[Kde-pim] Fwd: Re: KDE 4.4.98 (4.4 RC3)
Eike Hein
hein at kde.org
Sun Feb 7 03:31:56 GMT 2010
Let me re-summarize the situation for clarity: Right
now you have to be careful about what's inside the
QString you pass to KNotification, because if it con-
tains characters in a certain Unicode character range
your application will crash as a result due to D-Bus
closing the connection.
This is problematic because there are many applica-
tions (chat/messenger apps, some Plasmoids, maybe
PIM) that pass network-originated data to KNotifi-
cation without removing characters in that range
first, since the use of D-Bus is an implementation
detail irrelevant to the KNotification API, and
since this D-Bus behavior is not widely known. In
general, KNotification is among the most prevalent
ways a KDE application will move its data through
D-Bus.
The underlying problem is not specific to KNotifi-
cation and should be addressed either in Qt or in
D-Bus, since it's unrealistic to expect all use of
D-Bus on the application code or even above-Qt lib-
rary level to be augmented to screen for these
characters.
However, since KNotification is a known and broad
attack vector, any such change will not make it into
Qt 4.6.2 (according to Thiago) and the discussion on
whether to change D-Bus has only just begun on the
D-Bus mailing list, and we're about to release KDE
4.4.0, we have the opportunity to release it with a
preemptive workaround that addresses the issue as it
pertains to KNotification.
--
Best regards,
Eike Hein
More information about the kde-core-devel
mailing list