Details
-
Bug
-
Resolution: Unresolved
-
P2: Important
-
None
-
6.8.1, 6.9.0 Beta1
-
None
-
3
-
Foundation Sprint 122, Foundation Sprint 123, Foundation Sprint 124, Foundation Sprint 125, Foundation Sprint 126, Foundation Sprint 127
Description
QSaveFile follows symlinks unconditionally since https://codereview.qt-project.org/c/qt/qtbase/+/86396, but this is not always the desired behaviour.
When writing files to a disk cache, e.g., following symlinks out of
the cache directory is not needed; doing it nonetheless could pose a
security risk (by leveraging any elevated permissions the user of
QSaveFile may have over someone that can just create files in the
cache dir).
QTemporaryFile is not a replacement, because its rename() method
refuses to overwrite existing files. So Qt API doesn't have a way to
express the classical Unix pattern of mktmp + mv to safely escape
symlink attacks (see also the old bug-report QTBUG-2082, which I
reopened as a result).
So, we should add a mode to QSaveFile that makes it not follow symlinks. We might also want to add a variant of QTemporaryFile::rename() that does overwrite.
Attachments
Issue Links
- relates to
-
-
- Reported
-
Gerrit Reviews
| For Gerrit Dashboard: QTBUG-132620 | ||||||
|---|---|---|---|---|---|---|
| # | Subject | Branch | Project | Status | CR | V |
| 615500,9 | QSaveFile: add private API to disable symlink following | dev | qt/qtbase | Status: NEW | -1 | 0 |
| 616260,3 | QSaveFile: add (public) API to disable following symlinks | dev | qt/qtbase | Status: NEW | -1 | 0 |
| 616554,3 | QGeoFileTileCache: ignore symlinks | dev | qt/qtlocation | Status: NEW | -1 | 0 |
| 616559,2 | QGeoFileTileCache: port QSaveFile to public DontFollowSymlinks API | dev | qt/qtlocation | Status: NEW | +2 | 0 |