D7146: Fix information leak via /tmp

Nicolas Fella noreply at phabricator.kde.org
Sat Aug 5 11:41:16 UTC 2017


nicolasfella created this revision.
nicolasfella added a project: KDE Connect.

REVISION SUMMARY
  > If I go to /tmp/kdeconnect I get to see which friends messaged me. This is wrong because this is personal data:
  > 
  > - some people encrypt their home folder because of such privacy concerns
  > - on shared systems one would get to see each other's acquaintances
  
  This would be an easy fix. However, we should consider different approaches. Here are my thoughts on this:
  
  Using this revision would likely be Linux- (or Unix-) only.
  
  Qt doc says about QDir::temp():
  
  > On Unix/Linux systems this is the path in the TMPDIR environment variable or /tmp if TMPDIR is not defined. On Windows this is usually the path in the TEMP or TMP environment variable.
  
  This would be portable, but we have no control over which directory is chosen and we don't like the default. This would give the user the choice, but I don't think many will care.
  
  I thought about storing the icons in memory only when I worked on the notification icons the first time, but I could not make it work because the only way I managed to access the payload was through a FiletransferJob. We could delete the files right after loading them to memory, but it might be useful one day to have them on the disk.
  
  > Every plugin has a storage directory available to it. Maybe we can use that?
  
  @albertvaka Can you give me an example on how to access it?
  
  What do you guys think about this?

REPOSITORY
  R224 KDE Connect

REVISION DETAIL
  https://phabricator.kde.org/D7146

AFFECTED FILES
  plugins/notifications/notification.cpp

To: nicolasfella, #kde_connect
Cc: #kde_connect, albertvaka, tfella, aboudhar, seebauer, progwolff, MayeulC, menasshock, ach, apol, hkaelberer
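
An added example, not part of the original message and not KDE Connect code: a POSIX/C++ sketch of the check and fix the summary is weighing, detecting a cache directory that other local users can list and restricting it to its owner. It assumes the directory was created with permissive default permissions; the function names and the scratch path are hypothetical.

```cpp
// Added illustration, not KDE Connect code; all function names are hypothetical.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cerrno>
#include <cstdlib>
#include <string>

// True if group or other users can list or traverse `dir`.
bool listable_by_others(const std::string& dir) {
    struct stat st{};
    if (lstat(dir.c_str(), &st) != 0 || !S_ISDIR(st.st_mode)) return false;
    return (st.st_mode & (S_IRGRP | S_IXGRP | S_IROTH | S_IXOTH)) != 0;
}

// Create or reuse `dir` so only the calling user can access it. In a shared
// parent such as /tmp another user may have pre-created the path, so symlinks
// and directories owned by someone else are refused.
bool ensure_private_dir(const std::string& dir) {
    if (mkdir(dir.c_str(), 0700) != 0 && errno != EEXIST) return false;
    int fd = open(dir.c_str(), O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return false;
    struct stat st{};
    // An existing directory keeps its old mode, so set 0700 explicitly.
    bool ok = fstat(fd, &st) == 0 && st.st_uid == geteuid() && fchmod(fd, 0700) == 0;
    close(fd);
    return ok;
}

// Constructed demo in a scratch directory: build a 0755 "kdeconnect" folder,
// confirm it is exposed, harden it, and confirm a symlink is rejected.
bool demo() {
    char base[] = "/tmp/leakdemo-XXXXXX";
    if (!mkdtemp(base)) return false;
    const std::string dir = std::string(base) + "/kdeconnect";
    const std::string link = std::string(base) + "/link";
    bool ok = mkdir(dir.c_str(), 0755) == 0 && chmod(dir.c_str(), 0755) == 0;
    ok = ok && listable_by_others(dir);       // exposed before
    ok = ok && ensure_private_dir(dir);       // hardened in place
    ok = ok && !listable_by_others(dir);      // private after
    ok = ok && symlink(dir.c_str(), link.c_str()) == 0;
    ok = ok && !ensure_private_dir(link);     // symlinked path refused
    unlink(link.c_str());
    rmdir(dir.c_str());
    rmdir(base);
    return ok;
}

int main() { return demo() ? 0 : 1; }
```

Restricting the mode hides the file names from other local users but leaves the data in /tmp, so it does not address the encrypted-home concern quoted in the summary; a directory under the user's home would.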