List: kde-devel
Subject: Re: Please check your QProcess/KProcess invokations
From: Thiago Macieira <thiago () kde ! org>
Date: 2022-01-31 17:05:10
Message-ID: 6184029.KzLFCHuWmo () tjmaciei-mobl5
On Monday, 31 January 2022 08:46:19 PST Albert Astals Cid wrote:
> QProcess has this "undocumented" feature that when you do
> QProcess::start("bloblo") it will start bloblo from the current working
> directory (CWD) if it's there and it's not in PATH (at least on Linux)

That's a bug.

> But we have those programming mistakes in lots of places (probably not as
> easily exploitable), so I would like to ask everyone to check as many apps
> as they can when they think that they are using Q/KProcess to make sure we
> call QStandardPaths::findExecutable before QProcess.

Make sure you're not making the same mistake we are:

qprocess_unix.cpp's resolveExecutable:

    if (!program.contains(QLatin1Char('/'))) {
        QString exeFilePath = QStandardPaths::findExecutable(program);
        if (!exeFilePath.isEmpty())
            return exeFilePath;
    }
    return program;

The issue is handling findExecutable() not finding anything. Instead of
refusing to run, we return program; which is the name that you had passed, and
that goes straight into execve().
--
Thiago Macieira - thiago (AT) macieira.info - thiago (AT) kde.org
Software Architect - Intel DPG Cloud Engineering
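
Added example, not part of the original message and not Qt's code: the fall-through described above next to a variant that refuses to run when the PATH lookup finds nothing. The names findInPath, resolveLenient and resolveStrict are hypothetical, and findInPath is a plain POSIX stand-in for QStandardPaths::findExecutable.

```cpp
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Stand-in for QStandardPaths::findExecutable: search only pathEnv, "" if absent.
std::string findInPath(const std::string &program, const std::string &pathEnv) {
    std::istringstream dirs(pathEnv);
    std::string dir;
    while (std::getline(dirs, dir, ':')) {
        if (dir.empty() || dir[0] != '/')
            continue;  // this example's choice: skip entries that mean the CWD
        std::string candidate = dir + "/" + program;
        struct stat st;
        if (stat(candidate.c_str(), &st) == 0 && S_ISREG(st.st_mode) &&
            access(candidate.c_str(), X_OK) == 0)
            return candidate;
    }
    return std::string();
}

// Same shape as the snippet in the message: falls back to the bare name.
std::string resolveLenient(const std::string &program, const std::string &pathEnv) {
    if (program.find('/') == std::string::npos) {
        std::string found = findInPath(program, pathEnv);
        if (!found.empty())
            return found;
    }
    return program;  // execve() resolves a bare name against the CWD
}

// Strict variant: a bare name missing from PATH yields "", so nothing is exec'd.
std::string resolveStrict(const std::string &program, const std::string &pathEnv) {
    if (program.find('/') != std::string::npos)
        return program;  // caller supplied an explicit path
    return findInPath(program, pathEnv);
}

int main() {
    const char *env = std::getenv("PATH");
    std::string exe = resolveStrict("bloblo", env ? env : "");
    if (exe.empty()) {
        std::cerr << "bloblo: not in PATH, refusing to run\n";
        return 1;
    }
    std::cout << exe << "\n";
    return 0;
}
```
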