Skip to content

fix: remove bash -c for security hardening #1374

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
18202781743 merged 1 commit into from
Dec 22, 2025
Merged

fix: remove bash -c for security hardening #1374

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 19 additions & 2 deletions applets/dde-shutdown/shutdownapplet.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,9 +82,26 @@ void ShutdownApplet::x11LockScreen()
QString originMap;

// Step 1: get current keyboard options
process.start("bash", {"-c", "/usr/bin/setxkbmap -query | grep option | awk -F ' ' '{print $2}'"});
process.start("/usr/bin/setxkbmap", QStringList() << "-query");
process.waitForFinished();
originMap = QString::fromUtf8(process.readAllStandardOutput()).trimmed();
QString output = QString::fromUtf8(process.readAllStandardOutput());
QStringList lines = output.split('\n');
for (const QString &line : lines) {
// 查找包含 "option" 的行(原 grep option 命令)
if (line.contains("option")) {
Comment on lines +89 to +91
Copy link

@sourcery-ai sourcery-ai bot Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion (bug_risk): Tighten the line match to avoid accidental matches on unrelated text.

line.contains("option") matches the old grep option behavior but is overly broad and could pick up unrelated text (e.g. comments or localized strings). Since setxkbmap -query has a structured output, prefer a stricter condition like line.startsWith("options:") (or similar) to ensure you only parse the intended line.

Suggested change
for (const QString &line : lines) {
// 查找包含 "option" 的行(原 grep option 命令)
if (line.contains("option")) {
for (const QString &line : lines) {
// 只匹配以 "options:" 开头的行,避免误匹配其他包含 "option" 的文本
if (line.startsWith("options:")) {

// 模拟 awk -F ' ' '{print $2}'
// 按空格分割,跳过空字符串
QStringList parts = line.split(' ', Qt::SkipEmptyParts);
if (parts.size() >= 2) {
originMap = parts[1];
// 如果第二个字段以冒号结尾,可能需要进一步处理
if (originMap.endsWith(':')) {
originMap = originMap.left(originMap.length() - 1);
}
}
break;
}
Comment on lines +91 to +103
Copy link

@sourcery-ai sourcery-ai bot Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion (bug_risk): The trailing-colon handling may be unnecessary and could hide real values.

In typical setxkbmap -query output, the colon belongs to the first token (e.g. options:), not the value, so parts[1] shouldn’t end with :. Unconditionally stripping a trailing colon from originMap could silently change valid values if the output format changes. Unless you’ve seen actual cases where the value ends with :, consider removing this special handling.

Suggested change
if (line.contains("option")) {
// 模拟 awk -F ' ' '{print $2}'
// 按空格分割,跳过空字符串
QStringList parts = line.split(' ', Qt::SkipEmptyParts);
if (parts.size() >= 2) {
originMap = parts[1];
// 如果第二个字段以冒号结尾,可能需要进一步处理
if (originMap.endsWith(':')) {
originMap = originMap.left(originMap.length() - 1);
}
}
break;
}
if (line.contains("option")) {
// 模拟 awk -F ' ' '{print $2}'
// 按空格分割,跳过空字符串
QStringList parts = line.split(' ', Qt::SkipEmptyParts);
if (parts.size() >= 2) {
// 直接使用第二个字段作为原始配置值,不进行额外的冒号处理
originMap = parts[1];
}
break;
}

}
Comment on lines +88 to +104
Copy link

@sourcery-ai sourcery-ai bot Dec 22, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

suggestion (bug_risk): Consider guarding against malformed output or unexpected field positions.

This parsing relies on the options value always being the second non-empty token, as in the old awk '{print $2}' usage. If setxkbmap -query output changes (extra columns, different spacing, tabs), it may silently set a wrong originMap. To make this more robust, explicitly skip the label token and join the rest, or use a regex to capture everything after options: so spacing and extra fields don’t affect the result.

Suggested change
QStringList lines = output.split('\n');
for (const QString &line : lines) {
// 查找包含 "option" 的行(原 grep option 命令)
if (line.contains("option")) {
// 模拟 awk -F ' ' '{print $2}'
// 按空格分割,跳过空字符串
QStringList parts = line.split(' ', Qt::SkipEmptyParts);
if (parts.size() >= 2) {
originMap = parts[1];
// 如果第二个字段以冒号结尾,可能需要进一步处理
if (originMap.endsWith(':')) {
originMap = originMap.left(originMap.length() - 1);
}
}
break;
}
}
QStringList lines = output.split('\n');
for (const QString &line : lines) {
// 查找以 "options:" 开头的行,避免依赖字段位置
const QString trimmed = line.trimmed();
const QString label = QStringLiteral("options:");
if (trimmed.startsWith(label)) {
// 提取 "options:" 之后的所有内容并去除首尾空白
const QString value = trimmed.mid(label.length()).trimmed();
if (!value.isEmpty()) {
originMap = value;
}
break;
}
}


// Step 2: set keyboard options to un grab
process.start("/usr/bin/setxkbmap", {"-option", "grab:break_actions"});
Expand Down