QProcess has this ?undocumented? feature that when you do QProcess::start("bloblo") it will start bloblo from the current working directory (CWD) if it's there and it's not in PATH (at least on Linux).

To me this is rather surprising and it seems it's the same for everyone, since everyone I mention this to is surprised.

Unfortunately this has led to a relatively nasty issue in ktexteditor/kate that has been published today in
https://kde.org/info/security/advisory-20220131-1.txt

But we have those programming mistakes in lots of places (probably not as easily exploitable), so I would like to ask everyone to check as many apps as they can when they think that they are using Q/KProcess to make sure we call QStandardPaths::findExecutable before QProcess.

Some examples
https://invent.kde.org/sdk/lokalize/-/merge_requests/16/diffs
https://invent.kde.org/graphics/okular/-/merge_requests/550

Cheers,
  Albert

P.S: If you don't believe it, here's a test app
bloblo.pro https://ghostbin.com/GLUZJ
main.cpp https://ghostbin.com/qB3Sx
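
One way to run the check requested above over a source tree, as an added example that is not part of the original message or of any KDE tool: a heuristic Python scan for Q/KProcess calls whose program is a bare string literal instead of a path resolved with QStandardPaths::findExecutable. The regex, the audit() function and the sample source are constructed for illustration, and unrelated start() methods that take a string literal will show up as false positives.

```python
import re

# Methods that take the program name as their first argument. KProcess is a
# QProcess subclass, so the same method names cover both classes.
CALL = re.compile(
    r'\b(startDetached|start|execute|setProgram)\s*\(\s*'
    r'(?:QStringLiteral|QLatin1String|QString)?\s*\(?\s*"([^"]*)"'
)

def audit(source):
    """Return (line, method, program) for calls given a bare program name.

    A literal without '/' is what may end up being run from the current
    working directory; a literal with a path, or a variable (for example the
    result of QStandardPaths::findExecutable), is not reported.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("//", 1)[0]          # crude: drop trailing comments
        for m in CALL.finditer(code):
            words = m.group(2).split()         # "cmd arg" style: first word
            if words and "/" not in words[0]:
                findings.append((lineno, m.group(1), words[0]))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = '''\
QProcess p;
p.start("bloblo");
p.start(QStringLiteral("msgfmt"), args);
QProcess::startDetached("/usr/bin/xdg-open", {url});
const QString exe = QStandardPaths::findExecutable(QStringLiteral("gpg"));
if (!exe.isEmpty()) p.start(exe, args);
// p.execute("commented-out");
'''

if __name__ == "__main__":
    for lineno, method, program in audit(SAMPLE):
        print(f"line {lineno}: {method}() with bare name {program!r}")
```

Each reported call site still needs a manual look to confirm it is a Q/KProcess and to add the findExecutable lookup plus an empty-result check.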