From f32002ce50edc3891f1fa41173132c820b917d57 Mon Sep 17 00:00:00 2001
From: Marco Martin <notmart@gmail.com>
Date: Mon, 5 Feb 2018 13:12:51 +0100
Subject: Make sure device paths are quoted

in the case a vfat removable device has $() or `` in its label,
such as $(touch foo) the quoted command may get executed,
leaving an attack vector. Use KMacroExpander::expandMacrosShellQuote
to make sure everything is quoted and not interpreted as a command

BUG:389815
---
 soliduiserver/deviceserviceaction.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/soliduiserver/deviceserviceaction.cpp b/soliduiserver/deviceserviceaction.cpp
index f49c967..738b27c 100644
--- a/soliduiserver/deviceserviceaction.cpp
+++ b/soliduiserver/deviceserviceaction.cpp
@@ -158,7 +158,7 @@ void DelayedExecutor::delayedExecute(const QString &udi)
 
     QString exec = m_service.exec();
     MacroExpander mx(device);
-    mx.expandMacros(exec);
+    mx.expandMacrosShellQuote(exec);
 
     KRun::runCommand(exec, QString(), m_service.icon(), 0);
     deleteLater();
-- 
cgit v0.11.2