Review Request 122733: Fix path traversal checks in KPackage

Marco Martin notmart at gmail.com
Wed Mar 4 20:48:36 UTC 2015



> On March 4, 2015, 7:23 p.m., Hrvoje Senjan wrote:
> > This has broken wallpaper loading here...
> > there's loads of Attempting to read file from invalid package! file type: "metadata" file name: "" package path: "/usr/share/wallpapers/Aghi/" ...
> > warnings...
> 
> Marco Martin wrote:
>     Right, now an autotest fails :/
> 
> Alex Richardson wrote:
>     I'll look into this. The "Attempting to read file from invalid package" should probably only be printed if d->fallbackFilePath() returns an empty string. But that only prints a message and doesn't change the behaviour so it can't be the reason.
>     
>     Are there any "Path traversal attempt detected:" messages?
> 
> Marco Martin wrote:
>     I tried to make it always return true, but the wallpaper selection still fails.
>     Can you test it with this dialog?

I see "Path traversal attempt detected:" in packagestructuretest, which is the test that's failing.


- Marco


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/122733/#review77011
-----------------------------------------------------------


On March 3, 2015, 5:53 p.m., Alex Richardson wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/122733/
> -----------------------------------------------------------
> 
> (Updated March 3, 2015, 5:53 p.m.)
> 
> 
> Review request for KDE Frameworks, Plasma and Marco Martin.
> 
> 
> Repository: kpackage
> 
> 
> Description
> -------
> 
> They did not canonicalize the package base directory path, so it would
> always fail when the package base path contained symlinks.
> 
> 
> Diffs
> -----
> 
>   src/kpackage/package.cpp eb4a09b987970e89f28587426b21d63731634087 
>   src/kpackage/private/package_p.h e451412fa02c88113aa4c7bbca2dcda3432b2b02 
> 
> Diff: https://git.reviewboard.kde.org/r/122733/diff/
> 
> 
> Testing
> -------
> 
> Files inside the package are now found although the install location contains a symlink.
> 
> 
> Thanks,
> 
> Alex Richardson
> 
>
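The symlink problem described in the review request, as an added example that is not KPackage's own code: a containment check that canonicalizes the requested file but compares it against the package root as given rejects every file once the root goes through a symlink, while canonicalizing the root first gives the intended result. Function names, the fixture layout and the file names are assumptions made for this example.

```cpp
// Added example (not KPackage code): containment check with and without
// canonicalizing the package root. Built with std::filesystem (C++17).
#include <filesystem>
#include <fstream>
#include <iostream>
#include <string>

namespace fs = std::filesystem;

// True if `resolved` lies below directory `root` (both absolute, no trailing slash).
static bool hasDirPrefix(const fs::path& root, const fs::path& resolved) {
    std::string prefix = root.string();
    if (prefix.back() != '/') prefix += '/';
    return resolved.string().compare(0, prefix.size(), prefix) == 0;
}

// Pre-fix behaviour (assumed shape): the requested file is resolved through
// symlinks, but the root is compared as given, so a symlinked root never matches.
bool naiveInsidePackage(const fs::path& packageRoot, const std::string& fileName) {
    std::error_code ec;
    fs::path resolved = fs::weakly_canonical(packageRoot / fileName, ec);
    return !ec && hasDirPrefix(packageRoot.lexically_normal(), resolved);
}

// Fixed behaviour: canonicalize the root too, then compare like with like.
bool canonicalInsidePackage(const fs::path& packageRoot, const std::string& fileName) {
    std::error_code ec;
    fs::path root = fs::canonical(packageRoot, ec);
    if (ec) return false;
    fs::path resolved = fs::weakly_canonical(root / fileName, ec);
    return !ec && hasDirPrefix(root, resolved);
}

// Constructed fixture: a real package directory plus a symlink pointing at it.
// Returns the symlinked path, standing in for an install prefix that is a symlink.
fs::path makeFixture() {
    fs::path base = fs::temp_directory_path() / "kpackage-example";
    fs::remove_all(base);
    fs::create_directories(base / "real" / "contents");
    std::ofstream(base / "real" / "metadata.desktop") << "[Desktop Entry]\n";
    fs::create_directory_symlink(base / "real", base / "link");
    return base / "link";
}

int main() {
    fs::path root = makeFixture();
    std::cout << "naive:     " << naiveInsidePackage(root, "metadata.desktop") << '\n'      // 0
              << "canonical: " << canonicalInsidePackage(root, "metadata.desktop") << '\n' // 1
              << "escape:    " << canonicalInsidePackage(root, "../outside.txt") << '\n';  // 0
}
```

The naive variant is what produces spurious rejections (the kind of "Path traversal attempt detected:" noise the thread reports), while the canonical variant still refuses a request that normalizes to a path outside the root.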
