D15180: kioexecd: watch for creations or modifications of the temporary files
Elvis Angelaccio
noreply at phabricator.kde.org
Tue Sep 4 20:58:47 BST 2018
elvisangelaccio requested changes to this revision.
elvisangelaccio added inline comments.
This revision now requires changes to proceed.
INLINE COMMENTS
> kioexecd.cpp:65
> qCDebug(KIOEXEC) << "About to delete" << parentDir << "containing" << info.fileName();
> - QFile::remove(it.key());
> - QDir().rmdir(parentDir);
> + QDir(parentDir).removeRecursively();
> }
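Review bot: at the added `QDir(parentDir).removeRecursively();` line the bool result is discarded, and nothing in the visible lines checks `parentDir` against an expected base directory. The removed pair deleted only the single file `it.key()` and then called `rmdir`, which fails when anything else is left in the directory; the replacement deletes everything under `parentDir`. Suggest confirming `parentDir` lies under the expected temporary location before this call, and emitting a `qCWarning(KIOEXEC)` when `removeRecursively()` returns false so a partial delete does not go unnoticed.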
The problem with using `QDir::removeRecursively()` is that the folder we are going to delete recursively is an input from dbus. What happens if some malicious software calls `watch("~/dummy.txt")` ?
At the very least we need to check whether this folder starts with `QStandardPaths::writableLocation(QStandardPaths::CacheLocation) + QStringLiteral("/krun")` (the path used by `kioexec`).
REPOSITORY
R241 KIO
REVISION DETAIL
https://phabricator.kde.org/D15180
To: jtamate, #frameworks, broulik, ngraham, dfaure, elvisangelaccio
Cc: anthonyfieroni, elvisangelaccio, kde-frameworks-devel, michaelh, ngraham, bruns
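
The containment check suggested in the inline comment above, as an added example that is not part of the original message or of KIO's code. It uses `std::filesystem` instead of Qt so it is self-contained; the helper names and the sample base path are assumptions, and the check is lexical only (symlinks are not resolved).

```cpp
// Added example (not KIO code): containment check before a recursive delete.
#include <filesystem>
#include <iostream>
#include <string>

namespace fs = std::filesystem;

// Constructed stand-in for CacheLocation + "/krun"; not a value from the page.
const char *const kSampleBase = "/home/user/.cache/kioexec/krun";

// Literal "starts with" on the raw string (hypothetical helper, for contrast).
bool naivePrefixCheck(const std::string &base, const std::string &dir)
{
    return dir.compare(0, base.size(), base) == 0;
}

// True only if dir is a strict descendant of base once "." and ".." are
// collapsed. Purely lexical: symlinks are not resolved (hypothetical helper).
bool isStrictlyInside(const fs::path &base, const fs::path &dir)
{
    if (!base.is_absolute() || !dir.is_absolute())
        return false;                       // refuse relative input outright
    const fs::path rel =
        dir.lexically_normal().lexically_relative(base.lexically_normal());
    if (rel.empty() || rel == fs::path("."))
        return false;                       // unrelated roots, or base itself
    return rel.begin()->string() != "..";   // must not climb out of base
}

int main()
{
    const std::string samples[] = {         // constructed inputs
        std::string(kSampleBase) + "/4711_0",
        std::string(kSampleBase) + "evil/4711_0",
        std::string(kSampleBase) + "/../../../Documents",
        "/home/user",
    };
    for (const std::string &s : samples)
        std::cout << s << "  naive=" << naivePrefixCheck(kSampleBase, s)
                  << "  strict=" << isStrictlyInside(kSampleBase, s) << '\n';
    return 0;
}
```

The second and third samples pass the plain string-prefix test but are rejected by the component-wise one. In Qt code the same comparison would normally be made on canonicalized paths (for example `QDir::canonicalPath()`) so that symlinks are resolved first.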