@André
> Like a text editor that is used to edit /etc/passwd or /etc/group will
> "filter" malicious intentions when saving the file?

How you edit the files is irrelevant. /etc/passwd is interpreted by openssl. That is relevant. You clearly didn't get the point.

> And if I 'edit' /bin/ls to do the equivalent of 'rm -rf /' it will happily do
> that.

That's another story. You were comparing the content of /etc with QML files in /lib, and I replied to that.

> The fact that something is a 'text' file does not make it different,
> permissions make a difference.

True, but this discussion moved specifically to Linux, while what I mentioned in the first place was Windows, which is sadly still the most used platform in the world.

@Konstantin
> Exactly the same situation exists with binary plugins of Qt. Anyone with
> write access to the plugins directory can put malicious code in a plugin and it will
> be executed by Qt.

As if writing a shared library is the same thing as editing a text file with minimal JSON/JavaScript knowledge...

________________________________
From: André Pönitz <[email protected]>
To: Massimo Callegari <[email protected]>
Cc: Qt Development ML <[email protected]>
Sent: Saturday 8 July 2017 20:22
Subject: Re: [Development] How is Quick Controls 2 deployment meant to be ?

On Sat, Jul 08, 2017 at 06:00:23PM +0000, Massimo Callegari wrote:
> > On Sat, Jul 08, 2017 at 11:24:56AM +0000, Massimo Callegari via Development wrote:
> >> 2) Security ? There is none. If you deploy an application using a
> >> TextField control with echoMode: TextInput.Password, one can easily add
> >> some trivial JavaScript code to the comfortably reachable
> >> QtQuick/Controls.2/TextField.qml file and somehow display/log a
> >> password. In general, an end user can seriously mess up an application by
> >> changing a few text files. I'm also wondering how Linux distributions can
> >> accept this. In my KDE Neon distro I've got
> >> /usr/lib/x86_64-linux-gnu/qt5/qml/ full of QML files that I can edit and
> >> compromise my system.
> >
> > I'll not argue about the others, but this here is nonsense. Anyone who can
> > edit /lib normally can also edit /etc etc.
>
> I disagree. The nonsense, instead, is comparing configuration files with
> source files.
> Config files are usually parsed by an application, which (hopefully) filters
> malicious intentions.

Like a text editor that is used to edit /etc/passwd or /etc/group will
"filter" malicious intentions when saving the file?

> QML files, instead, are executed by the application no matter what.
> As long as "edited" QML files have a correct syntax, the QML engine executes
> them.

And if I 'edit' /bin/ls to do the equivalent of 'rm -rf /' it will happily do
that.

The fact that something is a 'text' file does not make it different,
permissions make a difference.

Andre'
_______________________________________________
Development mailing list
[email protected]
http://lists.qt-project.org/mailman/listinfo/development
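Both sides of the thread agree on one thing: whoever can write to the QML import path (or the binary plugin directory) can change what the application runs, so the deployment question reduces to who holds write access there. The following audit script is an added example, not code from the thread or from the Qt project; it checks that every entry under a given Qt directory is owned by the expected account (root by default) and is neither group- nor world-writable. It assumes a POSIX shell with `find` from coreutils or busybox, and the default path it offers is the KDE Neon one quoted above.

```shell
#!/bin/sh
# Added example: audit a Qt QML import path or plugin directory for
# write access by anyone other than its intended owner.
# Assumptions: POSIX sh, coreutils/busybox `find`, Linux permission model.

# audit_qt_dir DIR [OWNER]
# Returns 0 when every file and directory under DIR is owned by OWNER
# (default: root) and has neither the group-write (020) nor the
# other-write (002) bit set. Otherwise prints the offending entries and
# returns 1. Returns 2 if DIR does not exist.
audit_qt_dir() {
    dir="$1"
    owner="${2:-root}"
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    # Octal -perm tests work on every find implementation; symbolic ones do not.
    bad=$(find "$dir" \( -perm -002 -o -perm -020 -o ! -user "$owner" \) -print 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "entries under $dir writable by, or owned by, a non-$owner account:"
        echo "$bad"
        return 1
    fi
    return 0
}

# Usage: audit_qt.sh [DIR] [OWNER]
# The default DIR is the KDE Neon path mentioned in the thread.
if [ "$#" -gt 0 ]; then
    audit_qt_dir "${1:-/usr/lib/x86_64-linux-gnu/qt5/qml}" "${2:-root}"
fi
```

A package-managed Qt tree normally passes this check, which is the point André makes: the QML files are no more editable than `/etc/passwd` or `/bin/ls`. The case to look for is an application bundled with its own `qml/` or `plugins/` directory installed under a user-writable prefix, where the same check fails for the account the application runs as.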
