elvisangelaccio requested changes to this revision. elvisangelaccio added inline comments. This revision now requires changes to proceed.
INLINE COMMENTS

> kioexecd.cpp:65 > qCDebug(KIOEXEC) << "About to delete" << parentDir << "containing" > << info.fileName(); > - QFile::remove(it.key()); > - QDir().rmdir(parentDir); > + QDir(parentDir).removeRecursively(); > }

The problem with using `QDir::removeRecursively()` is that the folder we are going to delete recursively is an input from dbus. What happens if some malicious software calls `watch("~/dummy.txt")`? At the very least we need to check whether this folder starts with `QStandardPaths::writableLocation(QStandardPaths::CacheLocation) + QStringLiteral("/krun")` (the path used by `kioexec`).

REPOSITORY
R241 KIO

REVISION DETAIL
https://phabricator.kde.org/D15180

To: jtamate, #frameworks, broulik, ngraham, dfaure, elvisangelaccio
Cc: anthonyfieroni, elvisangelaccio, kde-frameworks-devel, michaelh, ngraham, bruns
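
Review bot: The added `QDir(parentDir).removeRecursively();` deletes whatever `parentDir` points at with no containment check anywhere in this hunk, whereas the removed `QFile::remove(it.key());` and `QDir().rmdir(parentDir);` pair could only take one file and a directory that was already empty. Before the call, resolve `parentDir` to its canonical form (for example with `QFileInfo::canonicalFilePath()`, so `..` segments and symlinks are collapsed) and confirm it lies under the kioexec cache directory on a path-separator boundary rather than by a bare string prefix; skip the entry and log it otherwise. The `bool` returned by `removeRecursively()` is also dropped, so a partial deletion goes unnoticed; report a failure through the `KIOEXEC` logging category already used two lines above.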