Details
-
Bug
-
Resolution: Unresolved
-
P2: Important
-
None
-
6.8.1, 6.9.0 Beta1
-
None
-
3
-
Foundation Sprint 122, Foundation Sprint 123, Foundation Sprint 124, Foundation Sprint 125, Foundation Sprint 126, Foundation Sprint 127, Foundation Sprint 128, Foundation Sprint 129, Foundation Sprint 130
Description
QSaveFile follows symlinks unconditionally since https://codereview.qt-project.org/c/qt/qtbase/+/86396, but this is not always the desired behaviour.
When writing files to a disk cache, e.g., following symlinks out of
the cache directory is not needed; doing it nonetheless could pose a
security risk (by leveraging any elevated permissions the user of
QSaveFile may have over someone that can just create files in the
cache dir).
QTemporaryFile is not a replacement, because its rename() method
refuses to overwrite existing files. So Qt API doesn't have a way to
express the classical Unix pattern of mktmp + mv to safely escape
symlink attacks (see also the old bug-report QTBUG-2082, which I
reopened as a result).
So, we should add a mode to QSaveFile that makes it not follow symlinks. We might also want to add a variant of QTemporaryFile::rename() that does overwrite.
Attachments
Issue Links
- relates to
-
-
- Reported
-
Gerrit Reviews
| For Gerrit Dashboard: QTBUG-132620 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 615500,9 | QSaveFile: add private API to disable symlink following | dev | qt/qtbase | Status: NEW | -1 | 0 |
| 616260,3 | QSaveFile: add (public) API to disable following symlinks | dev | qt/qtbase | Status: NEW | -1 | 0 |
| 616554,3 | QGeoFileTileCache: ignore symlinks | dev | qt/qtlocation | Status: NEW | -1 | 0 |
| 616559,2 | QGeoFileTileCache: port QSaveFile to public DontFollowSymlinks API | dev | qt/qtlocation | Status: NEW | +2 | 0 |