On Monday, 31 January 2022 08:46:19 PST Albert Astals Cid wrote:
> QProcess has this "undocumented" feature that when you do
> QProcess::start("bloblo") it will start bloblo from the current working
> directory (CWD) if it's there and it's not in PATH (at least on Linux)

That's a bug.

> But we have those programming mistakes in lots of places (probably not as
> easily exploitable), so I would like to ask everyone to check as many apps
> as they can when they think that they are using Q/KProcess to make sure we
> call QStandardPaths::findExecutable before QProcess.

Make sure you're not making the same mistake we are: qprocess_unix.cpp's
resolveExecutable:

    if (!program.contains(QLatin1Char('/'))) {
        QString exeFilePath = QStandardPaths::findExecutable(program);
        if (!exeFilePath.isEmpty())
            return exeFilePath;
    }
    return program;

The issue is handling findExecutable() not finding anything. Instead of
refusing to run, we return program; which is the name that you had passed, and
that goes straight into execve().

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
   Software Architect - Intel DPG Cloud Engineering
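
The fall-through described in this message, next to a variant that refuses to run when the lookup fails. This is an added example in plain C++17 and POSIX, not Qt's code and not part of the original post. The names findInPath, resolveFallthrough, resolveStrict and enterDemoDir are hypothetical, and skipping relative PATH entries is a choice made for this example.

```cpp
#include <cstdlib>
#include <fcntl.h>
#include <optional>
#include <sstream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Hypothetical stand-in for QStandardPaths::findExecutable(): searches only absolute
// PATH entries; empty or relative entries mean the CWD and are skipped (example's choice).
std::optional<std::string> findInPath(const std::string &program, const std::string &pathEnv)
{
    std::istringstream dirs(pathEnv);
    for (std::string dir; std::getline(dirs, dir, ':');) {
        const std::string candidate = dir + "/" + program;
        struct stat st;
        if (!dir.empty() && dir[0] == '/' && stat(candidate.c_str(), &st) == 0
            && S_ISREG(st.st_mode) && access(candidate.c_str(), X_OK) == 0)
            return candidate;
    }
    return std::nullopt;
}

// Same shape as the snippet in the message: a failed lookup falls through.
std::string resolveFallthrough(const std::string &program, const std::string &pathEnv)
{
    if (program.find('/') == std::string::npos)
        if (auto found = findInPath(program, pathEnv))
            return *found;
    return program; // bare name reaches execve(), which resolves it against the CWD
}

// Strict variant: a bare name that is not found in PATH is refused (nullopt).
std::optional<std::string> resolveStrict(const std::string &program, const std::string &pathEnv)
{
    if (program.find('/') != std::string::npos)
        return program; // caller supplied an explicit path
    return findInPath(program, pathEnv);
}

// Constructed sample: a temp directory holding an executable "bloblo", made the CWD.
std::string enterDemoDir()
{
    char tmpl[] = "/tmp/qprocess-demo-XXXXXX";
    const char *dir = mkdtemp(tmpl);
    const int fd = (dir && chdir(dir) == 0) ? open("bloblo", O_CREAT | O_WRONLY, 0755) : -1;
    return (fd >= 0 && close(fd) == 0) ? std::string(dir) : std::string();
}
```

A caller of the strict variant treats an empty result as a start failure and never passes the bare name on to execve().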