Index: dviwin.cpp
===================================================================
RCS file: /home/kde/kdegraphics/kdvi/dviwin.cpp,v
retrieving revision 1.123.2.3
diff -u -r1.123.2.3 dviwin.cpp
--- dviwin.cpp  13 Feb 2003 20:03:39 -0000      1.123.2.3
+++ dviwin.cpp  7 Apr 2003 19:43:39 -0000
@@ -37,7 +37,7 @@
#include <klocale.h>
#include <kprinter.h>
#include <kprocess.h>
-
+#include <kstandarddirs.h>

#include "dviwin.h"
#include "fontpool.h"
@@ -503,6 +503,28 @@
  // specials in PostScriptDirectory, and the headers in the
  // PostScriptHeaderString.
  PS_interface->clear();
+
+  // Files that reside under "tmp" or under the "data" resource are most
+  // likely remote files. We limit the files they are able to read to
+  // the directory they are in in order to limit the possibilities of a
+  // denial of service attack.
+  bool restrictIncludePath = true;
+  QString tmp = KGlobal::dirs()->saveLocation("tmp", QString::null);
+  if (!filename.startsWith(tmp))
+  {
+     tmp = KGlobal::dirs()->saveLocation("data", QString::null);
+     if (!filename.startsWith(tmp))
+        restrictIncludePath = false;
+  }
+
+  QString includePath;
+  if (restrictIncludePath)
+  {
+     includePath = filename;
+     includePath.truncate(includePath.findRev('/'));
+  }
+
+  PS_interface->setIncludePath(includePath);

  // We will also generate a list of hyperlink-anchors in the
  // document. So declare the existing list empty.
Index: psgs.cpp
===================================================================
RCS file: /home/kde/kdegraphics/kdvi/psgs.cpp,v
retrieving revision 1.16
diff -u -r1.16 psgs.cpp
--- psgs.cpp    31 Jul 2002 16:39:39 -0000      1.16
+++ psgs.cpp    7 Apr 2003 19:43:39 -0000
@@ -59,6 +59,12 @@
  DiskCache->clear();
}

+void ghostscript_interface::setIncludePath(const QString &_includePath) {
+  if (_includePath.isEmpty())
+     includePath = "*"; // Allow all files
+  else
+     includePath = _includePath+"/*";
+}

void ghostscript_interface::setPostScript(int page, QString PostScript) {
  pageInfo *info = new pageInfo(PostScript);
@@ -125,11 +131,13 @@
  // Step 2: Call GS with the File
  KProcess proc;
  proc << "gs";
-  proc << "-dNOPAUSE" << "-dBATCH" << "-sDEVICE=png256";
+  proc << "-dSAFER" << "-dPARANOIDSAFER" << "-dDELAYSAFER" << "-dNOPAUSE" << "-dBATCH" << "-sDEVICE=png256";
  proc << QString("-sOutputFile=%1").arg(filename);
+  proc << QString("-sExtraIncludePath=%1").arg(includePath);
  proc << QString("-g%1x%2").arg(pixel_page_w).arg(pixel_page_h); // page size in pixels
  proc << QString("-r%1").arg(resolution);                       // resolution in dpi
-  proc << PSfile.name();
+  proc << "-c" << "<< /PermitFileReading [ ExtraIncludePath ] /PermitFileWriting [] /PermitFileControl [] >> setuserparams .locksafe";
+  proc << "-f" << PSfile.name();
  proc.start(KProcess::Block);
  PSfile.unlink();
  emit(setStatusBarText(QString::null));
Index: psgs.h
===================================================================
RCS file: /home/kde/kdegraphics/kdvi/psgs.h,v
retrieving revision 1.4
diff -u -r1.4 psgs.h
--- psgs.h      31 Jul 2002 16:39:39 -0000      1.4
+++ psgs.h      7 Apr 2003 19:43:39 -0000
@@ -42,6 +42,9 @@
  //
  void setPostScript(int page, QString PostScript);

+  // sets path from additional postscript files may be read
+  void setIncludePath(const QString &_includePath);
+
  // Returns the graphics of the page, if possible. The functions
  // returns a pointer to a QPixmap, or null. The referred QPixmap
  // should be deleted after use.
@@ -64,6 +67,8 @@
  double                resolution;    // in dots per inch
  int                   pixel_page_w; // in pixels
  int                   pixel_page_h; // in pixels
+
+  QString               includePath;

signals:
  /** Passed through to the top-level kpart. */

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.