[Development] QtCS2019 Notes from "Fuzzing Qt" BoF session
Oswald Buddenhagen
oswald.buddenhagen at gmx.de
Fri Nov 22 19:27:11 CET 2019
On Fri, Nov 22, 2019 at 04:19:21PM +0000, Kai Koehne wrote:
>Anyhow, QCommandLineParser processes command line arguments from the
>outside. These command line arguments might come from other tools,
>output ... so it should be really robust in handling these.
>
"from the outside" is not the qualifier - "untrusted" is. and any
application that passes on untrusted (not pre-validated) input to
another one is beyond hope.
>QTranslator: The API is unfortunate in that the default directory were
>translations are looked up is QDir::currentPath()...
>
uhm, that requires a more fundamental fix then - you certainly can see
how displaying arbitrary messages might be a security risk in itself,
irrespective of whether the .qm reader is safe or not.
More information about the Development
mailing list