[Development] How is Quick Controls 2 deployment meant to be ?

Massimo Callegari massimocallegari at yahoo.it
Sat Jul 8 21:16:33 CEST 2017


@André

> Like a text editor that is used to edit /etc/passwd or /etc/group will "filter" malicious intentions when saving the file?


How you edit the files is irrelevant. /etc/passwd is interpreted by openssl. That is relevant. You clearly didn't get the point.

> And if I 'edit' /bin/ls to do the equivalent of 'rm -rf /' it will happily do that.

That's another story. You were comparing the content of /etc with QML files in /lib, and I replied to that.

> The fact that something is a 'text' file does not make it different, permissions make a difference.

True, but this discussion moved specifically to Linux, while what I mentioned in the first place was Windows, which is sadly still the most used platform in the world.

@Konstantin

> Exactly the same situation exists with binary plugins of Qt. Anyone with write access to plugins directory can put malicious code in plugin and it will be executed by Qt.

As if writing a shared library is the same thing as editing a text file with minimal JSON/JavaScript knowledge...


________________________________
From: André Pönitz <apoenitz at t-online.de>
To: Massimo Callegari <massimocallegari at yahoo.it>
Cc: Qt Development ML <development at qt-project.org>
Sent: Saturday, 8 July 2017 20:22
Subject: Re: [Development] How is Quick Controls 2 deployment meant to be ?


On Sat, Jul 08, 2017 at 06:00:23PM +0000, Massimo Callegari wrote:
> 
> 
> On Sat, Jul 08, 2017 at 11:24:56AM +0000, Massimo Callegari via Development wrote:
> 
> >> 2) Security ? There is none.  If you deploy an application using a TextField control with
> >> echoMode: TextInput.Password, one can easily add some trivial JavaScript code to the
> >> comfortably reachable QtQuick/Controls.2/TextField.qml file and somehow display/log a
> >> password.  In general, an end user can seriously mess up an application by changing a few
> >> text files.  I'm also wondering how Linux distributions can accept this. In my KDE Neon
> >> distro I've got /usr/lib/x86_64-linux-gnu/qt5/qml/ full of QML files that I can edit and
> >> compromise my system.
> 
> > I'll not argue about the others, but this here is nonsense. Anyone who can edit
> > /lib normally can also edit /etc etc. 
> 
> 
> I disagree. The nonsense, instead, is comparing configuration files with source files.
> Config files are usually parsed by an application, which (hopefully) filters malicious intentions.

Like a text editor that is used to edit /etc/passwd or /etc/group will
"filter" malicious intentions when saving the file?


> QML files instead, are executed by the application no matter what.
> As long as "edited" QML files have a correct syntax, the QML engine executes them.

And if I 'edit' /bin/ls to do the equivalent of 'rm -rf /' it will happily
do that.

The fact that something is a 'text' file does not make it different,
permissions make a difference.

Andre'
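
The thread turns on whether file permissions protect the QML files an application loads. The following is an added example, not code from the thread or from Qt: a POSIX-only audit that walks a QML import directory and reports files or directories a non-trusted account could modify. The function name, the set of file names checked and the default trusted uid are assumptions made for this example.

```python
import os
import stat
import sys

# Assumption for this example: these are the files the QML engine loads.
QML_SUFFIXES = (".qml", ".js")


def audit_qml_tree(root, trusted_uids=(0,)):
    """Return (path, reason) pairs for QML files and their directories
    that an account outside trusted_uids could modify or replace."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # A writable directory lets someone swap a file even if the file
        # itself is read-only, so directories are checked as well.
        targets = [dirpath] + [
            os.path.join(dirpath, name)
            for name in sorted(files)
            if name.endswith(QML_SUFFIXES) or name == "qmldir"
        ]
        for path in targets:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlink targets are not followed in this example
            if st.st_uid not in trusted_uids:
                findings.append((path, "owner uid %d not trusted" % st.st_uid))
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
            elif st.st_mode & stat.S_IWGRP:
                findings.append((path, "group-writable"))
    return findings


if __name__ == "__main__":
    # Default is the distribution path quoted in the thread.
    default_root = "/usr/lib/x86_64-linux-gnu/qt5/qml"
    root = sys.argv[1] if len(sys.argv) > 1 else default_root
    for path, reason in audit_qml_tree(root):
        print("%s: %s" % (path, reason))
```

For an application deployed into a user-owned directory, pass that user's uid in `trusted_uids` to see only the group and world write bits.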


