
List:       kde-devel
Subject:    Re: Please check your QProcess/KProcess invokations
From:       Thiago Macieira <thiago () kde ! org>
Date:       2022-01-31 17:05:10
Message-ID: 6184029.KzLFCHuWmo () tjmaciei-mobl5

On Monday, 31 January 2022 08:46:19 PST Albert Astals Cid wrote:
> QProcess has this ?undocumented? feature that when you do
> QProcess::start("bloblo") it will start bloblo from the current working
> directory (CWD) if it's there and it's not in PATH (at least on Linux)

That's a bug.

> But we have those programming mistakes in lots of places (probably not as
> easily exploitable), so I would like to ask everyone to check as many apps
> as they can when they think that they are using Q/KProcess to make sure we
> call QStandardPaths::findExecutable before QProcess.

Make sure you're not making the same mistake we are:

qprocess_unix.cpp's resolveExecutable:

    if (!program.contains(QLatin1Char('/'))) {
        QString exeFilePath = QStandardPaths::findExecutable(program);
        if (!exeFilePath.isEmpty())
            return exeFilePath;
    }
    return program;

The issue is handling findExecutable() not finding anything. Instead of 
refusing to run, we return program; which is the name that you had passed, and 
that goes straight into execve().

-- 
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
   Software Architect - Intel DPG Cloud Engineering
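
The fall-through described in the message above, next to a variant that refuses to run. This is an added example, not code from the post or from Qt: it is plain C++17 on POSIX without Qt, and findInPath, resolveFallThrough, resolveStrict and the sample PATH value are hypothetical names and constructed input.

```cpp
// Added example: stand-alone C++17/POSIX, no Qt. All function names are hypothetical.
#include <sys/stat.h>
#include <unistd.h>
#include <iostream>
#include <optional>
#include <sstream>
#include <string>

// Look for an executable regular file `name` in the absolute directories of a
// PATH-style string. Empty and relative entries are skipped: they mean the CWD.
std::optional<std::string> findInPath(const std::string &name, const std::string &pathEnv)
{
    std::istringstream dirs(pathEnv);
    std::string dir;
    while (std::getline(dirs, dir, ':')) {
        if (dir.empty() || dir.front() != '/')
            continue;
        const std::string candidate = dir + "/" + name;
        struct stat st;
        if (stat(candidate.c_str(), &st) == 0 && S_ISREG(st.st_mode) && access(candidate.c_str(), X_OK) == 0)
            return candidate;
    }
    return std::nullopt;
}

// Same shape as the snippet quoted from qprocess_unix.cpp: a failed lookup
// falls through and the bare name is returned, to be handed to execve().
std::string resolveFallThrough(const std::string &program, const std::string &pathEnv)
{
    if (program.find('/') == std::string::npos)
        if (auto found = findInPath(program, pathEnv))
            return *found;
    return program;
}

// Strict variant: a bare name that is not found yields no path at all, so the
// caller has nothing to pass to execve() and has to report an error instead.
std::optional<std::string> resolveStrict(const std::string &program, const std::string &pathEnv)
{
    if (program.find('/') != std::string::npos)
        return program; // the caller asked for an explicit path
    return findInPath(program, pathEnv);
}

int main()
{
    std::cout << resolveFallThrough("bloblo", "/usr/bin:/bin") << " vs "
              << resolveStrict("bloblo", "/usr/bin:/bin").value_or("<refused>") << '\n';
}
```

A name without a slash that reaches execve() is looked up relative to the current working directory, which is why the first variant returns something dangerous and the second returns nothing.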