0 +1,40 @@
+$NetBSD: patch-ab,v 1.1.2.1 2005/05/01 17:36:58 salo Exp $
+
+--- kommander/executor/instance.cpp.orig 2004-08-05 21:28:57.000000000 +0200
++++ kommander/executor/instance.cpp 2005-05-01 07:14:52.000000000 +0200
+@@ -131,6 +131,35 @@
+
+ bool Instance::run(QFile *a_file)
+ {
++ // Check whether extension is *.kmdr
++ if (!m_uiFileName.fileName().endsWith(".kmdr")) {
++ KMessageBox::error(0, i18n("<qt>This file does not have a <b>.kmdr</b> extension. As a security precaution "
++ "Kommander will only run Kommander scripts with a clear identity.</qt>"),
++ i18n("Wrong Extension"));
++ return false;
++ }
++
++ // Check whether file is not in some temporary directory.
++ QStringList tmpDirs = KGlobal::dirs()->resourceDirs("tmp");
++ tmpDirs += KGlobal::dirs()->resourceDirs("cache");
++ tmpDirs.append("/tmp/");
++ tmpDirs.append("/var/tmp/");
++
++ bool inTemp = false;
++ for (QStringList::ConstIterator I = tmpDirs.begin(); I != tmpDirs.end(); ++I)
++ if (m_uiFileName.directory().startsWith(*I))
++ inTemp = true;
++
++ if (inTemp)
++ {
++ if (KMessageBox::warningYesNo(0, i18n("<qt>This dialog is running from your <i>/tmp</i> directory. "
++ " This may mean that it was run from a KMail attachment or from a webpage. "
++ "<p>Any script contained in this dialog will have write access to all of your home directory; "
++ "<b>running such dialogs may be dangerous: </b>"
++ "<p>are you sure you want to continue?</qt>")) == KMessageBox::No)
++ return false;
++ }
++
+ /* add runtime arguments */
+ if (m_cmdArguments) {
+ QString args;
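Review bot: The temporary-directory check added to Instance::run compares `m_uiFileName.directory()` by string prefix against entries such as `"/tmp/"` and `"/var/tmp/"` that end in a slash. If KURL::directory() strips the trailing slash by default, as I believe it does in KDE 3 (confirm against kurl.h), a file sitting directly in /tmp yields `"/tmp"` and never matches, so the warning is skipped for the very case the dialog text describes; `if (m_uiFileName.directory(false).startsWith(*I))` would keep the slash. The match is also made on the path as given, so resolving symlinks and `..` components before comparing would make it harder to sidestep. The `.kmdr` extension test only rejects mis-named files and says nothing about where the file came from; a comment saying so, such as `// extension check is a naming guard only, not a trust decision`, would stop it being read as a trust boundary. Instance::run continues past the end of the hunk, so the rest of the function was not reviewed.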