Review Request 128219: No longer allow installing to generic data folder because of security hole.

David Faure faure at kde.org
Fri Aug 12 08:44:21 UTC 2016



> On June 17, 2016, 7:36 a.m., David Faure wrote:
> > src/core/installation.cpp, line 379
> > <https://git.reviewboard.kde.org/r/128219/diff/1/?file=469097#file469097line379>
> >
> >     There are of course other values for targetDirectory which would create problems.
> >     - "//"
> >     - "./"
> >     - "../etc"
> >     - and so on
> >     
> >     But this is a setting written by the app developer, not by the person uploading knewstuff data, so we can assume no malicious intention, right?
> 
> Jeremy Whiting wrote:
>     Yes only application developer. Or end user if they want to tweak the .knsrc files by hand to introduce a security vulnerability. Though if they wanted to do that there are much easier ways to do it.
> 
> Jeremy Whiting wrote:
>     Heh, the apidocs for KNS3::DownloadDialog about knsrc files says: "StandardResource: not available in KF5, use XdgTargetDir instead." maybe we should remove all support for StandardResource=. Though some applications have StandardResource=tmp that I saw, are those all broken? or where did the text in the apidocs come from? Git blame just says it's from before the split into separate git repos.
> 
> David Faure wrote:
>     That was me in d46bdbf, actually.
>     
>     Later on Marco restored some support for StandardResource in 3c9aace.
>     
>     I suppose there's no harm in keeping StandardResource == "tmp" or "config", for compatibility. Or "data" with a subdir...

Ping? Can you update the patch? Maybe remove support for StandardResource="data" altogether, if it's not used (from what we can see) and too dangerous to make sure it's always used right (targetDirectory="./" would reintroduce the issue).

(BTW I updated the lxr software, and now https://lxr.kde.org/search?_filestring=.knsrc&_string=StandardResource&_casesensitive=1 is much easier to read)


- David


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/128219/#review96621
-----------------------------------------------------------


On June 17, 2016, 1:55 a.m., Jeremy Whiting wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/128219/
> -----------------------------------------------------------
> 
> (Updated June 17, 2016, 1:55 a.m.)
> 
> 
> Review request for KDE Frameworks, David Faure and Richard Moore.
> 
> 
> Repository: knewstuff
> 
> 
> Description
> -------
> 
> When an application uses TargetDir=/ or StandardResource=data give a warning on the terminal and don't use the chosen location.
> 
> 
> Diffs
> -----
> 
>   src/core/installation.cpp cbd0653 
> 
> Diff: https://git.reviewboard.kde.org/r/128219/diff/
> 
> 
> Testing
> -------
> 
> No testing done yet, will write a unit test of some kind if this is the right direction.
> 
> 
> Thanks,
> 
> Jeremy Whiting
> 
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kde-frameworks-devel/attachments/20160812/bd9feaf2/attachment-0001.html>


More information about the Kde-frameworks-devel mailing list