[Development] QtCS2019 Notes from "Fuzzing Qt" BoF session

Oswald Buddenhagen oswald.buddenhagen at gmx.de
Fri Nov 22 19:27:11 CET 2019


On Fri, Nov 22, 2019 at 04:19:21PM +0000, Kai Koehne wrote:
>Anyhow, QCommandLineParser processes command line arguments from the 
>outside. These command line arguments might come from other tools, 
>output ... so it should be really robust in handling these.
>
"from the outside" is not the qualifier - "untrusted" is. and any 
application that passes on untrusted (not pre-validated) input to 
another one is beyond hope.

>QTranslator: The API is unfortunate in that the default directory were 
>translations are looked up is QDir::currentPath()...
>
uhm, that requires a more fundamental fix then - you certainly can see 
how displaying arbitrary messages might be a security risk in itself, 
irrespective of whether the .qm reader is safe or not.


More information about the Development mailing list