croick added a comment.
In D11236#239055 <https://phabricator.kde.org/D11236#239055>, @sitter wrote:

> Maybe I am missing something here but wouldn't this allow any application to get ptrace access?
>
> e.g. if a malicious program watches /tmp/kcrash_*, then writes its own pid to a new socket before kcrash writes the debugger's... now the malicious program has ptrace access.

That's a valid point. In the updated revision the peer PID is checked and must match the one of DrKonqi, before `prctl` is called.

> I also think *printf isn't safe to call in a signal handler. Not sure about atoi.

`atoi` seems to be safe, `(f)printf` isn't indeed. Nevertheless it's used in the existing code already. Maybe that should be addressed in a different patch?

Thank you for your remarks!

REPOSITORY
  R285 KCrash

REVISION DETAIL
  https://phabricator.kde.org/D11236

To: croick, #frameworks
Cc: sitter, michaelh, ngraham
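
The peer-PID check mentioned in the comment above, sketched as an added example (not code from the KCrash patch): the PID is read from the kernel rather than trusted from data written to the socket, and `prctl` is only reached when it matches. It assumes Linux, a Unix-domain socket and `SO_PEERCRED` as the way to learn the peer's PID; `peer_pid_is`, `allow_debugger` and `demo` are hypothetical names.

```c
#define _GNU_SOURCE              /* expose SO_PEERCRED under strict -std modes */
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Same layout as Linux's struct ucred, declared locally so the example
 * does not depend on the C library exposing that type. */
struct peer_cred { pid_t pid; uid_t uid; gid_t gid; };

/* Returns 1 if the kernel-reported peer of `fd` is `expected`, 0 if it is
 * some other process, -1 if the credentials cannot be read. */
int peer_pid_is(int fd, pid_t expected)
{
    struct peer_cred cred;
    socklen_t len = sizeof cred;

    if (getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) != 0 ||
        len != sizeof cred)
        return -1;
    return cred.pid == expected;
}

/* Grant ptrace access only to the verified peer. Returns 0 on success,
 * -1 if the peer is not the expected debugger or prctl fails. */
int allow_debugger(int fd, pid_t debugger_pid)
{
    if (peer_pid_is(fd, debugger_pid) != 1)
        return -1;               /* fail closed: no prctl for unknown peers */
    return prctl(PR_SET_PTRACER, (unsigned long)debugger_pid, 0, 0, 0) == 0
               ? 0 : -1;
}

/* Constructed check: both ends of a socketpair carry the creating
 * process's credentials, so the reported peer PID is our own. */
int demo(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    int own = peer_pid_is(sv[0], getpid());
    int other = peer_pid_is(sv[0], getpid() + 1);
    int refused = allow_debugger(sv[0], getpid() + 1);
    close(sv[0]);
    close(sv[1]);
    return own == 1 && other == 0 && refused == -1;
}
```

Neither function formats or prints anything, and `getsockopt` is on the POSIX async-signal-safe list, which matters because this check would run inside the crash handler.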