Re: [QGIS-Developer] Mitigating security risks of the Official Plugin Repository

2018-01-27 Thread Daniel Silk
From: Borys Jurgiel [mailto:li...@borysjurgiel.pl] Sent: Friday, 26 January 2018 9:19 p.m. To: qgis-developer@lists.osgeo.org Cc: Daniel Silk; Luigi Pirelli Subject: Re: [QGIS-Developer] Mitigating security risks of the Official Plugin Repository > Last time when I submitted such PR (#5

Re: [QGIS-Developer] Mitigating security risks of the Official Plugin Repository

2018-01-26 Thread Borys Jurgiel
On Thursday, 25 January 2018 23:37:12 CET Daniel Silk wrote: > in my startup script then the official repository is successfully > replaced by our internal repository. Great! IIRC this stubborn overwriting your URL by the plugin installer was added in QGIS 1.8, when we changed the official

Re: [QGIS-Developer] Mitigating security risks of the Official Plugin Repository

2018-01-25 Thread Daniel Silk
From: Luigi Pirelli [lui...@gmail.com] Sent: Friday, January 26, 2018 12:24 PM To: Daniel Silk Cc: qgis-developer@lists.osgeo.org Subject: Re: [QGIS-Developer] Mitigating security risks of the Official Plugin Repository > btw, did you try to override with a custom function with fil

Re: [QGIS-Developer] Mitigating security risks of the Official Plugin Repository

2018-01-25 Thread Luigi Pirelli
7, Daniel Silk <ds...@linz.govt.nz> wrote: >> From: Luigi Pirelli [lui...@gmail.com] >> Sent: Thursday, January 25, 2018 10:38 PM >> To: Daniel Silk >> Cc: qgis-developer@lists.osgeo.org >> Subject: Re: [QGIS-Developer] Mitigating security risks of the Official >>

Re: [QGIS-Developer] Mitigating security risks of the Official Plugin Repository

2018-01-25 Thread Luigi Pirelli
Cc: qgis-developer@lists.osgeo.org > Subject: Re: [QGIS-Developer] Mitigating security risks of the Official > Plugin Repository > >> as you can see reading the code in >> https://github.com/qgis/QGIS/blob/release-2_18/python/pyplugin_installer/installer_data.py#L316-L326 >>

Re: [QGIS-Developer] Mitigating security risks of the Official Plugin Repository

2018-01-25 Thread Daniel Silk
From: Luigi Pirelli [lui...@gmail.com] Sent: Thursday, January 25, 2018 10:38 PM To: Daniel Silk Cc: qgis-developer@lists.osgeo.org Subject: Re: [QGIS-Developer] Mitigating security risks of the Official Plugin Repository > as you can see reading the code in > https://github.com/qgis/QGI

Re: [QGIS-Developer] Mitigating security risks of the Official Plugin Repository

2018-01-25 Thread Alessandro Pasotti
On Thu, Jan 25, 2018 at 2:13 AM, Daniel Silk wrote: > Hi all > > I am currently involved in rolling QGIS 2.18 out in a corporate > environment. The security risk of a user installing a malicious plugin from > the Official Plugin Repository has come up. > > While we can ensure

Re: [QGIS-Developer] Mitigating security risks of the Official Plugin Repository

2018-01-25 Thread Luigi Pirelli
Hi Daniel as you can see reading the code in https://github.com/qgis/QGIS/blob/release-2_18/python/pyplugin_installer/installer_data.py#L316-L326 repos are got from Settings (that you can install a custom one via custom post install scripts) and repos are compared with officialRepo array that is

[QGIS-Developer] Mitigating security risks of the Official Plugin Repository

2018-01-24 Thread Daniel Silk
Hi all I am currently involved in rolling QGIS 2.18 out in a corporate environment. The security risk of a user installing a malicious plugin from the Official Plugin Repository has come up. While we can ensure our corporate plugin repository is immediately visible to all corporate users via