Review Request 128219: No longer allow installing to generic data folder because of security hole.

David Faure faure at kde.org
Fri Jul 1 07:40:27 UTC 2016



> On June 17, 2016, 7:36 a.m., David Faure wrote:
> > src/core/installation.cpp, line 379
> > <https://git.reviewboard.kde.org/r/128219/diff/1/?file=469097#file469097line379>
> >
> >     There are of course other values for targetDirectory which would create problems.
> >     - "//"
> >     - "./"
> >     - "../etc"
> >     - and so on
> >     
> >     But this is a setting written by the app developer, not by the person uploading knewstuff data, so we can assume no malicious intention, right?
> 
> Jeremy Whiting wrote:
>     Yes only application developer. Or end user if they want to tweak the .knsrc files by hand to introduce a security vulnerability. Though if they wanted to do that there are much easier ways to do it.
> 
> Jeremy Whiting wrote:
>     Heh, the apidocs for KNS3::DownloadDialog about knsrc files says: "StandardResource: not available in KF5, use XdgTargetDir instead." maybe we should remove all support for StandardResource=. Though some applications have StandardResource=tmp that I saw, are those all broken? or where did the text in the apidocs come from? Git blame just says it's from before the split into separate git repos.

That was me in d46bdbf, actually.

Later on Marco restored some support for StandardResource in 3c9aace.

I suppose there's no harm in keeping StandardResource == "tmp" or "config", for compatibility. Or "data" with a subdir...


- David


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/128219/#review96621
-----------------------------------------------------------


On June 17, 2016, 1:55 a.m., Jeremy Whiting wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/128219/
> -----------------------------------------------------------
> 
> (Updated June 17, 2016, 1:55 a.m.)
> 
> 
> Review request for KDE Frameworks, David Faure and Richard Moore.
> 
> 
> Repository: knewstuff
> 
> 
> Description
> -------
> 
> When an application uses TargetDir=/ or StandardResource=data give a warning on the terminal and don't use the chosen location.
> 
> 
> Diffs
> -----
> 
>   src/core/installation.cpp cbd0653 
> 
> Diff: https://git.reviewboard.kde.org/r/128219/diff/
> 
> 
> Testing
> -------
> 
> No testing done yet, will write a unit test of some kind if this is the right direction.
> 
> 
> Thanks,
> 
> Jeremy Whiting
> 
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kde-frameworks-devel/attachments/20160701/dc1521f5/attachment.html>


More information about the Kde-frameworks-devel mailing list