08.07.2017, 21:01, "Massimo Callegari via Development" <development@qt-project.org>:
> On Sat, Jul 08, 2017 at 11:24:56AM +0000, Massimo Callegari via Development wrote:
>
>>>  2) Security? There is none. If you deploy an application using a TextField control with
>>>  echoMode: TextInput.Password, one can easily add some trivial JavaScript code to the
>>>  comfortably reachable QtQuick/Controls.2/TextField.qml file and somehow display/log a
>>>  password. In general, an end user can seriously mess up an application by changing a few
>>>  text files. I'm also wondering how Linux distributions can accept this. In my KDE Neon
>>>  distro I've got /usr/lib/x86_64-linux-gnu/qt5/qml/ full of QML files that I can edit and
>>>  compromise my system.
>
>>  I'll not argue about the others, but this here is nonsense. Anyone who can edit
>>  /lib normally can also edit /etc etc.
>
> I disagree. The nonsense, instead, is comparing configuration files with source files.
> Config files are usually parsed by an application, which (hopefully) filters malicious intentions.
> QML files instead, are executed by the application no matter what.
> As long as "edited" QML files have a correct syntax, the QML engine executes them.

Exactly the same situation exists with binary plugins of Qt. Anyone with write access to the
plugins directory can put malicious code in a plugin and it will be executed by Qt.

>
> Massimo
> _______________________________________________
> Development mailing list
> Development@qt-project.org
> http://lists.qt-project.org/mailman/listinfo/development

-- 
Regards,
Konstantin
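
Both sides of the exchange above turn on who holds write access to the directory Qt loads QML files and plugins from. The following is an added example, not part of the original messages or of Qt: a Python audit that lists entries under such a directory that an account outside a trusted set could modify. The function name `audit_tree` and the default trusted set (uid 0 only) are assumptions of this example; the default path is the one quoted in the thread.

```python
import os
import stat

# Path quoted in the thread; pass any QML import or plugin directory instead.
DEFAULT_QML_DIR = "/usr/lib/x86_64-linux-gnu/qt5/qml"


def audit_tree(root, trusted_uids=frozenset({0})):
    """Return sorted (path, reason) pairs for entries under root that an
    account outside trusted_uids could modify or replace.

    trusted_uids defaults to root only (an assumption of this example)."""
    findings = []

    def check(path):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            return  # symlink mode bits are not enforced on Linux; skip them
        if st.st_uid not in trusted_uids:
            findings.append((path, "owner uid %d is not trusted" % st.st_uid))
        if st.st_mode & stat.S_IWOTH:
            findings.append((path, "world-writable"))
        elif st.st_mode & stat.S_IWGRP:
            findings.append((path, "group-writable (gid %d)" % st.st_gid))

    # Directories matter as much as files: write access to a directory
    # allows replacing a file inside it even if the file itself is read-only.
    check(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return sorted(findings)


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_QML_DIR
    for path, reason in audit_tree(target):
        print(f"{path}: {reason}")
```

An empty result means only the trusted accounts can change what the QML engine or plugin loader will execute from that tree.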