[Development] How is Quick Controls 2 deployment meant to be?

Massimo Callegari massimocallegari at yahoo.it
Sat Jul 8 20:00:23 CEST 2017



On Sat, Jul 08, 2017 at 11:24:56AM +0000, Massimo Callegari via Development wrote:

>> 2) Security? There is none. If you deploy an application using a TextField control with
>> echoMode: TextInput.Password, one can easily add some trivial JavaScript code to the
>> comfortably reachable QtQuick/Controls.2/TextField.qml file and somehow display/log a
>> password.  In general, an end user can seriously mess up an application by changing a few
>> text files.  I'm also wondering how Linux distributions can accept this. In my KDE Neon
>> distro I've got /usr/lib/x86_64-linux-gnu/qt5/qml/ full of QML files that I can edit and
>> compromise my system.

> I'll not argue about the others, but this here is nonsense. Anyone who can edit
> /lib normally can also edit /etc etc. 


I disagree. The nonsense, instead, is comparing configuration files with source files.
Config files are usually parsed by an application, which (hopefully) filters malicious intentions.
QML files, instead, are executed by the application no matter what.
As long as "edited" QML files have a correct syntax, the QML engine executes them.

Massimo


