D5394: KAuth integration in document saving - vol. 2
Fabian Vogt
noreply at phabricator.kde.org
Tue Apr 11 08:35:11 UTC 2017
fvogt requested changes to this revision.
fvogt added a comment.
This revision now requires changes to proceed.
In https://phabricator.kde.org/D5394#101291, @aacid wrote:
> In https://phabricator.kde.org/D5394#101275, @fvogt wrote:
>
> > what are the permissions of the temporary file that QSaveFile creates?
>
>
> If the file exists it re-uses the existing permissions, otherwise it uses 666
> https://github.com/qt/qtbase/blob/dev/src/corelib/io/qsavefile.cpp#L235
Who thought that was a good idea? This allows literally *anyone* to change any file being edited (if the process does not have a umask such as 022)
Although that means upstream Qt is currently unusuable, I'd suggest to use QTemporaryFile as a workaround as substitution for QSaveFile at least in this instance or assign a umask to the process (if Qt does not override this)
While ktexteditor uses QSaveFile in other places as well, those are not as critical as this issue, so fixing that in Qt directly is IMO the best approach.
REPOSITORY
R39 KTextEditor
REVISION DETAIL
https://phabricator.kde.org/D5394
To: martinkostolny, #ktexteditor, fvogt
Cc: elvisangelaccio, aacid, ivan, lbeltrame, fvogt, apol, anthonyfieroni, cullmann, ltoscano, dhaumann, graesslin, davidedmundson, palant, kwrite-devel, dfaure, #frameworks, head7, kfunk, sars
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.kde.org/pipermail/kde-frameworks-devel/attachments/20170411/7eea8583/attachment.html>
More information about the Kde-frameworks-devel
mailing list