kde-plasma: Drop KDE Plasma 5.11.5

Package-Manager: Portage-2.3.38, Repoman-2.3.9

2 files changed, 0 insertions, 440 deletions

diff --git a/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6790.patch b/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6790.patch
deleted file mode 100644
index b424e397a802..000000000000
--- a/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6790.patch
+++ /dev/null
@@ -1,409 +0,0 @@
-From f1e9a1c458ea44e9169c7e79b90a57fb7c65135f Mon Sep 17 00:00:00 2001
-From: David Edmundson <kde@davidedmundson.co.uk>
-Date: Wed, 31 Jan 2018 14:28:17 +0000
-Subject: [PATCH 1/2] Sanitise notification HTML
-
-Summary:
-Qt labels support a HTML subset, using a completely internal parser in
-QTextDocument.
-
-The Notification spec support an even smaller subset of notification
-elements.
-
-It's important to strip out irrelevant tags that could potentially load
-remote information without user interaction, such as img
-src or even <b style="background:url...
-
-But we want to maintain the basic rich text formatting of bold and
-italics and links.
-
-This parser iterates reads the XML, copying only permissable tags and
-attributes.
-
-A future obvious improvement would be to merge the original regular
-expressions into this stream parser, but I'm trying to minimise
-breakages to get this into 5.12.
-
-Test Plan:
-Moved code into it's own class for easy unit testing
-Tried a bunch of things, including what the old regexes were doing
-
-Also ran notify send with a few options to make sure things worked
-
-Reviewers: #plasma, fvogt
-
-Reviewed By: fvogt
-
-Subscribers: aacid, fvogt, plasma-devel
-
-Tags: #plasma
-
-Differential Revision: https://phabricator.kde.org/D10188
----
- dataengines/notifications/CMakeLists.txt           |   8 ++
- dataengines/notifications/notifications_test.cpp   |  68 +++++++++++++
- .../notifications/notificationsanitizer.cpp        | 106 +++++++++++++++++++++
- dataengines/notifications/notificationsanitizer.h  |  35 +++++++
- dataengines/notifications/notificationsengine.cpp  |  19 +---
- 5 files changed, 219 insertions(+), 17 deletions(-)
- create mode 100644 dataengines/notifications/notifications_test.cpp
- create mode 100644 dataengines/notifications/notificationsanitizer.cpp
- create mode 100644 dataengines/notifications/notificationsanitizer.h
-
-diff --git a/dataengines/notifications/CMakeLists.txt b/dataengines/notifications/CMakeLists.txt
-index 4fd3ee76..ad6e2120 100644
---- a/dataengines/notifications/CMakeLists.txt
-+++ b/dataengines/notifications/CMakeLists.txt
-@@ -4,6 +4,7 @@ set(notifications_engine_SRCS
-     notificationsengine.cpp
-     notificationservice.cpp
-     notificationaction.cpp
-+    notificationsanitizer.cpp
- )
- 
- qt5_add_dbus_adaptor( notifications_engine_SRCS org.freedesktop.Notifications.xml notificationsengine.h  NotificationsEngine )
-@@ -26,3 +27,10 @@ kcoreaddons_desktop_to_json(plasma_engine_notifications plasma-dataengine-notifi
- install(TARGETS plasma_engine_notifications DESTINATION ${KDE_INSTALL_PLUGINDIR}/plasma/dataengine)
- install(FILES plasma-dataengine-notifications.desktop DESTINATION ${KDE_INSTALL_KSERVICES5DIR} )
- install(FILES notifications.operations DESTINATION ${PLASMA_DATA_INSTALL_DIR}/services)
-+
-+
-+#unit test
-+
-+add_executable(notification_test  notificationsanitizer.cpp notifications_test.cpp)
-+target_link_libraries(notification_test Qt5::Test Qt5::Core)
-+ecm_mark_as_test(notification_test)
-diff --git a/dataengines/notifications/notifications_test.cpp b/dataengines/notifications/notifications_test.cpp
-new file mode 100644
-index 00000000..58399746
---- /dev/null
-+++ b/dataengines/notifications/notifications_test.cpp
-@@ -0,0 +1,68 @@
-+#include <QtTest>
-+#include <QObject>
-+#include <QDebug>
-+#include "notificationsanitizer.h"
-+
-+class NotificationTest : public QObject
-+{
-+    Q_OBJECT
-+public:
-+    NotificationTest() {}
-+private Q_SLOTS:
-+    void parse_data();
-+    void parse();
-+};
-+
-+void NotificationTest::parse_data()
-+{
-+    QTest::addColumn<QString>("messageIn");
