diff -up kdelibs-4.1.96/plasma/package.cpp.orig kdelibs-4.1.96/plasma/package.cpp
--- kdelibs-4.1.96/plasma/package.cpp.orig	2009-01-06 18:27:56.000000000 +0100
+++ kdelibs-4.1.96/plasma/package.cpp	2009-01-16 14:42:39.000000000 +0100
@@ -139,6 +139,10 @@ QString Package::filePath(const char *fi
     }
 
     if (QFile::exists(path)) {
+        if (d->structure->allowExternalPaths()) {
+            return path;
+        }
+
         // ensure that we don't return files outside of our base path
         // due to symlink or ../ games
         QDir dir(path);
@@ -171,6 +175,10 @@ QStringList Package::entryList(const cha
     QDir dir(d->basePath + d->structure->contentsPrefix() + path);
 
     if (dir.exists()) {
+        if (d->structure->allowExternalPaths()) {
+            return dir.entryList(QDir::Files | QDir::Readable);
+        }
+
         // ensure that we don't return files outside of our base path
         // due to symlink or ../ games
         QString canonicalized = dir.canonicalPath();
diff -up kdelibs-4.1.96/plasma/packagestructure.cpp.orig kdelibs-4.1.96/plasma/packagestructure.cpp
--- kdelibs-4.1.96/plasma/packagestructure.cpp.orig	2009-01-16 14:41:56.000000000 +0100
+++ kdelibs-4.1.96/plasma/packagestructure.cpp	2009-01-16 14:42:39.000000000 +0100
@@ -58,17 +58,19 @@ class ContentStructure
         QString path;
         QString name;
         QStringList mimetypes;
-        bool directory;
-        bool required;
+        bool directory : 1;
+        bool required : 1;
 };
 
 class PackageStructurePrivate
 {
 public:
     PackageStructurePrivate()
-        : metadata(0)
+        : metadata(0),
+          externalPaths(false)
     {
     }
+
     ~PackageStructurePrivate()
     {
         delete metadata;
@@ -76,6 +78,8 @@ public:
 
     void createPackageMetadata(const QString &path);
 
+    static QHash<QString, PackageStructure::Ptr> structures;
+
     QString type;
     QString path;
     QString contentsPrefix;
@@ -83,8 +87,8 @@ public:
     QString servicePrefix;
     QMap<QByteArray, ContentStructure> contents;
     QStringList mimetypes;
-    static QHash<QString, PackageStructure::Ptr> structures;
     PackageMetadata *metadata;
+    bool externalPaths;
  };
 
 QHash<QString, PackageStructure::Ptr> PackageStructurePrivate::structures;
@@ -487,6 +491,16 @@ PackageMetadata PackageStructure::metada
     return *d->metadata;
 }
 
+bool PackageStructure::allowExternalPaths() const
+{
+    return d->externalPaths;
+}
+
+void PackageStructure::setAllowExternalPaths(bool allow)
+{
+    d->externalPaths = allow;
+}
+
 } // Plasma namespace
 
 #include "packagestructure.moc"
diff -up kdelibs-4.1.96/plasma/packagestructure.h.orig kdelibs-4.1.96/plasma/packagestructure.h
--- kdelibs-4.1.96/plasma/packagestructure.h.orig	2009-01-16 14:19:12.000000000 +0100
+++ kdelibs-4.1.96/plasma/packagestructure.h	2009-01-16 14:42:39.000000000 +0100
@@ -278,6 +278,12 @@ public:
       */
     virtual PackageMetadata metadata();
 
+    /**
+     * @return true if paths/symlinks outside the package itself should be followed.
+     * By default this is set to false for security reasons.
+     */
+    bool allowExternalPaths() const;
+
 Q_SIGNALS:
     /**
      * Emitted when the new widget browser process completes.
@@ -286,6 +292,13 @@ Q_SIGNALS:
 
 protected:
     /**
+     * Sets whether or not external paths/symlinks can be followed by a package
+     * @arg allow true if paths/symlinks outside of the package should be followed,
+     *             false if they should be rejected.
+     */
+    void setAllowExternalPaths(bool allow);
+
+    /**
      * Sets the prefix that all the contents in this package should
      * appear under. This defaults to "contents/" and is added automatically
      * between the base path and the entries as defined by the package