> On June 17, 2016, 1:36 a.m., David Faure wrote:
> > src/core/installation.cpp, line 379
> > <https://git.reviewboard.kde.org/r/128219/diff/1/?file=469097#file469097line379>
> >
> >     There are of course other values for targetDirectory which would create problems.
> >     - "//"
> >     - "./"
> >     - "../etc"
> >     - and so on
> >
> >     But this is a setting written by the app developer, not by the person uploading knewstuff data, so we can assume no malicious intention, right?
>
> Jeremy Whiting wrote:
>     Yes, only application developer. Or end user if they want to tweak the .knsrc files by hand to introduce a security vulnerability. Though if they wanted to do that there are much easier ways to do it.
Heh, the apidocs for KNS3::DownloadDialog about knsrc files say: "StandardResource: not available in KF5, use XdgTargetDir instead." Maybe we should remove all support for StandardResource=. Though some applications have StandardResource=tmp that I saw; are those all broken? Or where did the text in the apidocs come from? Git blame just says it's from before the split into separate git repos.

- Jeremy

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/128219/#review96621
-----------------------------------------------------------

On June 16, 2016, 7:55 p.m., Jeremy Whiting wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/128219/
> -----------------------------------------------------------
>
> (Updated June 16, 2016, 7:55 p.m.)
>
>
> Review request for KDE Frameworks, David Faure and Richard Moore.
>
>
> Repository: knewstuff
>
>
> Description
> -------
>
> When an application uses TargetDir=/ or StandardResource=data give a warning on the terminal and don't use the chosen location.
>
>
> Diffs
> -----
>
>   src/core/installation.cpp cbd0653
>
> Diff: https://git.reviewboard.kde.org/r/128219/diff/
>
>
> Testing
> -------
>
> No testing done yet, will write a unit test of some kind if this is the right direction.
>
>
> Thanks,
>
> Jeremy Whiting
>
>
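The review above only covers TargetDir=/ and StandardResource=data, while David lists "//", "./" and "../etc" as further values that would misbehave. The following is an added example, not code from knewstuff or from this review request: a hypothetical helper, resolveTargetDir(), that generalises the check to the whole class of bad values by joining the .knsrc value to a per-user base directory component by component and only accepting the result if it names a proper subdirectory of that base. It assumes (my assumption, not stated on the page) that a TargetDir value is meant to be relative to such a base directory, so absolute paths, empty or dot-only values, and any ".." component are all rejected. Standard C++ only, so it builds without Qt.

```cpp
#include <iostream>
#include <string>
#include <vector>

// Added example, not knewstuff code. Splits a POSIX-style path into its
// non-empty components, so "//a/./b/" becomes {"a", ".", "b"}.
static std::vector<std::string> splitPath(const std::string &path) {
    std::vector<std::string> parts;
    std::string current;
    for (char c : path) {
        if (c == '/') {
            if (!current.empty()) parts.push_back(current);
            current.clear();
        } else {
            current += c;
        }
    }
    if (!current.empty()) parts.push_back(current);
    return parts;
}

// Hypothetical check for a TargetDir value read from a .knsrc file.
// Assumption: `dir` is meant to be relative to `base` (a per-user directory).
// On success returns true and sets `resolved` to "<base>/<normalised dir>";
// on any of the problem cases from the review ("/", "//", "./", "../etc",
// empty, or an absolute path) returns false and leaves `resolved` empty.
bool resolveTargetDir(const std::string &base, const std::string &dir,
                      std::string &resolved) {
    resolved.clear();
    if (dir.empty() || dir[0] == '/')      // "", "/", "//", "/etc": rejected
        return false;

    const std::vector<std::string> baseParts = splitPath(base);
    std::vector<std::string> stack = baseParts;
    for (const std::string &part : splitPath(dir)) {
        if (part == ".")                   // "./" contributes nothing
            continue;
        if (part == "..")                  // never allow navigating upward,
            return false;                  // even if a later part re-enters base
        stack.push_back(part);
    }
    if (stack.size() <= baseParts.size())  // only dots given: would be base itself
        return false;

    for (const std::string &part : stack) resolved += "/" + part;
    return true;
}

// Stand-alone demonstration over the values discussed in the review.
int main() {
    const std::string base = "/home/user/.local/share/app"; // constructed sample
    const char *candidates[] = {"wallpapers", "themes/./dark", "/", "//",
                                "./", "../etc", "", "/etc"};
    for (const char *dir : candidates) {
        std::string resolved;
        const bool ok = resolveTargetDir(base, dir, resolved);
        std::cout << '"' << dir << "\" -> "
                  << (ok ? "install into " + resolved : "rejected") << '\n';
    }
    return 0;
}
```

The function rejects ".." outright rather than normalising it away, because a .knsrc value that has to climb out of the base directory is exactly the case the review is trying to refuse, and a lexical check cannot see through symlinks anyway; keeping the rule strict avoids that whole question.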
_______________________________________________
Kde-frameworks-devel mailing list
Kde-frameworks-devel@kde.org
https://mail.kde.org/mailman/listinfo/kde-frameworks-devel