Review Request 128219: No longer allow installing to generic data folder because of security hole.
David Faure
faure at kde.org
Fri Aug 12 08:44:21 UTC 2016
> On June 17, 2016, 7:36 a.m., David Faure wrote:
> > src/core/installation.cpp, line 379
> > <https://git.reviewboard.kde.org/r/128219/diff/1/?file=469097#file469097line379>
> >
> > There are of course other values for targetDirectory which would create problems.
> > - "//"
> > - "./"
> > - "../etc"
> > - and so on
> >
> > But this is a setting written by the app developer, not by the person uploading knewstuff data, so we can assume no malicious intention, right?
>
> Jeremy Whiting wrote:
> Yes only application developer. Or end user if they want to tweak the .knsrc files by hand to introduce a security vulnerability. Though if they wanted to do that there are much easier ways to do it.
>
> Jeremy Whiting wrote:
> Heh, the apidocs for KNS3::DownloadDialog about knsrc files says: "StandardResource: not available in KF5, use XdgTargetDir instead." maybe we should remove all support for StandardResource=. Though some applications have StandardResource=tmp that I saw, are those all broken? or where did the text in the apidocs come from? Git blame just says it's from before the split into separate git repos.
>
> David Faure wrote:
> That was me in d46bdbf, actually.
>
> Later on Marco restored some support for StandardResource in 3c9aace.
>
> I suppose there's no harm in keeping StandardResource == "tmp" or "config", for compatibility. Or "data" with a subdir...
Ping? Can you update the patch? Maybe remove support for StandardResource="data" altogether, if it's not used (from what we can see) and too dangerous to make sure it's always used right (targetDirectory="./" would reintroduce the issue).
(BTW I updated the lxr software, and now https://lxr.kde.org/search?_filestring=.knsrc&_string=StandardResource&_casesensitive=1 is much easier to read)
- David
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/128219/#review96621
-----------------------------------------------------------
On June 17, 2016, 1:55 a.m., Jeremy Whiting wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/128219/
> -----------------------------------------------------------
>
> (Updated June 17, 2016, 1:55 a.m.)
>
>
> Review request for KDE Frameworks, David Faure and Richard Moore.
>
>
> Repository: knewstuff
>
>
> Description
> -------
>
> When an application uses TargetDir=/ or StandardResource=data give a warning on the terminal and don't use the chosen location.
>
>
> Diffs
> -----
>
> src/core/installation.cpp cbd0653
>
> Diff: https://git.reviewboard.kde.org/r/128219/diff/
>
>
> Testing
> -------
>
> No testing done yet, will write a unit test of some kind if this is the right direction.
>
>
> Thanks,
>
> Jeremy Whiting
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kde-frameworks-devel/attachments/20160812/bd9feaf2/attachment-0001.html>
More information about the Kde-frameworks-devel
mailing list