-+    QTest::addColumn<QString>("expectedOut");
-+
-+    QTest::newRow("basic no HTML") << "I am a notification" << "I am a notification";
-+    QTest::newRow("whitespace") << "      I am a   notification  " << "I am a notification";
-+
-+    QTest::newRow("basic html") << "I am <b>the</b> notification" << "I am <b>the</b> notification";
-+    QTest::newRow("nested html") << "I am <i><b>the</b></i> notification" << "I am <i><b>the</b></i> notification";
-+
-+    QTest::newRow("no extra tags") << "I am <blink>the</blink> notification" << "I am the notification";
-+    QTest::newRow("no extra attrs") << "I am <b style=\"font-weight:20\">the</b> notification" << "I am <b>the</b> notification";
-+
-+    QTest::newRow("newlines") << "I am\nthe\nnotification" << "I am<br/>the<br/>notification";
-+    QTest::newRow("multinewlines") << "I am\n\nthe\n\n\nnotification" << "I am<br/>the<br/>notification";
-+
-+    QTest::newRow("amp") << "me&you" << "me&amp;you";
-+    QTest::newRow("double escape") << "foo &amp; &lt;bar&gt;" << "foo &amp; &lt;bar&gt;";
-+
-+    QTest::newRow("quotes") << "&apos;foo&apos;" << "'foo'";//as label can't handle this normally valid entity
-+
-+    QTest::newRow("image normal") << "This is <img src=\"file:://foo/boo.png\" alt=\"cheese\"/> and more text" << "This is <img src=\"file:://foo/boo.png\" alt=\"cheese\"/> and more text";
-+
-+    //this input is technically wrong, so the output is also wrong, but QTextHtmlParser does the "right" thing
-+    QTest::newRow("image normal no close") << "This is <img src=\"file:://foo/boo.png\" alt=\"cheese\"> and more text" << "This is <img src=\"file:://foo/boo.png\" alt=\"cheese\"> and more text</img>";
-+
-+    QTest::newRow("image remote URL") << "This is <img src=\"http://foo.com/boo.png\" alt=\"cheese\" /> and more text" << "This is <img alt=\"cheese\"/> and more text";
-+
-+    //more bad formatted options. To some extent actual output doesn't matter. Garbage in, garbabe out.
-+    //the important thing is that it doesn't contain anything that could be parsed as the remote URL
-+    QTest::newRow("image remote URL no close") << "This is <img src=\"http://foo.com/boo.png>\" alt=\"cheese\">  and more text" << "This is <img alt=\"cheese\"> and more text</img>";
-+    QTest::newRow("image remote URL double open") << "This is <<img src=\"http://foo.com/boo.png>\"  and more text" << "This is ";
-+    QTest::newRow("image remote URL no entitiy close") << "This is <img src=\"http://foo.com/boo.png\"  and more text" << "This is ";
-+    QTest::newRow("image remote URL space in element name") << "This is < img src=\"http://foo.com/boo.png\" alt=\"cheese\" /> and more text" << "This is ";
-+
-+    QTest::newRow("link") << "This is a link <a href=\"http://foo.com/boo\"/> and more text" << "This is a link <a href=\"http://foo.com/boo\"/> and more text";
-+}
-+
-+void NotificationTest::parse()
-+{
-+    QFETCH(QString, messageIn);
-+    QFETCH(QString, expectedOut);
-+
-+    const QString out = NotificationSanitizer::parse(messageIn);
-+    expectedOut = "<?xml version=\"1.0\"?><html>"  + expectedOut + "</html>\n";
-+    QCOMPARE(out, expectedOut);
-+}
-+
-+
-+QTEST_GUILESS_MAIN(NotificationTest)
-+
-+#include "notifications_test.moc"
-diff --git a/dataengines/notifications/notificationsanitizer.cpp b/dataengines/notifications/notificationsanitizer.cpp
-new file mode 100644
-index 00000000..5410132c
---- /dev/null
-+++ b/dataengines/notifications/notificationsanitizer.cpp
-@@ -0,0 +1,106 @@
-+/*
-+ *   Copyright (C) 2017 David Edmundson <davidedmundson@kde.org>
-+ *
-+ * This program is free software you can redistribute it and/or
-+ * modify it under the terms of the GNU Library General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2 of the License, or (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+ * Library General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Library General Public License
-+ * along with this library; see the file COPYING.LIB.  If not, write to
-+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-+ * Boston, MA 02110-1301, USA.
