[Development] How is Quick Controls 2 deployment meant to be?
André Pönitz
apoenitz at t-online.de
Sat Jul 8 19:24:46 CEST 2017
On Sat, Jul 08, 2017 at 06:00:23PM +0000, Massimo Callegari wrote:
>
> On Sat, Jul 08, 2017 at 11:24:56AM +0000, Massimo Callegari via Development wrote:
>
> > > 2) Security? There is none. If you deploy an application using a TextField control with
> > > echoMode: TextInput.Password, one can easily add some trivial JavaScript code to the
> > > comfortably reachable QtQuick/Controls.2/TextField.qml file and somehow display/log a
> > > password. In general, an end user can seriously mess up an application by changing a few
> > > text files. I'm also wondering how Linux distributions can accept this. In my KDE Neon
> > > distro I've got /usr/lib/x86_64-linux-gnu/qt5/qml/ full of QML files that I can edit and
> > > compromise my system.
>
> > I'll not argue about the others, but this here is nonsense. Anyone who can edit
> > /lib normally can also edit /etc etc.
>
> I disagree. The nonsense, instead, is comparing configuration files with source files.
> Config files are usually parsed by an application, which (hopefully) filters malicious intentions.
Like a text editor that is used to edit /etc/passwd or /etc/group will
"filter" malicious intentions when saving the file?
> QML files instead, are executed by the application no matter what.
> As long as "edited" QML files have a correct syntax, the QML engine executes them.
And if I 'edit' /bin/ls to do the equivalent of 'rm -rf /' it will happily
do that.
The fact that something is a 'text' file does not make it different;
permissions make a difference.
Andre'
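The point being argued above, that what protects QML files is the same thing that protects /etc/passwd or /bin/ls, namely who is allowed to write them, can be checked directly. The script below is an added example, not code from the thread, from Qt or from KDE Neon: it applies one permission test to the QML directory quoted in the thread and to the reference files André names, lists any entry under a QML tree that group or others may write, and, where dpkg or rpm is present, asks the package manager whether the installed files still match what the distribution shipped. The function names and the sample TextField.qml used in the test are assumptions; the QML path is the one from the message. It relies on GNU or BusyBox `stat -c` and `find -perm /MODE`.

```shell
#!/bin/sh
# Added example, not code from the thread or from Qt: a permission audit that
# applies the same test to an installed QML tree and to the system files
# named in the discussion. The QML path is the one quoted in the thread;
# the function names are assumptions for this illustration.
# Requires GNU/BusyBox stat and find (stat -c, find -perm /MODE).

# Return 0 if the file or directory at $1 carries a write bit for its group
# or for others, i.e. accounts other than the owner (and root) may modify it.
writable_by_non_owner() {
    mode=$(stat -c '%a' "$1") || return 2
    # Keep the last three octal digits; setuid/setgid/sticky add a fourth.
    perm=$(printf '%s' "$mode" | tail -c 3)
    group=$(printf '%s' "$perm" | cut -c2)
    other=$(printf '%s' "$perm" | cut -c3)
    # The write bit is octal 2; digits 2, 3, 6 and 7 have it set.
    case "$group$other" in
        *[2367]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# List every entry under directory $1 that group or others may write.
# For a QML tree such a hit means exactly what it would mean for /bin:
# an unprivileged account can change what the application executes.
find_non_owner_writable() {
    find "$1" -perm /022 -print
}

# Print "mode owner path" for each argument plus the reference files from
# the thread, flagging anything writable by a non-owner, and list writable
# entries inside any directory given.
audit_paths() {
    for p in "$@" /etc/passwd /etc/group /bin/ls; do
        [ -e "$p" ] || { printf 'missing: %s\n' "$p"; continue; }
        if writable_by_non_owner "$p"; then
            printf 'WRITABLE BY NON-OWNER: '
        else
            printf 'ok:                    '
        fi
        stat -c '%a %U %n' "$p"
        if [ -d "$p" ]; then
            find_non_owner_writable "$p" | sed 's/^/  writable entry: /'
        fi
    done
}

# On a distribution the package manager can also tell an edited QML file
# from the shipped one, the same way it would for a modified /bin/ls.
# Uses dpkg -S / dpkg --verify or rpm -Vf, whichever exists.
verify_owning_package() {
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$1" 2>/dev/null | head -n1 | cut -d: -f1)
        [ -n "$pkg" ] || return 1
        dpkg --verify "$pkg"
    elif command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$1"
    else
        return 1
    fi
}

# Usage: sh qml-perms.sh /usr/lib/x86_64-linux-gnu/qt5/qml
if [ "$#" -gt 0 ]; then
    audit_paths "$@"
    for p in "$@"; do verify_owning_package "$p" || true; done
fi
```

On a stock installation the QML directory, /etc/passwd and /bin/ls all report as root-owned with no group or other write bit, which is the whole of André's argument in one listing: an attacker who can rewrite TextField.qml is one who can already rewrite the password database or the shell utilities. A hit from find_non_owner_writable, or a `5` in the mode column from dpkg --verify, is a misconfigured or tampered system, not a property of QML.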