Review Request 128219: No longer allow installing to generic data folder because of security hole.

David Faure faure at kde.org
Fri Jun 17 07:36:33 UTC 2016


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/128219/#review96621
-----------------------------------------------------------




src/core/installation.cpp (line 365)
<https://git.reviewboard.kde.org/r/128219/#comment65283>

    Should this code get support for "appdata" then?
    (typically share/kmyapp)
    
    Otherwise I don't see where application data would get installed anymore.
    
    Am I right that there must be lots of apps using "data" right now, for lack of "appdata" support?
    Surely not every app using knewstuff is using it for "tmp" or "config" files...



src/core/installation.cpp (line 366)
<https://git.reviewboard.kde.org/r/128219/#comment65281>

    API misuse is normally rewarded with a q[C]Warning rather than a q[C]Debug.
    
    The message should also mention what to use instead (depending on the result of the discussion in the previous comment).



src/core/installation.cpp (line 379)
<https://git.reviewboard.kde.org/r/128219/#comment65282>

    There are of course other values for targetDirectory which would create problems.
    - "//"
    - "./"
    - "../etc"
    - and so on
    
    But this is a setting written by the app developer, not by the person uploading knewstuff data, so we can assume no malicious intention, right?


- David Faure


On June 17, 2016, 1:55 a.m., Jeremy Whiting wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/128219/
> -----------------------------------------------------------
> 
> (Updated June 17, 2016, 1:55 a.m.)
> 
> 
> Review request for KDE Frameworks, David Faure and Richard Moore.
> 
> 
> Repository: knewstuff
> 
> 
> Description
> -------
> 
> When an application uses TargetDir=/ or StandardResource=data give a warning on the terminal and don't use the chosen location.
> 
> 
> Diffs
> -----
> 
>   src/core/installation.cpp cbd0653 
> 
> Diff: https://git.reviewboard.kde.org/r/128219/diff/
> 
> 
> Testing
> -------
> 
> No testing done yet, will write a unit test of some kind if this is the right direction.
> 
> 
> Thanks,
> 
> Jeremy Whiting
> 
>
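An added example, not part of the knewstuff patch under review, of a check that rejects the problematic targetDirectory values listed in the review above ("/", "//", "./", "../etc"). It is plain C++ rather than Qt so it runs stand-alone, and it assumes (my assumption, not stated in the thread) that targetDirectory must name a relative sub-directory of the application's data location, never the data root itself and never a path that escapes it:

```cpp
// Added example (not knewstuff's own code): validate an install "targetDirectory"
// setting before using it as an install location.
// Assumption: the value is a POSIX-style relative sub-directory of the
// application's data location; backslashes are treated as ordinary characters.
#include <string>
#include <vector>

// Split a path on '/' into its components, dropping empty ones, so that
// "//" behaves like "/" and "a//b" like "a/b".
static std::vector<std::string> splitPath(const std::string &path) {
    std::vector<std::string> parts;
    std::string current;
    for (char c : path) {
        if (c == '/') {
            if (!current.empty()) parts.push_back(current);
            current.clear();
        } else {
            current += c;
        }
    }
    if (!current.empty()) parts.push_back(current);
    return parts;
}

// Returns true only if targetDirectory names a proper sub-directory:
// not absolute ("/", "//", "/usr/share"), not the base itself ("", "./", "."),
// and with no ".." component anywhere ("../etc", "kmyapp/../../etc").
bool isSafeTargetDirectory(const std::string &targetDirectory) {
    if (targetDirectory.empty() || targetDirectory[0] == '/') return false;
    const std::vector<std::string> parts = splitPath(targetDirectory);
    bool hasRealComponent = false;
    for (const std::string &part : parts) {
        if (part == "..") return false;      // would escape the data location
        if (part != ".") hasRealComponent = true;
    }
    return hasRealComponent;                 // "." or "./" alone is the base itself
}
```

A caller would refuse to install (and warn, as the review suggests) whenever this returns false, instead of falling through to the chosen location.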