-+*/
-+
-+#include "notificationsanitizer.h"
-+
-+#include <QXmlStreamReader>
-+#include <QXmlStreamWriter>
-+#include <QRegularExpression>
-+#include <QDebug>
-+#include <QUrl>
-+
-+QString NotificationSanitizer::parse(const QString &text)
-+{
-+    // replace all \ns with <br/>
-+    QString t = text;
-+
-+    t.replace(QLatin1String("\n"), QStringLiteral("<br/>"));
-+    // Now remove all inner whitespace (\ns are already <br/>s)
-+    t = t.simplified();
-+    // Finally, check if we don't have multiple <br/>s following,
-+    // can happen for example when "\n       \n" is sent, this replaces
-+    // all <br/>s in succsession with just one
-+    t.replace(QRegularExpression(QStringLiteral("<br/>\\s*<br/>(\\s|<br/>)*")), QLatin1String("<br/>"));
-+    // This fancy RegExp escapes every occurence of & since QtQuick Text will blatantly cut off
-+    // text where it finds a stray ampersand.
-+    // Only &{apos, quot, gt, lt, amp}; as well as &#123 character references will be allowed
-+    t.replace(QRegularExpression(QStringLiteral("&(?!(?:apos|quot|[gl]t|amp);|#)")), QLatin1String("&amp;"));
-+
-+    QXmlStreamReader r(QStringLiteral("<html>") + t + QStringLiteral("</html>"));
-+    QString result;
-+    QXmlStreamWriter out(&result);
-+
-+    const QVector<QString> allowedTags = {"b", "i", "u", "img", "a", "html", "br"};
-+
-+    out.writeStartDocument();
-+    while (!r.atEnd()) {
-+        r.readNext();
-+
-+        if (r.tokenType() == QXmlStreamReader::StartElement) {
-+            const QString name = r.name().toString();
-+            if (!allowedTags.contains(name)) {
-+                continue;
-+            }
-+            out.writeStartElement(name);
-+            if (name == QLatin1String("img")) {
-+                auto src = r.attributes().value("src").toString();
-+                auto alt = r.attributes().value("alt").toString();
-+
-+                const QUrl url(src);
-+                if (url.isLocalFile()) {
-+                    out.writeAttribute(QStringLiteral("src"), src);
-+                } else {
-+                    //image denied for security reasons! Do not copy the image src here!
-+                }
-+
-+                out.writeAttribute(QStringLiteral("alt"), alt);
-+            }
-+            if (name == QLatin1String("a")) {
-+                out.writeAttribute(QStringLiteral("href"), r.attributes().value("href").toString());
-+            }
-+        }
-+
-+        if (r.tokenType() == QXmlStreamReader::EndElement) {
-+            const QString name = r.name().toString();
-+            if (!allowedTags.contains(name)) {
-+                continue;
-+            }
-+            out.writeEndElement();
-+        }
-+
-+        if (r.tokenType() == QXmlStreamReader::Characters) {
-+            const auto text = r.text().toString();
-+            out.writeCharacters(text); //this auto escapes chars -> HTML entities
-+        }
-+    }
-+    out.writeEndDocument();
-+
-+    if (r.hasError()) {
-+        qWarning() << "Notification to send to backend contains invalid XML: "
-+                      << r.errorString() << "line" << r.lineNumber()
-+                      << "col" << r.columnNumber();
-+    }
-+
-+    // The Text.StyledText format handles only html3.2 stuff and &apos; is html4 stuff
-+    // so we need to replace it here otherwise it will not render at all.
