> On June 17, 2016, 7:36 a.m., David Faure wrote:
> > src/core/installation.cpp, line 379
> > <https://git.reviewboard.kde.org/r/128219/diff/1/?file=469097#file469097line379>
> >
> >     There are of course other values for targetDirectory which would create problems.
> >     - "//"
> >     - "./"
> >     - "../etc"
> >     - and so on
> >
> >     But this is a setting written by the app developer, not by the person uploading knewstuff data, so we can assume no malicious intention, right?
> 
> Jeremy Whiting wrote:
>     Yes, only application developer. Or end user if they want to tweak the .knsrc files by hand to introduce a security vulnerability. Though if they wanted to do that there are much easier ways to do it.
> 
> Jeremy Whiting wrote:
>     Heh, the apidocs for KNS3::DownloadDialog about knsrc files say:
>     "StandardResource: not available in KF5, use XdgTargetDir instead."
>     Maybe we should remove all support for StandardResource=. Though some applications have StandardResource=tmp that I saw; are those all broken? Or where did the text in the apidocs come from? Git blame just says it's from before the split into separate git repos.
> 
> David Faure wrote:
>     That was me in d46bdbf, actually.
>     
>     Later on Marco restored some support for StandardResource in 3c9aace.
>     
>     I suppose there's no harm in keeping StandardResource == "tmp" or "config", for compatibility. Or "data" with a subdir...
Ping? Can you update the patch?

Maybe remove support for StandardResource="data" altogether, if it's not used (from what we can see) and too dangerous to make sure it's always used right (targetDirectory="./" would reintroduce the issue).

(BTW I updated the lxr software, and now https://lxr.kde.org/search?_filestring=.knsrc&_string=StandardResource&_casesensitive=1 is much easier to read)


- David


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://git.reviewboard.kde.org/r/128219/#review96621
-----------------------------------------------------------


On June 17, 2016, 1:55 a.m., Jeremy Whiting wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://git.reviewboard.kde.org/r/128219/
> -----------------------------------------------------------
> 
> (Updated June 17, 2016, 1:55 a.m.)
> 
> 
> Review request for KDE Frameworks, David Faure and Richard Moore.
> 
> 
> Repository: knewstuff
> 
> 
> Description
> -------
> 
> When an application uses TargetDir=/ or StandardResource=data give a warning on the terminal and don't use the chosen location.
> 
> 
> Diffs
> -----
> 
>   src/core/installation.cpp cbd0653 
> 
> Diff: https://git.reviewboard.kde.org/r/128219/diff/
> 
> 
> Testing
> -------
> 
> No testing done yet, will write a unit test of some kind if this is the right direction.
> 
> 
> Thanks,
> 
> Jeremy Whiting
> 
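The targetDirectory values discussed in the thread above ("/", "//", "./", "../etc") can all be caught by one lexical check of the configured subdirectory rather than by special-casing TargetDir=/ alone. The following stand-alone C++ sketch is an added example, not code from the patch under review or from knewstuff itself: the names checkTargetDirectory, resolveInstallDir and TargetCheck are hypothetical, and it assumes the setting is meant as a subdirectory relative to a base directory the application chose (the XdgTargetDir case), so an absolute path, an empty result, or a path that climbs out of the base is rejected instead of silently installing into the base directory or the filesystem root.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Outcome of validating a knsrc-style target directory setting.
// (Example code; the enum and function names are hypothetical, not knewstuff API.)
enum class TargetCheck { Ok, Empty, Absolute, Escapes };

// Split a relative path on '/' and normalize it lexically:
// empty segments and "." are dropped, ".." pops the previous segment.
// Returns false if ".." would climb above the starting directory.
static bool normalizeRelative(const std::string& in, std::vector<std::string>& out)
{
    out.clear();
    std::istringstream ss(in);
    std::string seg;
    while (std::getline(ss, seg, '/')) {
        if (seg.empty() || seg == ".") {
            continue;              // "a//b" and "a/./b" both mean "a/b"
        }
        if (seg == "..") {
            if (out.empty()) {
                return false;      // "../etc" escapes the base directory
            }
            out.pop_back();
            continue;
        }
        out.push_back(seg);
    }
    return true;
}

// Classify the configured setting. Assumption (not from the page): the setting
// is a subdirectory relative to an application-chosen base, so "/" and "//"
// (absolute), "./", "" and "a/.." (empty after normalization) and "../etc"
// (escaping) are all rejected.
TargetCheck checkTargetDirectory(const std::string& targetDirectory)
{
    if (!targetDirectory.empty() && targetDirectory[0] == '/') {
        return TargetCheck::Absolute;
    }
    std::vector<std::string> parts;
    if (!normalizeRelative(targetDirectory, parts)) {
        return TargetCheck::Escapes;
    }
    if (parts.empty()) {
        return TargetCheck::Empty;
    }
    return TargetCheck::Ok;
}

// Join the base directory and the normalized setting; returns "" when the
// setting was rejected so the caller cannot accidentally fall back to the base.
std::string resolveInstallDir(const std::string& base, const std::string& targetDirectory)
{
    if (checkTargetDirectory(targetDirectory) != TargetCheck::Ok) {
        return "";
    }
    std::vector<std::string> parts;
    normalizeRelative(targetDirectory, parts);
    std::string result = base;
    while (!result.empty() && result.back() == '/') {
        result.pop_back();         // tolerate a trailing slash on the base
    }
    for (const std::string& p : parts) {
        result += '/' + p;
    }
    return result;
}

int main()
{
    // Constructed sample settings, including the ones named in the review thread.
    const char* samples[] = { "/", "//", "./", "../etc", "", "emoticons", "a/../b", "a/.." };
    for (const char* s : samples) {
        const std::string dir = resolveInstallDir("/home/user/.local/share", s);
        std::cout << '"' << s << "\" -> " << (dir.empty() ? "rejected" : dir) << '\n';
    }
    return 0;
}
```

The check is purely lexical: it never touches the filesystem, so it is safe to run at knsrc load time and reports the bad setting before anything is downloaded. It does not resolve symlinks, so a base directory that itself contains a symlink can still point elsewhere; an implementation that needs that guarantee would canonicalize the joined path and re-check that it stays under the canonicalized base.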