<table><tr><td style="">fvogt requested changes to this revision.<br />fvogt added a comment.<br />This revision now requires changes to proceed.
</td><a style="text-decoration: none; padding: 4px 8px; margin: 0 8px 8px; float: right; color: #464C5C; font-weight: bold; border-radius: 3px; background-color: #F7F7F9; background-image: linear-gradient(to bottom,#fff,#f1f0f1); display: inline-block; border: 1px solid rgba(71,87,120,.2);" href="https://phabricator.kde.org/D5394" rel="noreferrer">View Revision</a></tr></table><br /><div><div><p>Thanks!</p>

<p>So far I only found two issues (see comments).<br />
Apart from that it would be great to see the application name and the target/source file in the polkit dialog, but I assume this is out of scope here.</p></div></div><br /><div><strong>INLINE COMMENTS</strong><div><div style="margin: 6px 0 12px 0;"><div style="border: 1px solid #C7CCD9; border-radius: 3px;"><div style="padding: 0; background: #F7F7F7; border-color: #e3e4e8; border-style: solid; border-width: 0 0 1px 0; margin: 0;"><div style="color: #74777d; background: #eff2f4; padding: 6px 8px; overflow: hidden;"><a style="float: right; text-decoration: none;" href="https://phabricator.kde.org/D5394#inline-22435" rel="noreferrer">View Inline</a><span style="color: #4b4d51; font-weight: bold;">katesecuretextbuffer.cpp:88</span></div>
<div style="font: 11px/15px "Menlo", "Consolas", "Monaco", monospace; white-space: pre-wrap; clear: both; padding: 4px 0; margin: 0;"><div style="padding: 0 8px; margin: 0 4px; background: rgba(251, 175, 175, .7);">    <span class="bright"></span><span style="color: #aa4000"><span class="bright">if</span></span><span class="bright"> </span><span class="p"><span class="bright">(</span></span><span class="bright"></span><span style="color: #aa2211"><span class="bright">!</span></span><span class="bright"></span><span class="n"><span class="bright">tempFile</span></span><span class="bright"></span><span class="p"><span class="bright">.</span></span><span class="bright"></span><span class="n"><span class="bright">open</span></span><span class="bright"></span><span class="p"><span class="bright">())</span></span><span class="bright"> </span><span class="p"><span class="bright">{</span></span>
</div><div style="padding: 0 8px; margin: 0 4px; background: rgba(251, 175, 175, .7);">        <span class="bright"></span><span style="color: #aa4000"><span class="bright">return</span></span><span class="bright"> </span><span class="n"><span class="bright">QString</span></span><span class="bright"></span><span class="p"><span class="bright">(</span>);</span>
</div><div style="padding: 0 8px; margin: 0 4px; background: rgba(151, 234, 151, .6);">    <span class="bright">    </span><span style="color: #74777d"><span class="bright">// ensure file has the same owner and group as before</span></span>
</div><div style="padding: 0 8px; margin: 0 4px; background: rgba(151, 234, 151, .6);">        <span class="bright"></span><span class="n"><span class="bright">setOwner</span></span><span class="bright"></span><span class="p"><span class="bright">(</span></span><span class="bright"></span><span class="n"><span class="bright">tempFile</span></span><span class="bright"></span><span class="p"><span class="bright">.</span></span><span class="bright"></span><span class="n"><span class="bright">fileName</span></span><span class="bright"></span><span class="p"><span class="bright">(),</span></span><span class="bright"> </span><span class="n"><span class="bright">ownerId</span></span><span class="bright"></span><span class="p"><span class="bright">,</span></span><span class="bright"> </span><span class="n"><span class="bright">groupId</span></span><span class="p">);</span>
</div><div style="padding: 0 8px; margin: 0 4px; ">    <span class="p">}</span>
</div></div></div>
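Review bot: The added setOwner(tempFile.fileName(), ownerId, groupId) line is a bare statement, so nothing here reacts if the ownership change fails and execution simply continues past the closing brace. If setOwner can report failure, check it on that line and return an error before the file is used any further; keep that check when the call is switched to a descriptor-based one.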
<div style="margin: 8px 0; padding: 0 12px;"><p style="padding: 0; margin: 8px;">This is racy: If the newly set permissions allow someone to delete the file, it can be replaced with a symlink and the chown will take effect on the symlink target, which can be literally anything -> escalation.</p>

<p style="padding: 0; margin: 8px;">This is not an issue for the rename call as if the file permissions allow deleting, they allow deleting for the destination file as well -> no escalation.</p>

<p style="padding: 0; margin: 8px;">Solution: Use fchown.</p></div></div><br /><div style="border: 1px solid #C7CCD9; border-radius: 3px;"><div style="padding: 0; background: #F7F7F7; border-color: #e3e4e8; border-style: solid; border-width: 0 0 1px 0; margin: 0;"><div style="color: #74777d; background: #eff2f4; padding: 6px 8px; overflow: hidden;"><a style="float: right; text-decoration: none;" href="https://phabricator.kde.org/D5394#inline-22436" rel="noreferrer">View Inline</a><span style="color: #4b4d51; font-weight: bold;">katesecuretextbuffer.cpp:92</span></div>
<div style="font: 11px/15px "Menlo", "Consolas", "Monaco", monospace; white-space: pre-wrap; clear: both; padding: 4px 0; margin: 0;"><div style="padding: 0 8px; margin: 0 4px; background: rgba(251, 175, 175, .7);">    <span class="bright"></span><span class="n"><span class="bright">setOwner</span></span><span class="bright"></span><span class="p"><span class="bright">(</span></span><span class="n">temp<span class="bright">File</span></span><span class="bright"></span><span class="p"><span class="bright">.</span></span><span class="n">file<span class="bright">Name</span></span><span class="bright"></span><span class="p"><span class="bright">(),</span></span><span class="bright"> </span><span class="n"><span class="bright">ownerId</span></span><span class="bright"></span><span class="p"><span class="bright">,</span></span><span class="bright"> </span><span style="color: #aa2211"><span class="bright">-</span></span><span class="bright"></span><span style="color: #601200"><span class="bright">1</span></span><span class="bright"></span><span class="p"><span class="bright">);</span></span>
</div><div style="padding: 0 8px; margin: 0 4px; background: rgba(251, 175, 175, .7);">    <span style="color: #aa4000">return</span> <span class="n">tempFile</span><span class="p">.</span><span class="n">fileName</span><span class="p">();</span>
</div><div style="padding: 0 8px; margin: 0 4px; background: rgba(151, 234, 151, .6);">    <span class="bright"></span><span style="color: #74777d"><span class="bright">// rename </span>temp<span class="bright">orary </span>file<span class="bright"> to the target file</span></span>
</div><div style="padding: 0 8px; margin: 0 4px; background: rgba(151, 234, 151, .6);">    <span style="color: #aa4000">return</span> <span class="bright"></span><span class="n"><span class="bright">moveFile</span></span><span class="bright"></span><span class="p"><span class="bright">(</span></span><span class="n">tempFile</span><span class="p">.</span><span class="n">fileName</span><span class="p">(<span class="bright">),</span></span><span class="bright"> </span><span class="n"><span class="bright">targetFile</span></span><span class="p">);</span>
</div><div style="padding: 0 8px; margin: 0 4px; "><span class="p">}</span>
</div></div></div>
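Review bot: On the added return moveFile(tempFile.fileName(), targetFile) line, tempFile still has auto-remove enabled when it goes out of scope, so after a successful move its destructor acts on a name that no longer belongs to this file. Store the result of moveFile, call tempFile.setAutoRemove(false) only when the move succeeded, and leave auto-remove on for the failure path so the temporary file is still cleaned up.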
<div style="margin: 8px 0; padding: 0 12px;"><p style="padding: 0; margin: 8px;">The destructor of QTemporaryFile here tries to unlink the temporary file, which fails if the rename was successful.</p></div></div></div></div></div><br /><div><strong>REPOSITORY</strong><div><div>R39 KTextEditor</div></div></div><br /><div><strong>REVISION DETAIL</strong><div><a href="https://phabricator.kde.org/D5394" rel="noreferrer">https://phabricator.kde.org/D5394</a></div></div><br /><div><strong>To: </strong>martinkostolny, KTextEditor, fvogt<br /><strong>Cc: </strong>elvisangelaccio, aacid, ivan, lbeltrame, fvogt, apol, anthonyfieroni, cullmann, ltoscano, dhaumann, graesslin, davidedmundson, palant, kwrite-devel, dfaure, Frameworks, head7, kfunk, sars<br /></div>
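The fchown suggestion from the first inline comment, as an added example that is not part of the review or of KTextEditor: it changes ownership through the open descriptor and shows that swapping the file name for a symlink does not redirect the call. The helper name `set_owner_fd`, the demo function and the `/tmp/fchown-demo-*` paths are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not KTextEditor code): change ownership through an
 * open descriptor, so the kernel acts on the inode we opened, not on a path. */
int set_owner_fd(int fd, uid_t owner, gid_t group)
{
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;                      /* refuse anything but a regular file */
    return fchown(fd, owner, group);
}

/* Constructed scenario in a private temp directory: the temp file's name is
 * replaced by a symlink to "decoy" between creation and the ownership change.
 * Returns 1 if the descriptor still refers to the original inode while the
 * path now resolves to the decoy, 0 otherwise, -1 on setup failure. */
int demo_path_swap(void)
{
    char dir[] = "/tmp/fchown-demo-XXXXXX", tmp[64], decoy[64];
    struct stat by_fd, by_path, decoy_st;
    int fd = -1, decoy_fd = -1, result = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(tmp, sizeof tmp, "%s/temp", dir);
    snprintf(decoy, sizeof decoy, "%s/decoy", dir);
    decoy_fd = open(decoy, O_CREAT | O_EXCL | O_WRONLY, 0600);
    fd = open(tmp, O_CREAT | O_EXCL | O_RDWR | O_NOFOLLOW, 0600);
    if (fd < 0 || decoy_fd < 0)
        goto out;
    if (unlink(tmp) != 0 || symlink(decoy, tmp) != 0)   /* simulated swap */
        goto out;
    /* Owner and group the process already has, so this runs unprivileged. */
    if (set_owner_fd(fd, geteuid(), getegid()) != 0)
        goto out;
    if (fstat(fd, &by_fd) || stat(tmp, &by_path) || fstat(decoy_fd, &decoy_st))
        goto out;
    /* chown(tmp, ...) would have followed the link and hit the decoy inode. */
    result = by_fd.st_ino != by_path.st_ino && by_path.st_ino == decoy_st.st_ino;
out:
    if (fd >= 0) close(fd);
    if (decoy_fd >= 0) close(decoy_fd);
    unlink(tmp); unlink(decoy); rmdir(dir);
    return result;
}
```

With QTemporaryFile, the descriptor to pass would come from the file object's `handle()` while it is open.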