-+    result = result.replace(QLatin1String("&apos;"), QChar('\''));
-+
-+
-+    return result;
-+}
-diff --git a/dataengines/notifications/notificationsanitizer.h b/dataengines/notifications/notificationsanitizer.h
-new file mode 100644
-index 00000000..561a84b7
---- /dev/null
-+++ b/dataengines/notifications/notificationsanitizer.h
-@@ -0,0 +1,35 @@
-+/*
-+ *   Copyright (C) 2017 David Edmundson <davidedmundson@kde.org>
-+ *
-+ * This program is free software you can redistribute it and/or
-+ * modify it under the terms of the GNU Library General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2 of the License, or (at your option) any later version.
-+ *
-+ * This program is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+ * Library General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Library General Public License
-+ * along with this library; see the file COPYING.LIB.  If not, write to
-+ * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-+ * Boston, MA 02110-1301, USA.
-+*/
-+
-+#include <QString>
-+
-+namespace NotificationSanitizer
-+{
-+    /*
-+     * This turns generic random text of either plain text of any degree of faux-HTML into HTML allowed
-+     * in the notification spec namely:
-+     * a, img, b, i, u  and br
-+     * All other tags and attributes are stripped
-+     * Whitespace is stripped and converted to <br/>
-+     * Double newlines are compressed
-+     *
-+     * Image src is only copied when referring to a local file
-+     */
-+    QString parse(const QString &in);
-+}
-diff --git a/dataengines/notifications/notificationsengine.cpp b/dataengines/notifications/notificationsengine.cpp
-index 72338aeb..caf310e5 100644
---- a/dataengines/notifications/notificationsengine.cpp
-+++ b/dataengines/notifications/notificationsengine.cpp
-@@ -20,6 +20,7 @@
- #include "notificationsengine.h"
- #include "notificationservice.h"
- #include "notificationsadaptor.h"
-+#include "notificationsanitizer.h"
- 
- #include <QDebug>
- #include <KConfigGroup>
-@@ -281,23 +282,7 @@ uint NotificationsEngine::Notify(const QString &app_name, uint replaces_id,
- 
-     const QString source = QStringLiteral("notification %1").arg(id);
- 
--    // First trim whitespace from beginning and end
--    bodyFinal = bodyFinal.trimmed();
--    // Now replace all \ns with <br/>
--    bodyFinal = bodyFinal.replace(QLatin1String("\n"), QLatin1String("<br/>"));
--    // Now remove all inner whitespace (\ns are already <br/>s
--    bodyFinal = bodyFinal.simplified();
--    // Finally, check if we don't have multiple <br/>s following,
--    // can happen for example when "\n       \n" is sent, this replaces
--    // all <br/>s in succsession with just one
--    bodyFinal.replace(QRegularExpression(QStringLiteral("<br/>\\s*<br/>(\\s|<br/>)*")), QLatin1String("<br/>"));
--    // This fancy RegExp escapes every occurence of & since QtQuick Text will blatantly cut off
--    // text where it finds a stray ampersand.
--    // Only &{apos, quot, gt, lt, amp}; as well as &#123 character references will be allowed
--    bodyFinal.replace(QRegularExpression(QStringLiteral("&(?!(?:apos|quot|[gl]t|amp);|#)")), QLatin1String("&amp;"));
--    // The Text.StyledText format handles only html3.2 stuff and &apos; is html4 stuff
--    // so we need to replace it here otherwise it will not render at all.
--    bodyFinal.replace(QLatin1String("&apos;"), QChar('\''));
-+    bodyFinal = NotificationSanitizer::parse(bodyFinal);
- 
-     Plasma::DataEngine::Data notificationData;
-     notificationData.insert(QStringLiteral("id"), QString::number(id));
--- 
-2.13.6
-
-From cb791b571aed1ea6976e0a6906df3e35dea657ef Mon Sep 17 00:00:00 2001
-From: Kai Uwe Broulik <kde@privat.broulik.de>
-Date: Mon, 5 Feb 2018 13:53:17 +0100
-Subject: [PATCH 2/2] [Notifications] Fix grouping
-
-Sanitize the body before doing anything else.
-Cleanup grouping logic.
