On Sat, Jul 08, 2017 at 11:24:56AM +0000, Massimo Callegari via Development wrote:

>> 2) Security? There is none.  If you deploy an application using a TextField control with
>> echoMode: TextInput.Password, one can easily add some trivial JavaScript code to the
>> comfortably reachable QtQuick/Controls.2/TextField.qml file and somehow display/log a
>> password.  In general, an end user can seriously mess up an application by changing a few
>> text files.  I'm also wondering how Linux distributions can accept this. In my KDE Neon
>> distro I've got /usr/lib/x86_64-linux-gnu/qt5/qml/ full of QML files that I can edit and
>> compromise my system.

> I'll not argue about the others, but this here is nonsense. Anyone who can edit
> /lib normally can also edit /etc etc.


I disagree. The nonsense, instead, is comparing configuration files with source files.
Config files are usually parsed by an application, which (hopefully) filters malicious intentions.
QML files, instead, are executed by the application no matter what.
As long as "edited" QML files have a correct syntax, the QML engine executes them.

Massimo
_______________________________________________
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development