[kde] [Bug 487152] New: GUI polkit authentication doesn't show long commands
bugzilla_noreply at kde.org
Fri May 17 16:54:35 BST 2024
https://bugs.kde.org/show_bug.cgi?id=487152
Bug ID: 487152
Summary: GUI polkit authentication doesn't show long commands
Classification: I don't know
Product: kde
Version: unspecified
Platform: Arch Linux
OS: Linux
Status: REPORTED
Severity: normal
Priority: NOR
Component: general
Assignee: unassigned-bugs at kde.org
Reporter: knyffen at gmail.com
Target Milestone: ---
Created attachment 169570
--> https://bugs.kde.org/attachment.cgi?id=169570&action=edit
SteamVR running a command that was cut off
SUMMARY
GUI polkit authentication doesn't show long commands.
STEPS TO REPRODUCE
1. Run `pkexec echo 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa something malicious
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'`
OBSERVED RESULT
The authentication dialog only shows the beginning and end of the command. That
is "aaaaaaaaa... aaaaaaaa".
EXPECTED RESULT
The entire command to which you give root access is shown (possibly hidden under
"details"), such that you can check if it is malicious.
SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Arch Linux
KDE Plasma Version: 6.0.4
KDE Frameworks Version: 6.1.0
Qt Version: 6.7.0
ADDITIONAL INFORMATION
I don't know if it is even possible to hide something malicious in the middle
of a command, but it could potentially be an issue. As for any "real" examples
of this issue, I've attached a screenshot of the command run when I updated
SteamVR, which got cropped due to being too long.
--
You are receiving this mail because:
You are the assignee for the bug.
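
Added example (not part of the original report, and not polkit or KDE code): a Python sketch contrasting the middle-elided label described under OBSERVED RESULT with a lossless "details" rendering of the kind asked for under EXPECTED RESULT. The 40-character label width, the function names and the sample argv are assumptions constructed for illustration.

```python
import shlex

ELLIPSIS = "..."

def elide_middle(text, width):
    """Model a fixed-width label that keeps only the start and end.

    Returns (shown, hidden): what a reviewer sees and what was dropped.
    Assumed behaviour, modelled on the observed result in the report.
    """
    if width < len(ELLIPSIS):
        raise ValueError("width too small for an ellipsis")
    if len(text) <= width:
        return text, ""
    keep = width - len(ELLIPSIS)
    head, tail = (keep + 1) // 2, keep // 2
    end = len(text) - tail
    return text[:head] + ELLIPSIS + text[end:], text[head:end]

def details_view(argv, wrap=60):
    """Lossless rendering for a details pane.

    Each argument is shell-quoted so argument boundaries are unambiguous,
    non-printable characters (newlines, escape bytes, bidi controls) are
    shown as escapes, and long text is split into lines, never truncated.
    """
    quoted = " ".join(shlex.quote(arg) for arg in argv)
    visible = "".join(c if c.isprintable() else repr(c)[1:-1] for c in quoted)
    return [visible[i:i + wrap] for i in range(0, len(visible), wrap)]

# Constructed sample modelled on the reproduction step in the report.
SAMPLE_ARGV = ["echo", "a" * 32 + " something malicious " + "a" * 55]

if __name__ == "__main__":
    shown, hidden = elide_middle(" ".join(SAMPLE_ARGV), 40)
    print("label  :", shown)
    print("hidden :", len(hidden), "characters")
    print("details:")
    for line in details_view(SAMPLE_ARGV):
        print("  " + line)
```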