<html> <head> <base href="https://bugs.freedesktop.org/"> </head> <body><table border="1" cellspacing="0" cellpadding="8"> <tr> <th>Bug ID</th> <td><a class="bz_bug_link bz_status_NEW " title="NEW - RFE: insecure use of $KDE_SESSION_VERSION" href="https://bugs.freedesktop.org/show_bug.cgi?id=96730">96730</a> </td> </tr> <tr> <th>Summary</th> <td>RFE: insecure use of $KDE_SESSION_VERSION </td> </tr> <tr> <th>Product</th> <td>Portland </td> </tr> <tr> <th>Version</th> <td>unspecified </td> </tr> <tr> <th>Hardware</th> <td>Other </td> </tr> <tr> <th>OS</th> <td>All </td> </tr> <tr> <th>Status</th> <td>NEW </td> </tr> <tr> <th>Severity</th> <td>normal </td> </tr> <tr> <th>Priority</th> <td>medium </td> </tr> <tr> <th>Component</th> <td>xdg-utils </td> </tr> <tr> <th>Assignee</th> <td>portland-bugs@lists.freedesktop.org </td> </tr> <tr> <th>Reporter</th> <td>rdieter@math.unl.edu </td> </tr></table> <p> <div> <pre>Seems xdg-util's use of $KDE_SESSION_VERSION is (potentially) insecure. See also <a class="bz_bug_link bz_status_NEW " title="NEW - pkexec forwards too few environment variables" href="show_bug.cgi?id=96713#c3">https://bugs.freedesktop.org/show_bug.cgi?id=96713#c3</a> Could consider probing for kde/plasma similar to how gnome3 is done, via dbus, candidates include: plasma5: qdbus org.kde.plasmashell /MainApplication org.qtproject.QtQCoreApplication.applicationVersion matches string "5.*" plasma4: qdbus org.kde.plasma-desktop /MainApplication org.qtproject.Qt.QCoreApplication.applicationName matches string "plasma-desktop"</pre> </div> </p> <hr> <span>You are receiving this mail because:</span> <ul> <li>You are the assignee for the bug.</li> </ul> </body> </html>