-
-Differential Revision: https://phabricator.kde.org/D10315
----
- dataengines/notifications/notificationsengine.cpp | 18 ++++++++----------
- 1 file changed, 8 insertions(+), 10 deletions(-)
-
-diff --git a/dataengines/notifications/notificationsengine.cpp b/dataengines/notifications/notificationsengine.cpp
-index caf310e5..bc48deed 100644
---- a/dataengines/notifications/notificationsengine.cpp
-+++ b/dataengines/notifications/notificationsengine.cpp
-@@ -217,7 +217,7 @@ uint NotificationsEngine::Notify(const QString &app_name, uint replaces_id,
-     qDebug() << "Currrent active notifications:" << m_activeNotifications;
-     qDebug() << "Guessing partOf as:" << partOf;
-     qDebug() << " New Notification: " << summary << body << timeout << "& Part of:" << partOf;
--    QString bodyFinal = body;
-+    QString bodyFinal = NotificationSanitizer::parse(body);
-     QString summaryFinal = summary;
- 
-     if (partOf > 0) {
-@@ -225,13 +225,13 @@ uint NotificationsEngine::Notify(const QString &app_name, uint replaces_id,
-         Plasma::DataContainer *container = containerForSource(source);
-         if (container) {
-             // append the body text
--            QString _body = container->data()[QStringLiteral("body")].toString();
--            if (_body != body) {
--                _body.append("\n").append(body);
--            } else {
--                _body = body;
-+            const QString previousBody = container->data()[QStringLiteral("body")].toString();
-+            if (previousBody != bodyFinal) {
-+                // FIXME: This will just append the entire old XML document to another one, leading to:
-+                // <?xml><html>old</html><br><?xml><html>new</html>
-+                // It works but is not very clean.
-+                bodyFinal = previousBody + QStringLiteral("<br/>") + bodyFinal;
-             }
--            bodyFinal = _body;
- 
-             replaces_id = partOf;
- 
-@@ -267,7 +267,7 @@ uint NotificationsEngine::Notify(const QString &app_name, uint replaces_id,
- 
-     const int AVERAGE_WORD_LENGTH = 6;
-     const int WORD_PER_MINUTE = 250;
--    int count = summary.length() + body.length();
-+    int count = summary.length() + body.length() - strlen("<?xml version=\"1.0\"><html></html>");
- 
-     // -1 is "server default", 0 is persistent with "server default" display time,
-     // anything more should honor the setting
-@@ -282,8 +282,6 @@ uint NotificationsEngine::Notify(const QString &app_name, uint replaces_id,
- 
-     const QString source = QStringLiteral("notification %1").arg(id);
- 
--    bodyFinal = NotificationSanitizer::parse(bodyFinal);
--
-     Plasma::DataEngine::Data notificationData;
-     notificationData.insert(QStringLiteral("id"), QString::number(id));
-     notificationData.insert(QStringLiteral("eventId"), eventId);
--- 
-2.13.6
-
diff --git a/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6791.patch b/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6791.patch
deleted file mode 100644
index 621687c59d24..000000000000
--- a/kde-plasma/plasma-workspace/files/plasma-workspace-5.11.5-CVE-2018-6791.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From f32002ce50edc3891f1fa41173132c820b917d57 Mon Sep 17 00:00:00 2001
-From: Marco Martin <notmart@gmail.com>
-Date: Mon, 5 Feb 2018 13:12:51 +0100
-Subject: [PATCH] Make sure device paths are quoted
-
-in the case a vfat removable device has $() or `` in its label,
-such as $(touch foo) the quoted command may get executed,
-leaving an attack vector. Use KMacroExpander::expandMacrosShellQuote
-to make sure everything is quoted and not interpreted as a command
-
-BUG:389815
----
- soliduiserver/deviceserviceaction.cpp | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/soliduiserver/deviceserviceaction.cpp b/soliduiserver/deviceserviceaction.cpp
-index f49c967a..738b27c8 100644
---- a/soliduiserver/deviceserviceaction.cpp
-+++ b/soliduiserver/deviceserviceaction.cpp
-@@ -158,7 +158,7 @@ void DelayedExecutor::delayedExecute(const QString &udi)
- 
-     QString exec = m_service.exec();
-     MacroExpander mx(device);
--    mx.expandMacros(exec);
-+    mx.expandMacrosShellQuote(exec);
- 
-     KRun::runCommand(exec, QString(), m_service.icon(), 0);
-     deleteLater();
--- 
-2.13.6
-