[Development] How is Quick Controls 2 deployment meant to be ?

Konstantin Tokarev annulen at yandex.ru
Sat Jul 8 20:37:05 CEST 2017



08.07.2017, 21:01, "Massimo Callegari via Development" <development at qt-project.org>:
> On Sat, Jul 08, 2017 at 11:24:56AM +0000, Massimo Callegari via Development wrote:
>
>>>  2) Security ? There is none. If you deploy an application using a TextField control with
>>>  echoMode: TextInput.Password, one can easily add some trivial JavaScript code to the
>>>  comfortably reachable QtQuick/Controls.2/TextField.qml file and somehow display/log a
>>>  password. In general, an end user can seriously mess up an application by changing a few
>>>  text files. I'm also wondering how Linux distributions can accept this. In my KDE Neon
>>>  distro I've got /usr/lib/x86_64-linux-gnu/qt5/qml/ full of QML files that I can edit and
>>>  compromise my system.
>
>>  I'll not argue about the others, but this here is nonsense. Anyone who can edit
>>  /lib normally can also edit /etc etc.
>
> I disagree. The nonsense, instead, is comparing configuration files with source files.
> Config files are usually parsed by an application, which (hopefully) filters malicious intentions.
> QML files instead, are executed by the application no matter what.
> As long as "edited" QML files have a correct syntax, the QML engine executes them.

Exactly the same situation exists with binary plugins of Qt. Anyone with write access to the plugins
directory can put malicious code in a plugin and it will be executed by Qt.

>
> Massimo
> _______________________________________________
> Development mailing list
> Development at qt-project.org
> http://lists.qt-project.org/mailman/listinfo/development

-- 
Regards,
Konstantin
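A deploy-time integrity check in the spirit of this exchange, added here as an example and not code from Qt or from anyone in the thread: it records SHA-256 digests of the QML/JS files and plugin libraries under a deployment root (the `qml/` and `plugins/` layout and the `LOADED_SUFFIXES` list are assumptions) and reports files that were modified, removed, added, or left writable by other users, so an edited `TextField.qml` or a swapped plugin is flagged before the engine loads it.

```python
# Added example: manifest-based integrity check for a deployed Qt tree.
# Both QML sources and binary plugins are executed as-is by Qt, so both
# are hashed and re-verified before launch. Not Qt project code.
import hashlib
import os
import stat

# Extensions the QML engine / plugin loader executes (assumed list).
LOADED_SUFFIXES = (".qml", ".js", ".qmlc", ".jsc", ".so", ".dll", ".dylib")


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each loadable file (relative, '/'-separated) under root to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(LOADED_SUFFIXES):
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = _sha256(full)
    return manifest


def verify_manifest(root, manifest):
    """Return sorted (status, relpath) findings; an empty list means clean."""
    findings = []
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            findings.append(("missing", rel))        # expected file removed
        elif current[rel] != digest:
            findings.append(("modified", rel))       # e.g. JS added to a .qml
    for rel in current:
        if rel not in manifest:
            findings.append(("unexpected", rel))     # file not in the install
        # Group/other write bits let non-installer users rewrite the file.
        mode = os.stat(os.path.join(root, rel)).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(("world-writable", rel))
    return sorted(findings)
```

Generate the manifest once from the trusted install and keep it outside the deployment tree (or sign it); a manifest that sits next to the files it covers can be edited along with them.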
