Review Request 122733: Fix path traversal checks in KPackage
Marco Martin
notmart at gmail.com
Wed Mar 4 20:48:36 UTC 2015
> On March 4, 2015, 7:23 p.m., Hrvoje Senjan wrote:
> > this has broken wallpaper loading here...
> > there's loads of Attempting to read file from invalid package! file type: "metadata" file name: "" package path: "/usr/share/wallpapers/Aghi/" ...
> > warnings...
>
> Marco Martin wrote:
> Right, now an autotest fails :/
>
> Alex Richardson wrote:
> I'll look into this. The "Attempting to read file from invalid package" should probably only be printed if d->fallbackFilePath() returns an empty string. But that only prints a message and doesn't change the behaviour so it can't be the reason.
>
> Are there any "Path traversal attempt detected:" messages?
>
> Marco Martin wrote:
> I tried to make it always return true but the wallpaper selection still fails.
> Can you test it with this dialog?
I see "Path traversal attempt detected:" in packagestructuretest, which is the test that's failing.
- Marco
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/122733/#review77011
-----------------------------------------------------------
On March 3, 2015, 5:53 p.m., Alex Richardson wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/122733/
> -----------------------------------------------------------
>
> (Updated March 3, 2015, 5:53 p.m.)
>
>
> Review request for KDE Frameworks, Plasma and Marco Martin.
>
>
> Repository: kpackage
>
>
> Description
> -------
>
> They did not canonicalize the package base directory path so it would
> always fail when the package base path contained symlinks
>
>
> Diffs
> -----
>
> src/kpackage/package.cpp eb4a09b987970e89f28587426b21d63731634087
> src/kpackage/private/package_p.h e451412fa02c88113aa4c7bbca2dcda3432b2b02
>
> Diff: https://git.reviewboard.kde.org/r/122733/diff/
>
>
> Testing
> -------
>
> Files inside the package are now found although the install location contains a symlink
>
>
> Thanks,
>
> Alex Richardson
>
>
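The failure described in the review request, a containment check that rejects valid files when the package base path contains a symlink, can be reproduced outside Qt. This is an added example, not KPackage's code and not part of the thread: it uses POSIX `realpath()`, and the function names, the temporary fixture and the assumption that the earlier check canonicalized only the file path are constructed for illustration.

```cpp
#include <climits>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <sys/stat.h>
#include <unistd.h>
// Resolve symlinks, "." and ".."; returns "" if the path does not exist.
static std::string canonical(const std::string &p) {
    char buf[PATH_MAX];
    return realpath(p.c_str(), buf) ? std::string(buf) : std::string();
}

// True if path is base or lies below it; per component, so "/pkg2/x" fails for "/pkg".
static bool isInside(std::string base, const std::string &path) {
    if (base.empty() || path.empty()) return false;
    if (base[base.size() - 1] != '/') base += '/';
    return (path + "/").compare(0, base.size(), base) == 0;
}

// Assumed "before" behaviour: only the file path is canonicalized.
bool naiveCheck(const std::string &base, const std::string &rel) {
    return isInside(base, canonical(base + "/" + rel));
}

// Both sides canonicalized before the comparison.
bool fixedCheck(const std::string &base, const std::string &rel) {
    return isInside(canonical(base), canonical(base + "/" + rel));
}

static bool touch(const std::string &p) { FILE *f = fopen(p.c_str(), "w"); return f && fclose(f) == 0; }
// Constructed fixture: root/real/contents/metadata, root/secret, root/link -> real.
std::string makeFixture() {
    char tmpl[] = "/tmp/pkgcheck-XXXXXX";
    const char *made = mkdtemp(tmpl);
    std::string root = made ? canonical(made) : std::string();
    if (root.empty() || mkdir((root + "/real").c_str(), 0700) != 0 ||
        mkdir((root + "/real/contents").c_str(), 0700) != 0 ||
        !touch(root + "/real/contents/metadata") || !touch(root + "/secret") ||
        symlink("real", (root + "/link").c_str()) != 0)
        return std::string();
    return root;
}

int main() {
    const std::string root = makeFixture(), pkg = root + "/link";
    if (root.empty()) return 1;
    printf("naive=%d fixed=%d traversal=%d\n", naiveCheck(pkg, "contents/metadata"),
           fixedCheck(pkg, "contents/metadata"), fixedCheck(pkg, "../secret"));
}
```

Canonicalizing the base does not loosen the check: a relative name that climbs out of the package with `..` still resolves outside the canonical base and is rejected.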