> Maybe the rootCommand can be disabled and a new directive (component?)
> called "rootImage" that defines an image filename. This could be used
> by a new .blackboxrc resource file configuration "ImageCommand" which
> defaults to bsetbg. Or it can be defined as:
> ImageCommand: xv -root -quit
> or Esetroot, xsetbg, display, wmsetbg, ...

The patch below adds two configuration options for blackboxrc and one
extra style configuration.

RESOURCE FILE
rootCommandApp:
        This defines the program to set the root image.
        It defaults to "bsetbg -full".

allowRootCommand:
        This can be set to "False" so a style's RootCommand
        will not be executed. It defaults to "True".

STYLES
rootImage:              Full path to an image file, e.g. /home/bob/family.jpg

My style file has
rootCommand:                    bsetbg -full /home/reed/images/success/bbc013.jpg ; rm 
/tmp/TEST1
rootImage:                      /home/reed/images/success/birdcelt.jpg

My ~/blackboxrc has
rootCommandApp: xv -root -rmode 5 -quit -smooth -maxpect
allowRootCommand:       False

In addition, the code makes sure that the image filename doesn't contain
a semicolon, back-tick or a pipe.

RootCommand (if enabled) will run even if the RootImage was defined and
used.

This patch is useful so you can disable your RootCommand capabilities and
so Theme (style) designers can add an optional "RootImage" if the
RootCommand is disabled.

Please share your comments.

- Jeremy C. Reed

diff -uP blackbox-0.61.1-orig/src/Makefile.am blackbox-0.61.1/src/Makefile.am
diff -uP blackbox-0.61.1-orig/src/Makefile.am blackbox-0.61.1/src/Makefile.am
--- blackbox-0.61.1-orig/src/Makefile.am        Wed Jul 26 07:55:14 2000
+++ blackbox-0.61.1/src/Makefile.am     Fri Mar  2 18:04:39 2001
@@ -21,12 +21,15 @@
 
 DEFAULT_MENU=$(pkgdatadir)/menu
 DEFAULT_STYLE=$(pkgdatadir)/styles/Results
+# 02/Mar/2001 reed
+DEFAULT_ROOTCOMMANDAPP="bsetbg -full"
 
 CPPFLAGS= @CPPFLAGS@ @SHAPE@ @SLIT@ @INTERLACE@ @ORDEREDPSEUDO@ \
 @DEBUG@ @NEWWMSPEC@ @NLS@ @TIMEDCACHE@ \
 -DLOCALEPATH=\"$(pkgdatadir)/nls\" \
 -DDEFAULTMENU=\"$(DEFAULT_MENU)\" \
 -DDEFAULTSTYLE=\"$(DEFAULT_STYLE)\"
+-DDEFAULTROOTCOMMANDAPP=\"$(DEFAULT_ROOTCOMMANDAPP)\"
 
 bin_PROGRAMS= blackbox
 
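Review bot: The added `-DDEFAULTROOTCOMMANDAPP=\"$(DEFAULT_ROOTCOMMANDAPP)\"` line is not joined to `CPPFLAGS`, because the context line before it, `-DDEFAULTSTYLE=\"$(DEFAULT_STYLE)\"`, still ends without a continuation backslash. As posted, the define would not be passed to the compiler and `DEFAULTROOTCOMMANDAPP` would be undefined when blackbox.cc is built, unless the backslash was lost in the mail. The `-DDEFAULTSTYLE` line should become a changed line ending in ` \`, with the new define as the last continuation line. The Makefile.in hunk appears to have the same shape, though mail wrapping makes that hard to confirm; regenerating it with automake is safer than patching it by hand.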
diff -uP blackbox-0.61.1-orig/src/Makefile.in blackbox-0.61.1/src/Makefile.in
--- blackbox-0.61.1-orig/src/Makefile.in        Sun Oct  8 21:16:58 2000
+++ blackbox-0.61.1/src/Makefile.in     Fri Mar  2 18:04:55 2001
@@ -97,8 +97,10 @@
 
 DEFAULT_MENU = $(pkgdatadir)/menu
 DEFAULT_STYLE = $(pkgdatadir)/styles/Results
+# 02/Mar/2001 reed
+DEFAULT_ROOTCOMMANDAPP = "bsetbg -full"
 
-CPPFLAGS = @CPPFLAGS@ @SHAPE@ @SLIT@ @INTERLACE@ @ORDEREDPSEUDO@ @DEBUG@ @NEWWMSPEC@ 
@NLS@ @TIMEDCACHE@ -DLOCALEPATH=\"$(pkgdatadir)/nls\" 
-DDEFAULTMENU=\"$(DEFAULT_MENU)\" -DDEFAULTSTYLE=\"$(DEFAULT_STYLE)\"
+CPPFLAGS = @CPPFLAGS@ @SHAPE@ @SLIT@ @INTERLACE@ @ORDEREDPSEUDO@ @DEBUG@ @NEWWMSPEC@ 
+@NLS@ @TIMEDCACHE@ -DLOCALEPATH=\"$(pkgdatadir)/nls\" 
+-DDEFAULTMENU=\"$(DEFAULT_MENU)\" -DDEFAULTSTYLE=\"$(DEFAULT_STYLE)\" 
+-DDEFAULTROOTCOMMANDAPP=\"$(DEFAULT_ROOTCOMMANDAPP)\"
 
 
 bin_PROGRAMS = blackbox
diff -uP blackbox-0.61.1-orig/src/Screen.cc blackbox-0.61.1/src/Screen.cc
--- blackbox-0.61.1-orig/src/Screen.cc  Thu Oct  5 19:01:12 2000
+++ blackbox-0.61.1/src/Screen.cc       Fri Mar  2 18:04:17 2001
@@ -1337,9 +1337,47 @@
   } else
     resource.frame_width = resource.bevel_width;
 
+// 02/Mar/2001 reed - rootImage defines an image filename
   if (XrmGetResource(resource.stylerc,
+                     "rootImage",
+                     "RootImage", &value_type, &value)) {
+    char displaystring[MAXPATHLEN];
+    int okay;
+// 02/Mar/2001 reed - this is wrong, imagecommand will hold
+//                    the command to run and the filename
+    char imagecommand[MAXPATHLEN];
+
+// before doing anything with this filename, make sure it is safe
+
+    okay = 1;
+    if (strchr(value.addr, '`')) okay = 0;
+    else if (strchr(value.addr, '|')) okay = 0;
+    else if (strchr(value.addr, ';')) okay = 0;
+// maybe it should check for others?
+
+    if (okay) {
+      sprintf(displaystring, "DISPLAY=%s",
+             DisplayString(getBaseDisplay()->getXDisplay()));
+      sprintf(displaystring + strlen(displaystring) - 1, "%d",
+             getScreenNumber());
+// 02/Mar/2001 reed - bsetbg should be the default, but not hardcoded here
+      snprintf(imagecommand, MAXPATHLEN, "%s %s",
+               blackbox->getRootCommandApp(), value.addr);
+#ifndef    __EMX__
+      bexec(imagecommand, displaystring);
+#else //   __EMX__
+      spawnlp(P_NOWAIT, "cmd.exe", "cmd.exe", "/c", imagecommand, NULL);
+#endif // !__EMX__
+    }
+// else maybe this should log about the problem
+  }
+
+// Even if RootImage is used above, the root image may be changed here
+
+  if ((XrmGetResource(resource.stylerc,
                      "rootCommand",
-                     "RootCommand", &value_type, &value)) {
+                     "RootCommand", &value_type, &value)) &&
+      (blackbox->getAllowRootCommand())) {
 #ifndef    __EMX__
     char displaystring[MAXPATHLEN];
     sprintf(displaystring, "DISPLAY=%s",
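Review bot: The three `strchr` tests on `value.addr` (backtick, `|`, `;`) do not make the style-supplied filename safe. The string is still concatenated into `imagecommand` and handed to `bexec` (presumably a shell; its body is not in the hunk) or to `cmd.exe /c`, where `$( )`, `&`, redirection, quotes, newlines and plain spaces keep their meaning. Either pass the filename as its own argv element to an exec-family call so that no shell parses it, or replace the denylist with an allowlist as sketched below; the sketch also rejects relative paths and names containing spaces. The `snprintf` result should be checked as well so a truncated command is never run, e.g. `if (n < 0 || n >= MAXPATHLEN) okay = 0;`. The enclosing function starts and ends outside the hunk.

```cpp
    // … unchanged: displaystring / imagecommand declarations …
    // accept only an absolute path built from characters no shell interprets
    okay = (value.addr[0] == '/');
    for (const char *p = value.addr; okay && *p; ++p) {
      if (! (isalnum((unsigned char) *p) || strchr("/._-", *p)))
        okay = 0;
    }
    // … unchanged: build displaystring and imagecommand, then bexec / spawnlp …
```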
diff -uP blackbox-0.61.1-orig/src/blackbox.cc blackbox-0.61.1/src/blackbox.cc
--- blackbox-0.61.1-orig/src/blackbox.cc        Sat Jun 24 22:56:48 2000
+++ blackbox-0.61.1/src/blackbox.cc     Fri Mar  2 18:03:58 2001
@@ -1022,6 +1022,15 @@
   sprintf(rc_string, "session.menuFile:  %s", resource.menu_file);
   XrmPutLineResource(&new_blackboxrc, rc_string);
 
+// 02/Mar/2001 reed
+  sprintf(rc_string, "allowRootCommand: %s",
+         ((resource.allow_root_command ? "True" : "False")));
+  XrmPutLineResource(&new_blackboxrc, rc_string);
+
+// 02/Mar/2001 reed
+  sprintf(rc_string, "rootCommandApp:  %s", resource.root_command_app);
+  XrmPutLineResource(&new_blackboxrc, rc_string);
+
   sprintf(rc_string, "session.colorsPerChannel:  %d",
           resource.colors_per_channel);
   XrmPutLineResource(&new_blackboxrc, rc_string);
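Review bot: `sprintf(rc_string, "rootCommandApp:  %s", resource.root_command_app)` writes a user-configured string of unbounded length into `rc_string`, whose declaration and size are outside the hunk. Unlike the boolean line above it, this value comes straight from the resource file, so a long `rootCommandApp` entry can overrun the buffer. If `rc_string` is a fixed array, `snprintf(rc_string, sizeof(rc_string), "rootCommandApp:  %s", resource.root_command_app);` bounds the write. The neighbouring `session.menuFile` context line follows the same pattern.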
@@ -1262,6 +1271,25 @@
     resource.menu_file = bstrdup(value.addr);
   else
     resource.menu_file = bstrdup(DEFAULTMENU);
+
+// 02/Mar/2001 reed - menu's rootCommand can be disabled
+// Allow execution of a style's possibly malicious rootCommand?
+  if (XrmGetResource(database, "allowRootCommand", "AllowRootCommand",
+                     &value_type, &value)) {
+    if (! strncasecmp("true", value.addr, value.size))
+      resource.allow_root_command = True;
+    else
+      resource.allow_root_command = False;
+  } else
+    // This is the default -- a style's rootCommand is enabled
+      resource.allow_root_command = True;
+
+// 02/Mar/2001 reed - choose the root image application
+  if (XrmGetResource(database, "rootCommandApp", "RootCommandApp",
+                    &value_type, &value))
+    resource.root_command_app = bstrdup(value.addr);
+  else
+    resource.root_command_app = bstrdup(DEFAULTROOTCOMMANDAPP);
 
   if (XrmGetResource(database, "session.colorsPerChannel",
                     "Session.ColorsPerChannel", &value_type, &value)) {
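Review bot: `allowRootCommand` falls back to `True` when the resource is absent, so a style's `rootCommand` still executes for every user who has not edited their rc file, which is the case the added comment calls "possibly malicious". If the default must stay for compatibility, say so at the `else` branch, e.g. `// Default keeps legacy behaviour: a style's rootCommand runs unless the user sets allowRootCommand: False`. A second comment should record that only the literal `true` (any case) enables it and every other value disables it. The enclosing function starts and ends outside the hunk.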
diff -uP blackbox-0.61.1-orig/src/blackbox.hh blackbox-0.61.1/src/blackbox.hh
--- blackbox-0.61.1-orig/src/blackbox.hh        Wed May 31 15:42:49 2000
+++ blackbox-0.61.1/src/blackbox.hh     Fri Mar  2 16:57:55 2001
@@ -80,6 +80,10 @@
     Time double_click_interval;
 
     char *menu_file, *style_file;
+// 02/Mar/2001 reed 
+    Bool allow_root_command;
+// 02/Mar/2001 reed 
+    char *root_command_app;
     int colors_per_channel;
     timeval auto_raise_delay;
     unsigned long cache_life, cache_max;
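Review bot: `root_command_app` is a raw `char *` that blackbox.cc fills with `bstrdup()`, and no hunk in this patch releases it. A comment on the field such as `// owned; set via bstrdup() in blackbox.cc` would document the ownership. It should also be released wherever `menu_file` and `style_file` are released (not visible here), so that re-reading the rc file does not leak the previous value. The struct continues outside the hunk.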
@@ -151,6 +155,14 @@
     { return resource.style_file; }
   inline const char *getMenuFilename(void) const
     { return resource.menu_file; }
+
+// 02/Mar/2001 reed
+  inline const Bool getAllowRootCommand(void) const
+    { return resource.allow_root_command; }
+
+// 02/Mar/2001 reed
+  inline const char *getRootCommandApp(void) const
+    { return resource.root_command_app; }
 
   inline const int &getColorsPerChannel(void) const
     { return resource.colors_per_channel; }
