Review Request 123724: Use QTemporaryFile instead of hardcoding /tmp.

Frank Reininghaus frank78ac at googlemail.com
Tue May 12 17:36:59 UTC 2015



> On May 12, 2015, 3:49 p.m., Jan Kundrát wrote:
> > Was the old code a part of some release? If yes, this should get a CVE security announcement because it allows a local attacker to e.g. force you to overwrite some of your user's files.
> 
> Michael Palimaka wrote:
>     It looks like it was introduced in 999e774b3ce117598df2029364bd10f4347be81c and released in 0.2.0 and later.

Could you elaborate on how such an attack would work? Even if we ignore that the code in question is part of an autotest which is probably never installed anywhere, such that systems of packagers, developers and users who build from source are the only possible targets, I really don't see how an attacker could use the code to cause any unintended damage. Anyone who runs the test regularly creates and deletes the file /tmp/kpeople_test_db already, so what other damage could a local attacker cause?


- Frank


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/123724/#review80247
-----------------------------------------------------------


On May 12, 2015, 12:49 p.m., Michael Palimaka wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/123724/
> -----------------------------------------------------------
> 
> (Updated May 12, 2015, 12:49 p.m.)
> 
> 
> Review request for KDE Frameworks and KDEPIM.
> 
> 
> Repository: kpeople
> 
> 
> Description
> -------
> 
> Hardcoding files like this seems like a bad idea.
> 
> 
> Diffs
> -----
> 
>   autotests/persondatatests.h 30eeeb5cd647c713f1b438543a54516ced9f3ede 
>   autotests/persondatatests.cpp 73098d3717509ad80761bbd02000b4ce5060bbb2 
>   autotests/personsmodeltest.h 5b8879521f334459c4f73c2708b3368c543e40a3 
>   autotests/personsmodeltest.cpp b19d1baf8a2c2e617d4b6128df29fbab3b8e61a7 
> 
> Diff: https://git.reviewboard.kde.org/r/123724/diff/
> 
> 
> Testing
> -------
> 
> Tests still pass.
> 
> 
> Thanks,
> 
> Michael Palimaka
> 
>
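The pattern this review request replaces and the one it adopts, side by side, as an added example; it is not code from kpeople, Qt or anyone in this thread. It uses POSIX open(2) and mkstemp(3) directly rather than QTemporaryFile so that it builds without Qt; QTemporaryFile is the Qt-side counterpart of the mkstemp path (a unique, unpredictable name created atomically). The scratch directory under /tmp, the file `victim`, the symlink at the name `kpeople_test_db` (borrowed from Frank's mail) and the 9-byte content are all constructed for the demonstration; `run_demo()`, `DemoResult` and the helper names are this example's own.

```cpp
// Added example (not kpeople or Qt code): a hardcoded, predictable temp path
// versus atomic creation of a uniquely named file, the approach QTemporaryFile
// takes in Qt. POSIX only, so it builds without Qt.
#include <cerrno>
#include <cstdio>
#include <cstdlib>
#include <fcntl.h>
#include <initializer_list>
#include <string>
#include <sys/stat.h>
#include <unistd.h>
#include <vector>

// Old pattern: a fixed, well-known path opened with O_CREAT|O_TRUNC. If
// anything already sits at that path, open() follows it, so a symlink placed
// there beforehand redirects the truncate to whatever the link points at.
int open_fixed_path_naive(const std::string& path) {
    return ::open(path.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

// Hardened open for code that must keep a chosen path: O_EXCL makes the call
// fail unless it created the file itself (POSIX specifies EEXIST even when the
// path is a symlink) and O_NOFOLLOW refuses a trailing symlink outright.
// Success therefore means a fresh file that this process created.
int open_fixed_path_hardened(const std::string& path) {
    return ::open(path.c_str(), O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

// Preferred pattern: mkstemp(3) picks an unpredictable name and creates the
// file atomically with O_CREAT|O_EXCL. Returns the path and stores the open
// descriptor in *fd_out; returns "" on failure.
std::string create_unique_temp(const std::string& dir, int* fd_out) {
    std::string tmpl = dir + "/kpeople_test_db.XXXXXX";
    std::vector<char> buf(tmpl.begin(), tmpl.end());
    buf.push_back('\0');
    int fd = ::mkstemp(buf.data());   // rewrites the XXXXXX in place
    if (fd < 0) return "";
    *fd_out = fd;
    return std::string(buf.data());
}

// Outcome of the constructed scenario in run_demo(), for the reader and the test.
struct DemoResult {
    bool hardened_refused;              // hardened open failed on the planted symlink
    int hardened_errno;                 // EEXIST or ELOOP, depending on the kernel
    bool victim_intact_after_hardened;  // target still holds its 9 bytes
    bool naive_truncated_victim;        // naive open followed the link and truncated it
    bool unique_names_differ;           // two mkstemp calls gave different names
};

static off_t file_size(const std::string& p) {
    struct stat st;
    return ::stat(p.c_str(), &st) == 0 ? st.st_size : -1;
}

DemoResult run_demo() {
    DemoResult r = {false, 0, false, false, false};
    // Constructed scratch directory under /tmp; everything below lives inside it.
    char dir_tmpl[] = "/tmp/tmpfile_demo.XXXXXX";
    if (::mkdtemp(dir_tmpl) == nullptr) return r;
    const std::string d(dir_tmpl);
    // 'victim' stands in for a file the user cares about; 'kpeople_test_db' is
    // a symlink to it, already sitting at the predictable name.
    const std::string victim = d + "/victim";
    const std::string fixed = d + "/kpeople_test_db";
    int vfd = ::open(victim.c_str(), O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (vfd < 0 || ::write(vfd, "important", 9) != 9) return r;
    ::close(vfd);
    if (::symlink(victim.c_str(), fixed.c_str()) != 0) return r;

    // Hardened open: refuses, and the target is untouched.
    int hfd = open_fixed_path_hardened(fixed);
    r.hardened_refused = (hfd < 0);
    r.hardened_errno = hfd < 0 ? errno : 0;
    if (hfd >= 0) ::close(hfd);
    r.victim_intact_after_hardened = (file_size(victim) == 9);

    // Naive open: follows the link and truncates the target to zero bytes.
    int nfd = open_fixed_path_naive(fixed);
    if (nfd >= 0) ::close(nfd);
    r.naive_truncated_victim = (nfd >= 0 && file_size(victim) == 0);

    // mkstemp-style creation: there is no fixed name to plant anything at.
    int fd1 = -1, fd2 = -1;
    const std::string p1 = create_unique_temp(d, &fd1);
    const std::string p2 = create_unique_temp(d, &fd2);
    r.unique_names_differ = !p1.empty() && !p2.empty() && p1 != p2;

    // Clean up the scratch directory.
    for (int fd : {fd1, fd2}) if (fd >= 0) ::close(fd);
    for (const std::string& p : {p1, p2, fixed, victim}) ::unlink(p.c_str());
    ::rmdir(d.c_str());
    return r;
}

int main() {
    DemoResult r = run_demo();
    std::printf("hardened refused=%d (errno %d) victim intact=%d | naive truncated=%d | unique names=%d\n",
                r.hardened_refused, r.hardened_errno, r.victim_intact_after_hardened,
                r.naive_truncated_victim, r.unique_names_differ);
    return 0;
}
```

Running it shows the three behaviours the thread is about: the hardened open fails on the pre-placed symlink and leaves the target at its original size, the naive open succeeds and truncates the target to zero bytes, and the two mkstemp calls return different names, so there is no fixed path for anything to be placed at in advance. Whether the hardened open reports EEXIST (Linux checks O_EXCL first) or ELOOP (the O_NOFOLLOW path) depends on the kernel; the example records it rather than assuming one. O_EXCL alone already refuses a symlink per POSIX; O_NOFOLLOW is added so the intent is explicit and the check does not depend on the creating flag.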
