On Sat, Jul 08, 2017 at 06:00:23PM +0000, Massimo Callegari wrote: > > > On Sat, Jul 08, 2017 at 11:24:56AM +0000, Massimo Callegari via Development > wrote: > > >> 2) Security ? There is none. If you deploy an application using a > >> TextField control with > >> echoMode: TextInput.Password, one can easily add some trivial JavaScript > >> code to the > >> comfortably reachable QtQuick/Controls.2/TextField.qml file and somehow > >> display/log a > >> password. In general, an end user can seriously mess up an application by > >> changing a few > >> text files. I'm also wondering how Linux distributions can accept this. > >> In my KDE Neon > >> distro I've got /usr/lib/x86_64-linux-gnu/qt5/qml/ full of QML files that > >> I can edit and > >> compromise my system. > > > I'll not argue about the others, but this here is nonsense. Anyone who can > > edit > > /lib normally can also edit /etc etc. > > > I disagree. The nonsense, instead, is comparing configuration files with > source files. > Config files are usually parsed by an application, which (hopefully) filters > malicious intentions.
Like a text editor that is used to edit /etc/passwd or /etc/group will "filter" malicious intentions when saving the file? > QML files instead, are executed by the application no matter what. > As long as "edited" QML files have a correct syntax, the QML engine executes > them. And if I 'edit' /bin/ls to do the equivalent of 'rm -rf /' it will happily do that. The fact that something is a 'text' file does not make it different, permissions make a difference. Andre' _______________________________________________ Development mailing list [email protected] http://lists.qt-project.org/mailman/listinfo/development
