$NetBSD: patch-aj,v 1.3 2003/04/10 13:13:24 markd Exp $
--- kdvi/dviwin.cpp.orig Mon Mar 3 07:57:19 2003
+++ kdvi/dviwin.cpp
@@ -37,7 +37,7 @@
#include <klocale.h>
#include <kprinter.h>
#include <kprocess.h>
-
+#include <kstandarddirs.h>
#include "dviwin.h"
#include "fontpool.h"
@@ -503,6 +503,28 @@ bool dviWindow::setFile(QString fname, Q
// specials in PostScriptDirectory, and the headers in the
// PostScriptHeaderString.
PS_interface->clear();
+
+ // Files that reside under "tmp" or under the "data" resource are most
+ // likely remote files. We limit the files they are able to read to
+ // the directory they are in in order to limit the possibilities of a
+ // denial of service attack.
+ bool restrictIncludePath = true;
+ QString tmp = KGlobal::dirs()->saveLocation("tmp", QString::null);
+ if (!filename.startsWith(tmp))
+ {
+ tmp = KGlobal::dirs()->saveLocation("data", QString::null);
+ if (!filename.startsWith(tmp))
+ restrictIncludePath = false;
+ }
+
+ QString includePath;
+ if (restrictIncludePath)
+ {
+ includePath = filename;
+ includePath.truncate(includePath.findRev('/'));
+ }
+
+ PS_interface->setIncludePath(includePath);
// We will also generate a list of hyperlink-anchors in the
// document. So declare the existing list empty.
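Review bot: The restriction fails open: when `filename` is under neither the "tmp" nor the "data" save location, `includePath` stays empty and is handed to `setIncludePath()`, which presumably means no restriction at all, so an untrusted DVI file opened from any other directory is treated as trusted. The location test is a plain `startsWith()` prefix match, so it relies on `filename` already being absolute and normalised; comparing canonical paths on both sides would keep symlinks or `..` segments from defeating it. The enforcement itself sits behind `setIncludePath()`, outside this hunk, and needs the same canonical comparison when an included file name is resolved. At minimum I would state the policy where the flag is cleared, e.g. `// Not under "tmp" or "data": treated as a local, trusted file; the empty include path leaves includes unrestricted.`, and reword "denial of service" in the comment, since what the code limits is which files can be read. `setFile()` starts and ends outside the hunk.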